[GH-ISSUE #4408] vscode: crashes without seccomp !chroot #2655

Closed
opened 2026-05-05 09:18:55 -06:00 by gitea-mirror · 1 comment
Owner

Originally created by @mariodsantana on GitHub (Jul 17, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4408

Recently, VS Code stopped working for me. I fixed it by adding seccomp !chroot to code.local

Bug and expected behavior

  • Describe the bug.
    code fails with an error that references sys_chroot
  • What did you expect to happen?
    code runs like normal

No profile and disabling firejail

  • What changed calling firejail --noprofile /path/to/program in a terminal?
    it runs
  • What changed calling the program by path (e.g. /usr/bin/vlc)?
    it runs

Reproduce
Steps to reproduce the behavior:

  1. Run in bash firejail code
  2. See error Check failed: sys_chroot("/proc/self/fdinfo/") == 0

Environment

  • Linux distribution and version (ie output of lsb_release -a, screenfetch or cat /etc/os-release)
    Arch
  • Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)
> firejail --version
firejail version 0.9.66

Compile time support:
  - always force nonewprivs support is disabled
  - AppArmor support is enabled
  - AppImage support is enabled
  - chroot support is enabled
  - D-BUS proxy support is enabled
  - file and directory whitelisting support is enabled
  - file transfer support is enabled
  - firetunnel support is enabled
  - networking support is enabled
  - output logging is enabled
  - overlayfs support is disabled
  - private-home support is enabled
  - private-cache and tmpfs as user enabled
  - SELinux support is disabled
  - user namespace support is enabled
  - X11 sandboxing support is enabled

Additional context
Other context about the problem like related errors to understand the problem.

Checklist

  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • If it is an AppImage, --profile=PROFILENAME is used to set the right profile.
  • Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get English error messages.
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.
debug output
$ firejail --debug code --verbose

Reading profile /etc/firejail/code.profile
Autoselecting /usr/bin/fish as shell
Building quoted command line: 'code' '--verbose' 
Command name #code#
Found code.profile profile in /etc/firejail directory
Reading profile /etc/firejail/code.local
Found code.local profile in /etc/firejail directory
Reading profile /etc/firejail/allow-common-devel.inc
Found allow-common-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.local
Found disable-common.local profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found disable-programs.inc profile in /etc/firejail directory
[profile] combined protocol list: "unix,inet,inet6,netlink"
DISPLAY=:0 parsed as 0
Parent pid 42847, child pid 42850
Using the local network stack
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp/seccomp.protocol 
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
5351 682 254:0 /etc /etc ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5351 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
5352 5351 254:0 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5352 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
5353 682 254:0 /var /var ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5353 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
5354 5353 254:0 /var /var ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5354 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
5355 682 254:0 /usr /usr ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5355 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/mario/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/dri directory
Process /dev/shm directory
Generate private-tmp whitelist commands
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules/5.12.15-arch1-1/build (requested /usr/src/linux)
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Debug 553: whitelist /tmp/.X11-unix
Debug 574: expanded: /tmp/.X11-unix
Debug 585: new_name: /tmp/.X11-unix
Debug 599: dir: /tmp
Adding whitelist top level directory /tmp
Mounting tmpfs on /tmp, check owner: no
5403 5048 0:191 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw,inode64
mountid=5403 fsname=/ dir=/tmp fstype=tmpfs
Debug 735: file: /tmp/.X11-unix; dirfd: 4; topdir: /tmp; rel: .X11-unix
Whitelisting /tmp/.X11-unix
5404 5403 0:36 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev master:22 - tmpfs tmpfs rw,size=16247096k,nr_inodes=409600,inode64
mountid=5404 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Not blacklist /home/mario/src
Disable /home/mario/imm
Disable /home/mario/ifs
Disable /home/mario/vmware
Disable /home/mario/clients
Disable /home/mario/ctas
Disable /home/mario/innuendo
Disable /home/mario/mace
Disable /home/mario/ss
Disable /home/mario/.node_repl_history
Disable /home/mario/.bash_history
Disable /home/mario/.sqlite_history
Not blacklist /home/mario/.python_history
Disable /home/mario/.local/share/fish/fish_history
Not blacklist /home/mario/.python-history
Not blacklist /home/mario/.python_history
Not blacklist /home/mario/.pythonhist
Disable /home/mario/.lesshst
Disable /home/mario/.viminfo
Disable /home/mario/.config/autostart
Disable /home/mario/.config/awesome
Disable /home/mario/.config/sway
Disable /home/mario/.xinitrc
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Mounting read-only /home/mario/.Xauthority
5425 5362 254:0 /home/mario/.Xauthority /home/mario/.Xauthority ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5425 fsname=/home/mario/.Xauthority dir=/home/mario/.Xauthority fstype=ext4
Disable /home/mario/.config/kwalletrc
Mounting read-only /home/mario/.cache/ksycoca5_en_g4965Ldiwvwf32EOw9aUGqGbtfM=
5427 5362 254:0 /home/mario/.cache/ksycoca5_en_g4965Ldiwvwf32EOw9aUGqGbtfM= /home/mario/.cache/ksycoca5_en_g4965Ldiwvwf32EOw9aUGqGbtfM= ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5427 fsname=/home/mario/.cache/ksycoca5_en_g4965Ldiwvwf32EOw9aUGqGbtfM= dir=/home/mario/.cache/ksycoca5_en_g4965Ldiwvwf32EOw9aUGqGbtfM= fstype=ext4
Mounting read-only /home/mario/.config/kdeglobals
5428 5362 254:0 /home/mario/.config/kdeglobals /home/mario/.config/kdeglobals ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5428 fsname=/home/mario/.config/kdeglobals dir=/home/mario/.config/kdeglobals fstype=ext4
Mounting read-only /home/mario/.config/dconf
5429 5362 254:0 /home/mario/.config/dconf /home/mario/.config/dconf ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5429 fsname=/home/mario/.config/dconf dir=/home/mario/.config/dconf fstype=ext4
Disable /home/mario/.config/systemd
Disable /var/lib/systemd
Disable /usr/bin/systemd-run
Disable /run/user/1000/systemd
Disable /home/mario/.config/VirtualBox
Disable /home/mario/VirtualBox VMs
Disable /home/mario/.cache/libvirt
Disable /var/cache/libvirt
Disable /var/lib/libvirt
Disable /var/log/libvirt
Disable /var/cache/pacman
Disable /var/lib/clamav
Disable /var/lib/dkms
Disable /var/lib/pacman
Disable /var/lib/upower
Disable /var/spool/mail (requested /var/mail)
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /run/docker.sock (requested /var/run/docker.sock)
Disable /var/spool/cron
Disable /var/spool/mail
Disable /etc/cron.hourly
Disable /etc/cron.deny
Disable /etc/crontab
Disable /etc/cron.monthly
Disable /etc/cron.weekly
Disable /etc/cron.daily
Disable /etc/cron.d
Disable /etc/profile.d
Disable /etc/kernel
Disable /etc/grub.d
Disable /etc/dkms
Disable /etc/apparmor.d
Disable /etc/apparmor
Disable /etc/modules-load.d
Disable /etc/logrotate.d
Mounting read-only /home/mario/.bash_logout
5466 5362 254:0 /home/mario/.bash_logout /home/mario/.bash_logout ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5466 fsname=/home/mario/.bash_logout dir=/home/mario/.bash_logout fstype=ext4
Mounting read-only /home/mario/.bash_profile
5467 5362 254:0 /home/mario/.bash_profile /home/mario/.bash_profile ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5467 fsname=/home/mario/.bash_profile dir=/home/mario/.bash_profile fstype=ext4
Mounting read-only /home/mario/.bashrc
5468 5362 254:0 /home/mario/.bashrc /home/mario/.bashrc ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5468 fsname=/home/mario/.bashrc dir=/home/mario/.bashrc fstype=ext4
Mounting read-only /home/mario/.config/fish
5469 5362 254:0 /home/mario/.config/fish /home/mario/.config/fish ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5469 fsname=/home/mario/.config/fish dir=/home/mario/.config/fish fstype=ext4
Mounting read-only /home/mario/.local/share/fish
5471 5470 0:25 /firejail/firejail.ro.file /home/mario/.local/share/fish/fish_history rw,nosuid,nodev master:11 - tmpfs tmpfs rw,size=6498840k,nr_inodes=819200,mode=755,inode64
mountid=5471 fsname=/firejail/firejail.ro.file dir=/home/mario/.local/share/fish/fish_history fstype=tmpfs
Disable /home/mario/.ssh/authorized_keys
Mounting read-only /home/mario/.ssh/config
5473 5362 254:0 /home/mario/.ssh/config /home/mario/.ssh/config ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5473 fsname=/home/mario/.ssh/config dir=/home/mario/.ssh/config fstype=ext4
Mounting read-only /home/mario/.emacs
5474 5362 254:0 /home/mario/.emacs /home/mario/.emacs ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5474 fsname=/home/mario/.emacs dir=/home/mario/.emacs fstype=ext4
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Mounting read-only /home/mario/.emacs.d
5475 5362 254:0 /home/mario/.emacs.d /home/mario/.emacs.d ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5475 fsname=/home/mario/.emacs.d dir=/home/mario/.emacs.d fstype=ext4
Mounting read-only /home/mario/.mailcap
5476 5362 254:0 /home/mario/.mailcap /home/mario/.mailcap ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5476 fsname=/home/mario/.mailcap dir=/home/mario/.mailcap fstype=ext4
Mounting read-only /home/mario/.tmux.conf
5477 5362 254:0 /home/mario/.tmux.conf /home/mario/.tmux.conf ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5477 fsname=/home/mario/.tmux.conf dir=/home/mario/.tmux.conf fstype=ext4
Mounting read-only /home/mario/.vim
5478 5362 254:0 /home/mario/.vim /home/mario/.vim ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5478 fsname=/home/mario/.vim dir=/home/mario/.vim fstype=ext4
Mounting read-only /home/mario/.viminfo
5479 5418 0:25 /firejail/firejail.ro.file /home/mario/.viminfo ro,nosuid,nodev master:11 - tmpfs tmpfs rw,size=6498840k,nr_inodes=819200,mode=755,inode64
mountid=5479 fsname=/firejail/firejail.ro.file dir=/home/mario/.viminfo fstype=tmpfs
Mounting read-only /home/mario/.vimrc
5480 5362 254:0 /home/mario/.vimrc /home/mario/.vimrc ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5480 fsname=/home/mario/.vimrc dir=/home/mario/.vimrc fstype=ext4
Mounting read-only /home/mario/.rustup
5481 5362 254:0 /home/mario/.rustup /home/mario/.rustup ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5481 fsname=/home/mario/.rustup dir=/home/mario/.rustup fstype=ext4
Mounting read-only /home/mario/.config/menus
5482 5362 254:0 /home/mario/.config/menus /home/mario/.config/menus ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5482 fsname=/home/mario/.config/menus dir=/home/mario/.config/menus fstype=ext4
Mounting read-only /home/mario/.gnome/apps
5483 5362 254:0 /home/mario/.gnome/apps /home/mario/.gnome/apps ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5483 fsname=/home/mario/.gnome/apps dir=/home/mario/.gnome/apps fstype=ext4
Mounting read-only /home/mario/.local/share/applications
5484 5362 254:0 /home/mario/.local/share/applications /home/mario/.local/share/applications ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5484 fsname=/home/mario/.local/share/applications dir=/home/mario/.local/share/applications fstype=ext4
Mounting read-only /home/mario/.config/mimeapps.list
5485 5362 254:0 /home/mario/.config/mimeapps.list /home/mario/.config/mimeapps.list ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5485 fsname=/home/mario/.config/mimeapps.list dir=/home/mario/.config/mimeapps.list fstype=ext4
Mounting read-only /home/mario/.config/user-dirs.dirs
5486 5362 254:0 /home/mario/.config/user-dirs.dirs /home/mario/.config/user-dirs.dirs ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5486 fsname=/home/mario/.config/user-dirs.dirs dir=/home/mario/.config/user-dirs.dirs fstype=ext4
Mounting read-only /home/mario/.config/user-dirs.locale
5487 5362 254:0 /home/mario/.config/user-dirs.locale /home/mario/.config/user-dirs.locale ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5487 fsname=/home/mario/.config/user-dirs.locale dir=/home/mario/.config/user-dirs.locale fstype=ext4
Not blacklist /home/mario/.cargo/credentials
Not blacklist /home/mario/.cargo/credentials.toml
Disable /home/mario/.cert
Disable /home/mario/.config/keybase
Disable /home/mario/.davfs2/secrets
Not blacklist /home/mario/.git-credentials
Disable /home/mario/.gnupg
Disable /home/mario/.local/share/kwalletd
Disable /home/mario/.pki
Disable /home/mario/.local/share/pki
Disable /home/mario/.ssh
Disable /etc/davfs2/secrets
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Warning (blacklisting): cannot open /etc/ssh/*: Permission denied
Disable /home/mario/.aws
Disable /home/mario/.config/gcloud
Disable /usr/local/sbin
Warning (blacklisting): cannot open /usr/local/sbin/at: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/busybox: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/chage: Permission denied
Disable /usr/bin/chage
Warning (blacklisting): cannot open /usr/local/sbin/chfn: Permission denied
Disable /usr/bin/chfn
Warning (blacklisting): cannot open /usr/local/sbin/chsh: Permission denied
Disable /usr/bin/chsh
Warning (blacklisting): cannot open /usr/local/sbin/crontab: Permission denied
Disable /usr/bin/crontab
Warning (blacklisting): cannot open /usr/local/sbin/evtest: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/expiry: Permission denied
Disable /usr/bin/expiry
Warning (blacklisting): cannot open /usr/local/sbin/fusermount: Permission denied
Disable /usr/bin/fusermount
Warning (blacklisting): cannot open /usr/local/sbin/gksu: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gksudo: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gpasswd: Permission denied
Disable /usr/bin/gpasswd
Warning (blacklisting): cannot open /usr/local/sbin/kdesudo: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ksu: Permission denied
Disable /usr/bin/ksu
Warning (blacklisting): cannot open /usr/local/sbin/mount: Permission denied
Disable /usr/bin/mount
Warning (blacklisting): cannot open /usr/local/sbin/mount.ecryptfs_private: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/nc: Permission denied
Disable /usr/bin/nc
Warning (blacklisting): cannot open /usr/local/sbin/ncat: Permission denied
Disable /usr/bin/ncat
Warning (blacklisting): cannot open /usr/local/sbin/nmap: Permission denied
Disable /usr/bin/nmap
Warning (blacklisting): cannot open /usr/local/sbin/newgidmap: Permission denied
Disable /usr/bin/newgidmap
Warning (blacklisting): cannot open /usr/local/sbin/newgrp: Permission denied
Disable /usr/bin/newgrp
Warning (blacklisting): cannot open /usr/local/sbin/newuidmap: Permission denied
Disable /usr/bin/newuidmap
Warning (blacklisting): cannot open /usr/local/sbin/ntfs-3g: Permission denied
Disable /usr/bin/ntfs-3g
Warning (blacklisting): cannot open /usr/local/sbin/pkexec: Permission denied
Disable /usr/bin/pkexec
Warning (blacklisting): cannot open /usr/local/sbin/procmail: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/sg: Permission denied
Disable /usr/bin/sg
Warning (blacklisting): cannot open /usr/local/sbin/strace: Permission denied
Disable /usr/bin/strace
Warning (blacklisting): cannot open /usr/local/sbin/su: Permission denied
Disable /usr/bin/su
Warning (blacklisting): cannot open /usr/local/sbin/sudo: Permission denied
Disable /usr/bin/sudo
Warning (blacklisting): cannot open /usr/local/sbin/tcpdump: Permission denied
Disable /usr/bin/tcpdump
Warning (blacklisting): cannot open /usr/local/sbin/umount: Permission denied
Disable /usr/bin/umount
Warning (blacklisting): cannot open /usr/local/sbin/unix_chkpwd: Permission denied
Disable /usr/bin/unix_chkpwd
Warning (blacklisting): cannot open /usr/local/sbin/xev: Permission denied
Disable /usr/bin/xev
Warning (blacklisting): cannot open /usr/local/sbin/xinput: Permission denied
Disable /usr/bin/xinput
Disable /usr/lib/virtualbox
Disable /usr/lib/virtualbox (requested /usr/lib64/virtualbox)
Warning (blacklisting): cannot open /usr/local/sbin/lxterminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gnome-terminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gnome-terminal.wrapper: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/lilyterm: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/mate-terminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/mate-terminal.wrapper: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/pantheon-terminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/roxterm: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/roxterm-config: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/terminix: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/tilix: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/urxvtc: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/urxvtcd: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/xfce4-terminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/xfce4-terminal.wrapper: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/bwrap: Permission denied
Disable /usr/bin/bwrap
Disable /home/mario/.mail
Disable /home/mario/Mail
Disable /proc/config.gz
Warning (blacklisting): cannot open /usr/local/sbin/dig: Permission denied
Disable /usr/bin/dig
Warning (blacklisting): cannot open /usr/local/sbin/dlint: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/dns2tcp: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/dnssec-*: Permission denied
Disable /usr/bin/dnssec-keymgr
Disable /usr/bin/dnssec-settime
Disable /usr/bin/dnssec-keygen
Disable /usr/bin/dnssec-signzone
Disable /usr/bin/dnssec-dsfromkey
Disable /usr/bin/dnssec-coverage
Disable /usr/bin/dnssec-checkds
Disable /usr/bin/dnssec-revoke
Disable /usr/bin/dnssec-verify
Disable /usr/bin/dnssec-keyfromlabel
Disable /usr/bin/dnssec-cds
Disable /usr/bin/dnssec-importkey
Warning (blacklisting): cannot open /usr/local/sbin/dnswalk: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/drill: Permission denied
Disable /usr/bin/drill
Warning (blacklisting): cannot open /usr/local/sbin/host: Permission denied
Disable /usr/bin/host
Warning (blacklisting): cannot open /usr/local/sbin/iodine: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/kdig: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/khost: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/knsupdate: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ldns-*: Permission denied
Disable /usr/bin/ldns-update
Disable /usr/bin/ldns-key2ds
Disable /usr/bin/ldns-rrsig
Disable /usr/bin/ldns-zsplit
Disable /usr/bin/ldns-revoke
Disable /usr/bin/ldns-zcat
Disable /usr/bin/ldns-gen-zone
Disable /usr/bin/ldns-compare-zones
Disable /usr/bin/ldns-nsec3-hash
Disable /usr/bin/ldns-dpa
Disable /usr/bin/ldns-testns
Disable /usr/bin/ldns-keyfetcher
Disable /usr/bin/ldns-mx
Disable /usr/bin/ldns-walk
Disable /usr/bin/ldns-signzone
Disable /usr/bin/ldns-keygen
Disable /usr/bin/ldns-read-zone
Disable /usr/bin/ldns-chaos
Disable /usr/bin/ldns-verify-zone
Disable /usr/bin/ldns-resolver
Disable /usr/bin/ldns-test-edns
Disable /usr/bin/ldns-notify
Disable /usr/bin/ldns-dane
Disable /usr/bin/ldns-config
Disable /usr/bin/ldns-version
Warning (blacklisting): cannot open /usr/local/sbin/ldnsd: Permission denied
Disable /usr/bin/ldnsd
Warning (blacklisting): cannot open /usr/local/sbin/nslookup: Permission denied
Disable /usr/bin/nslookup
Warning (blacklisting): cannot open /usr/local/sbin/resolvectl: Permission denied
Disable /usr/bin/resolvectl
Warning (blacklisting): cannot open /usr/local/sbin/unbound-host: Permission denied
Disable /usr/bin/unbound-host
Disable /run/user/1000/wayland-1.lock
Disable /home/mario/.config/KeePass
Disable /home/mario/.config/keepassx
Disable /home/mario/.config/keepassxc
Disable /home/mario/.local/share/KeePass
Disable /home/mario/.bitcoin
Disable /home/mario/.android
Disable /home/mario/.bitcoin
Not blacklist /home/mario/.cargo/registry
Not blacklist /home/mario/.cargo/git
Not blacklist /home/mario/.cargo/.package-cache
Disable /home/mario/.config/BraveSoftware
Not blacklist /home/mario/.config/Code
Not blacklist /home/mario/.config/Code - OSS
Disable /home/mario/.config/GIMP
Disable /home/mario/.config/Google
Disable /home/mario/.config/InSilmaril
Disable /home/mario/.config/Nextcloud
Disable /home/mario/.config/Riot
Disable /home/mario/.config/Signal
Disable /home/mario/.config/VirtualBox
Disable /home/mario/.config/brave
Disable /home/mario/.config/chromium
DISPLAY=:0 parsed as 0
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 04 00 c000003e   jeq ARCH_64 0006 (false 0002)
 0002: 20 00 00 00000000   ld  data.syscall-number
 0003: 15 01 00 00000167   jeq unknown 0005 (false 0004)
 0004: 06 00 00 7fff0000   ret ALLOW
 0005: 05 00 00 00000006   jmp 000c
 0006: 20 00 00 00000004   ld  data.architecture
 0007: 15 01 00 c000003e   jeq ARCH_64 0009 (false 0008)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 20 00 00 00000000   ld  data.syscall-number
 000a: 15 01 00 00000029   jeq socket 000c (false 000b)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 20 00 00 00000010   ld  data.args[0]
 000d: 15 00 01 00000001   jeq 1 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 15 00 01 00000002   jeq 2 0010 (false 0011)
 0010: 06 00 00 7fff0000   ret ALLOW
 0011: 15 00 01 0000000a   jeq a 0012 (false 0013)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 15 00 01 00000010   jeq 10 0014 (false 0015)
 0014: 06 00 00 7fff0000   ret ALLOW
 0015: 06 00 00 0005005f   ret ERRNO(95)
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 30 00 00000015   jeq 15 0035 (false 0005)
 0005: 15 2f 00 00000034   jeq 34 0035 (false 0006)
 0006: 15 2e 00 0000001a   jeq 1a 0035 (false 0007)
 0007: 15 2d 00 0000011b   jeq 11b 0035 (false 0008)
 0008: 15 2c 00 00000155   jeq 155 0035 (false 0009)
 0009: 15 2b 00 00000156   jeq 156 0035 (false 000a)
 000a: 15 2a 00 0000007f   jeq 7f 0035 (false 000b)
 000b: 15 29 00 00000080   jeq 80 0035 (false 000c)
 000c: 15 28 00 0000015e   jeq 15e 0035 (false 000d)
 000d: 15 27 00 00000081   jeq 81 0035 (false 000e)
 000e: 15 26 00 0000006e   jeq 6e 0035 (false 000f)
 000f: 15 25 00 00000065   jeq 65 0035 (false 0010)
 0010: 15 24 00 00000121   jeq 121 0035 (false 0011)
 0011: 15 23 00 00000057   jeq 57 0035 (false 0012)
 0012: 15 22 00 00000073   jeq 73 0035 (false 0013)
 0013: 15 21 00 00000067   jeq 67 0035 (false 0014)
 0014: 15 20 00 0000015b   jeq 15b 0035 (false 0015)
 0015: 15 1f 00 0000015c   jeq 15c 0035 (false 0016)
 0016: 15 1e 00 00000087   jeq 87 0035 (false 0017)
 0017: 15 1d 00 00000095   jeq 95 0035 (false 0018)
 0018: 15 1c 00 0000007c   jeq 7c 0035 (false 0019)
 0019: 15 1b 00 00000157   jeq 157 0035 (false 001a)
 001a: 15 1a 00 000000fd   jeq fd 0035 (false 001b)
 001b: 15 19 00 00000150   jeq 150 0035 (false 001c)
 001c: 15 18 00 00000152   jeq 152 0035 (false 001d)
 001d: 15 17 00 0000015d   jeq 15d 0035 (false 001e)
 001e: 15 16 00 0000011e   jeq 11e 0035 (false 001f)
 001f: 15 15 00 0000011f   jeq 11f 0035 (false 0020)
 0020: 15 14 00 00000120   jeq 120 0035 (false 0021)
 0021: 15 13 00 00000056   jeq 56 0035 (false 0022)
 0022: 15 12 00 00000033   jeq 33 0035 (false 0023)
 0023: 15 11 00 0000007b   jeq 7b 0035 (false 0024)
 0024: 15 10 00 000000d9   jeq d9 0035 (false 0025)
 0025: 15 0f 00 000000f5   jeq f5 0035 (false 0026)
 0026: 15 0e 00 000000f6   jeq f6 0035 (false 0027)
 0027: 15 0d 00 000000f7   jeq f7 0035 (false 0028)
 0028: 15 0c 00 000000f8   jeq f8 0035 (false 0029)
 0029: 15 0b 00 000000f9   jeq f9 0035 (false 002a)
 002a: 15 0a 00 00000101   jeq 101 0035 (false 002b)
 002b: 15 09 00 00000112   jeq 112 0035 (false 002c)
 002c: 15 08 00 00000114   jeq 114 0035 (false 002d)
 002d: 15 07 00 00000126   jeq 126 0035 (false 002e)
 002e: 15 06 00 0000013d   jeq 13d 0035 (false 002f)
 002f: 15 05 00 0000013c   jeq 13c 0035 (false 0030)
 0030: 15 04 00 0000003d   jeq 3d 0035 (false 0031)
 0031: 15 03 00 00000058   jeq 58 0035 (false 0032)
 0032: 15 02 00 000000a9   jeq a9 0035 (false 0033)
 0033: 15 01 00 00000082   jeq 82 0035 (false 0034)
 0034: 06 00 00 7fff0000   ret ALLOW
 0035: 06 00 00 00050001   ret ERRNO(1)
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 3e 00 0000009f   jeq adjtimex 0046 (false 0008)
 0008: 15 3d 00 00000131   jeq clock_adjtime 0046 (false 0009)
 0009: 15 3c 00 000000e3   jeq clock_settime 0046 (false 000a)
 000a: 15 3b 00 000000a4   jeq settimeofday 0046 (false 000b)
 000b: 15 3a 00 0000009a   jeq modify_ldt 0046 (false 000c)
 000c: 15 39 00 000000d4   jeq lookup_dcookie 0046 (false 000d)
 000d: 15 38 00 0000012a   jeq perf_event_open 0046 (false 000e)
 000e: 15 37 00 00000137   jeq process_vm_writev 0046 (false 000f)
 000f: 15 36 00 000000b0   jeq delete_module 0046 (false 0010)
 0010: 15 35 00 00000139   jeq finit_module 0046 (false 0011)
 0011: 15 34 00 000000af   jeq init_module 0046 (false 0012)
 0012: 15 33 00 000000a1   jeq chroot 0046 (false 0013)
 0013: 15 32 00 000000a5   jeq mount 0046 (false 0014)
 0014: 15 31 00 0000009b   jeq pivot_root 0046 (false 0015)
 0015: 15 30 00 000000a6   jeq umount2 0046 (false 0016)
 0016: 15 2f 00 0000009c   jeq _sysctl 0046 (false 0017)
 0017: 15 2e 00 000000b7   jeq afs_syscall 0046 (false 0018)
 0018: 15 2d 00 000000ae   jeq create_module 0046 (false 0019)
 0019: 15 2c 00 000000b1   jeq get_kernel_syms 0046 (false 001a)
 001a: 15 2b 00 000000b5   jeq getpmsg 0046 (false 001b)
 001b: 15 2a 00 000000b6   jeq putpmsg 0046 (false 001c)
 001c: 15 29 00 000000b2   jeq query_module 0046 (false 001d)
 001d: 15 28 00 000000b9   jeq security 0046 (false 001e)
 001e: 15 27 00 0000008b   jeq sysfs 0046 (false 001f)
 001f: 15 26 00 000000b8   jeq tuxcall 0046 (false 0020)
 0020: 15 25 00 00000086   jeq uselib 0046 (false 0021)
 0021: 15 24 00 00000088   jeq ustat 0046 (false 0022)
 0022: 15 23 00 000000ec   jeq vserver 0046 (false 0023)
 0023: 15 22 00 000000ad   jeq ioperm 0046 (false 0024)
 0024: 15 21 00 000000ac   jeq iopl 0046 (false 0025)
 0025: 15 20 00 000000f6   jeq kexec_load 0046 (false 0026)
 0026: 15 1f 00 00000140   jeq kexec_file_load 0046 (false 0027)
 0027: 15 1e 00 000000a9   jeq reboot 0046 (false 0028)
 0028: 15 1d 00 000000a7   jeq swapon 0046 (false 0029)
 0029: 15 1c 00 000000a8   jeq swapoff 0046 (false 002a)
 002a: 15 1b 00 00000130   jeq open_by_handle_at 0046 (false 002b)
 002b: 15 1a 00 0000012f   jeq name_to_handle_at 0046 (false 002c)
 002c: 15 19 00 000000fb   jeq ioprio_set 0046 (false 002d)
 002d: 15 18 00 00000067   jeq syslog 0046 (false 002e)
 002e: 15 17 00 0000012c   jeq fanotify_init 0046 (false 002f)
 002f: 15 16 00 000000f8   jeq add_key 0046 (false 0030)
 0030: 15 15 00 000000f9   jeq request_key 0046 (false 0031)
 0031: 15 14 00 000000ed   jeq mbind 0046 (false 0032)
 0032: 15 13 00 00000100   jeq migrate_pages 0046 (false 0033)
 0033: 15 12 00 00000117   jeq move_pages 0046 (false 0034)
 0034: 15 11 00 000000fa   jeq keyctl 0046 (false 0035)
 0035: 15 10 00 000000ce   jeq io_setup 0046 (false 0036)
 0036: 15 0f 00 000000cf   jeq io_destroy 0046 (false 0037)
 0037: 15 0e 00 000000d0   jeq io_getevents 0046 (false 0038)
 0038: 15 0d 00 000000d1   jeq io_submit 0046 (false 0039)
 0039: 15 0c 00 000000d2   jeq io_cancel 0046 (false 003a)
 003a: 15 0b 00 000000d8   jeq remap_file_pages 0046 (false 003b)
 003b: 15 0a 00 00000143   jeq userfaultfd 0046 (false 003c)
 003c: 15 09 00 000000a3   jeq acct 0046 (false 003d)
 003d: 15 08 00 00000141   jeq bpf 0046 (false 003e)
 003e: 15 07 00 000000b4   jeq nfsservctl 0046 (false 003f)
 003f: 15 06 00 000000ab   jeq setdomainname 0046 (false 0040)
 0040: 15 05 00 000000aa   jeq sethostname 0046 (false 0041)
 0041: 15 04 00 00000099   jeq vhangup 0046 (false 0042)
 0042: 15 03 00 00000065   jeq ptrace 0046 (false 0043)
 0043: 15 02 00 00000087   jeq personality 0046 (false 0044)
 0044: 15 01 00 00000136   jeq process_vm_readv 0046 (false 0045)
 0045: 06 00 00 7fff0000   ret ALLOW
 0046: 06 00 00 00050001   ret ERRNO(1)
.config/enchant
Disable /home/mario/.config/gconf
Not blacklist /home/mario/.config/git
Disable /home/mario/.config/kdeconnect
Disable /home/mario/.config/libreoffice
Disable /home/mario/.config/Microsoft
Disable /home/mario/.config/mpv
Disable /home/mario/.config/neomutt
Disable /home/mario/.config/pavucontrol.ini
Disable /home/mario/.config/Pinta
Disable /home/mario/.config/qutebrowser
Disable /home/mario/.config/teams
Disable /home/mario/.config/teams-for-linux
Disable /home/mario/.config/torbrowser
Disable /home/mario/.config/transmission
Disable /home/mario/.config/vivaldi
Disable /home/mario/.config/vlc
Disable /home/mario/.config/wireshark
Disable /home/mario/.config/zoomus.conf
Disable /home/mario/.cups
Disable /home/mario/.electrum
Disable /home/mario/.emacs
Disable /home/mario/.emacs.d
Not blacklist /home/mario/.gitconfig
Not blacklist /home/mario/.gradle
Not blacklist /home/mario/.java
Disable /home/mario/.links
Disable /home/mario/.local/share/JetBrains
Disable /home/mario/.local/share/qutebrowser
Disable /home/mario/.local/share/signal-cli
Disable /home/mario/.local/share/torbrowser
Disable /home/mario/.local/share/vlc
Disable /home/mario/.minecraft
Disable /home/mario/.mozilla
Not blacklist /home/mario/.node-gyp
Not blacklist /home/mario/.npm
Not blacklist /home/mario/.npmrc
Not blacklist /home/mario/.nvm
Not blacklist /home/mario/.pylint.d
Disable /home/mario/.subversion
Disable /home/mario/.thunderbird
Disable /home/mario/.tor-browser
Disable /home/mario/.vim
Disable /home/mario/.vimrc
Disable /home/mario/.vmware
Not blacklist /home/mario/.vscode
Not blacklist /home/mario/.vscode-oss
Disable /home/mario/.w3m
Disable /home/mario/.weechat
Disable /home/mario/.wget-hsts
Not blacklist /home/mario/.yarn
Not blacklist /home/mario/.yarn-config
Not blacklist /home/mario/.yarncache
Not blacklist /home/mario/.yarnrc
Disable /home/mario/.zoom
Disable /var/games/nethack
Disable /home/mario/.cache/BraveSoftware
Disable /home/mario/.cache/babl
Disable /home/mario/.cache/chromium
Disable /home/mario/.cache/gegl-0.4
Disable /home/mario/.cache/gimp
Disable /home/mario/.cache/keepassxc
Disable /home/mario/.cache/mozilla
Disable /home/mario/.cache/pip
Disable /home/mario/.cache/qutebrowser
Disable /home/mario/.cache/thunderbird
Disable /home/mario/.cache/vlc
Disable /home/mario/.cache/vmware
Mounting noexec /tmp
5655 5654 0:36 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev master:22 - tmpfs tmpfs rw,size=16247096k,nr_inodes=409600,inode64
mountid=5655 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /tmp/.X11-unix
5656 5655 0:36 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec master:22 - tmpfs tmpfs rw,size=16247096k,nr_inodes=409600,inode64
mountid=5656 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting tmpfs on /home/mario/.cache, check owner: yes
5657 5362 0:192 / /home/mario/.cache rw,nosuid,nodev,relatime - tmpfs tmpfs rw,mode=700,uid=1000,gid=1000,inode64
mountid=5657 fsname=/ dir=/home/mario/.cache fstype=tmpfs
Mounting read-only /tmp/.X11-unix
5658 5656 0:36 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec master:22 - tmpfs tmpfs rw,size=16247096k,nr_inodes=409600,inode64
mountid=5658 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Disable /sys/fs
Disable /sys/module
disable pulseaudio
blacklist /home/mario/.config/pulse
blacklist /run/user/1000/pulse/native
blacklist /run/user/1000/pulse
Current directory: /home/mario/src/pie/pie3
Install protocol filter: unix,inet,inet6,netlink
configuring 22 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol 
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 
Dual 32/64 bit seccomp filter configured
configuring 71 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp 
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
5664 5178 0:182 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=5664 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             240 ..
-rw-r--r-- mario    mario            568 seccomp
-rw-r--r-- mario    mario            432 seccomp.32
-rw-r--r-- mario    mario            114 seccomp.list
-rw-r--r-- mario    mario              0 seccomp.postexec
-rw-r--r-- mario    mario              0 seccomp.postexec32
-rw-r--r-- mario    mario            176 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
Child process initialized in 40.32 ms
Starting application
LD_PRELOAD=(null)
execvp argument 0: code
execvp argument 1: --verbose
Warning: an existing sandbox was detected. /usr/bin/code will run without any additional sandboxing features
Check failed: sys_chroot("/proc/self/fdinfo/") == 0

Parent is shutting down, bye...

.config/enchant Disable /home/mario/.config/gconf Not blacklist /home/mario/.config/git Disable /home/mario/.config/kdeconnect Disable /home/mario/.config/libreoffice Disable /home/mario/.config/Microsoft Disable /home/mario/.config/mpv Disable /home/mario/.config/neomutt Disable /home/mario/.config/pavucontrol.ini Disable /home/mario/.config/Pinta Disable /home/mario/.config/qutebrowser Disable /home/mario/.config/teams Disable /home/mario/.config/teams-for-linux Disable /home/mario/.config/torbrowser Disable /home/mario/.config/transmission Disable /home/mario/.config/vivaldi Disable /home/mario/.config/vlc Disable /home/mario/.config/wireshark Disable /home/mario/.config/zoomus.conf Disable /home/mario/.cups Disable /home/mario/.electrum Disable /home/mario/.emacs Disable /home/mario/.emacs.d Not blacklist /home/mario/.gitconfig Not blacklist /home/mario/.gradle Not blacklist /home/mario/.java Disable /home/mario/.links Disable /home/mario/.local/share/JetBrains Disable /home/mario/.local/share/qutebrowser Disable /home/mario/.local/share/signal-cli Disable /home/mario/.local/share/torbrowser Disable /home/mario/.local/share/vlc Disable /home/mario/.minecraft Disable /home/mario/.mozilla Not blacklist /home/mario/.node-gyp Not blacklist /home/mario/.npm Not blacklist /home/mario/.npmrc Not blacklist /home/mario/.nvm Not blacklist /home/mario/.pylint.d Disable /home/mario/.subversion Disable /home/mario/.thunderbird Disable /home/mario/.tor-browser Disable /home/mario/.vim Disable /home/mario/.vimrc Disable /home/mario/.vmware Not blacklist /home/mario/.vscode Not blacklist /home/mario/.vscode-oss Disable /home/mario/.w3m Disable /home/mario/.weechat Disable /home/mario/.wget-hsts Not blacklist /home/mario/.yarn Not blacklist /home/mario/.yarn-config Not blacklist /home/mario/.yarncache Not blacklist /home/mario/.yarnrc Disable /home/mario/.zoom Disable /var/games/nethack Disable /home/mario/.cache/BraveSoftware Disable /home/mario/.cache/babl Disable 
/home/mario/.cache/chromium Disable /home/mario/.cache/gegl-0.4 Disable /home/mario/.cache/gimp Disable /home/mario/.cache/keepassxc Disable /home/mario/.cache/mozilla Disable /home/mario/.cache/pip Disable /home/mario/.cache/qutebrowser Disable /home/mario/.cache/thunderbird Disable /home/mario/.cache/vlc Disable /home/mario/.cache/vmware Mounting noexec /tmp 5655 5654 0:36 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev master:22 - tmpfs tmpfs rw,size=16247096k,nr_inodes=409600,inode64 mountid=5655 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /tmp/.X11-unix 5656 5655 0:36 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec master:22 - tmpfs tmpfs rw,size=16247096k,nr_inodes=409600,inode64 mountid=5656 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting tmpfs on /home/mario/.cache, check owner: yes 5657 5362 0:192 / /home/mario/.cache rw,nosuid,nodev,relatime - tmpfs tmpfs rw,mode=700,uid=1000,gid=1000,inode64 mountid=5657 fsname=/ dir=/home/mario/.cache fstype=tmpfs Mounting read-only /tmp/.X11-unix 5658 5656 0:36 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec master:22 - tmpfs tmpfs rw,size=16247096k,nr_inodes=409600,inode64 mountid=5658 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Disable /sys/fs Disable /sys/module disable pulseaudio blacklist /home/mario/.config/pulse blacklist /run/user/1000/pulse/native blacklist /run/user/1000/pulse Current directory: /home/mario/src/pie/pie3 Install protocol filter: unix,inet,inet6,netlink configuring 22 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32 sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 Dual 32/64 bit seccomp filter configured configuring 71 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp seccomp filter configured 
Mounting read-only /run/firejail/mnt/seccomp 5664 5178 0:182 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64 mountid=5664 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Seccomp directory: ls /run/firejail/mnt/seccomp drwxr-xr-x root root 160 . drwxr-xr-x root root 240 .. -rw-r--r-- mario mario 568 seccomp -rw-r--r-- mario mario 432 seccomp.32 -rw-r--r-- mario mario 114 seccomp.list -rw-r--r-- mario mario 0 seccomp.postexec -rw-r--r-- mario mario 0 seccomp.postexec32 -rw-r--r-- mario mario 176 seccomp.protocol Active seccomp files: cat /run/firejail/mnt/seccomp/seccomp.list /run/firejail/mnt/seccomp/seccomp.protocol /run/firejail/mnt/seccomp/seccomp.32 /run/firejail/mnt/seccomp/seccomp Dropping all capabilities noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1 No supplementary groups Child process initialized in 40.32 ms Starting application LD_PRELOAD=(null) execvp argument 0: code execvp argument 1: --verbose Warning: an existing sandbox was detected. /usr/bin/code will run without any additional sandboxing features Check failed: sys_chroot("/proc/self/fdinfo/") == 0 Parent is shutting down, bye... ``` </details>
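The 64-bit listing in the log is the evidence for the reporter's fix: instruction `0012` compares the syscall number against `chroot` (K = `000000a1`) and jumps to `0046`, which is `ret ERRNO(1)`, so the `sys_chroot` call Chromium's sandbox makes fails with EPERM and its check aborts the process. Dropping `chroot` from the filter with `seccomp !chroot` removes that entry. The script below is an added example (not part of the issue, of firejail or of VS Code) for confirming such a verdict directly from an `fsec-print` dump: it parses the decoded classic-BPF columns (`addr: OP JT JF K`) and walks the program the way the kernel's interpreter does. The embedded listing is a constructed, shortened copy of the filter above (three denied syscalls, jump targets recomputed); syscall numbers are read from the K column, so no separate syscall table is assumed.

```python
"""Walk a firejail fsec-print seccomp listing for a given syscall.

Added example; not part of the issue, of firejail or of VS Code. It reads the
decoded classic-BPF columns ("addr: OP JT JF K") that fsec-print emits and
evaluates the program the way the kernel does, so the verdict for any
syscall can be confirmed straight from a debug dump.
"""
import re

# Values from <linux/seccomp.h> and <linux/audit.h>.
SECCOMP_RET_ALLOW = 0x7FFF0000
SECCOMP_RET_ERRNO = 0x00050000
AUDIT_ARCH_X86_64 = 0xC000003E

# Classic-BPF opcodes that seccomp filters of this shape use.
OP_LD_W_ABS = 0x20  # ld [k]          A = seccomp_data word at offset k
OP_JEQ_K = 0x15     # jeq #k, jt, jf  pc += 1 + (A == k ? jt : jf)
OP_JGE_K = 0x35     # jge #k, jt, jf  pc += 1 + (A >= k ? jt : jf)
OP_RET_K = 0x06     # ret #k          filter verdict is k
OFF_NR, OFF_ARCH = 0, 4  # struct seccomp_data: nr at 0, arch at 4

# Constructed listing: same shape as the 64-bit filter in the log above,
# cut down to three denied syscalls with the jump targets recomputed.
SAMPLE_LISTING = """\
 line  OP   JT   JF   K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 03 00 0000009f   jeq adjtimex 000b (false 0008)
 0008: 15 02 00 000000a1   jeq chroot 000b (false 0009)
 0009: 15 01 00 000000a5   jeq mount 000b (false 000a)
 000a: 06 00 00 7fff0000   ret ALLOW
 000b: 06 00 00 00050001   ret ERRNO(1)
"""

INSN_RE = re.compile(
    r"^\s*(?P<addr>[0-9a-f]{4}):\s+(?P<op>[0-9a-f]{2})\s+(?P<jt>[0-9a-f]{2})"
    r"\s+(?P<jf>[0-9a-f]{2})\s+(?P<k>[0-9a-f]{8})\s+(?P<mn>\w+)\s*(?P<arg>\S*)"
)


def parse_listing(text):
    """Return (insns, names): insns as (op, jt, jf, k) tuples indexed by
    address; names maps each syscall named in a jeq/jge line to the K it is
    compared against (ARCH_64 and X32_ABI are operands, not syscalls)."""
    insns, names = [], {}
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue  # header and separator lines
        addr, op, jt, jf, k = (int(m.group(g), 16) for g in ("addr", "op", "jt", "jf", "k"))
        if addr != len(insns):
            raise ValueError(f"listing not contiguous at {addr:#06x}")
        insns.append((op, jt, jf, k))
        if m.group("mn") in ("jeq", "jge") and not m.group("arg").isupper():
            names[m.group("arg")] = k
    return insns, names


def run_filter(insns, arch, nr):
    """Interpret the program like the kernel and return the raw verdict."""
    pc, acc = 0, 0
    while pc < len(insns):
        op, jt, jf, k = insns[pc]
        if op == OP_LD_W_ABS:
            acc = {OFF_NR: nr, OFF_ARCH: arch}[k]
            pc += 1
        elif op == OP_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif op == OP_JGE_K:
            pc += 1 + (jt if acc >= k else jf)
        elif op == OP_RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {pc:#06x}")
    raise RuntimeError("ran off the end; a valid filter always returns")


def describe(ret):
    """Render a verdict the way fsec-print prints it."""
    if ret == SECCOMP_RET_ALLOW:
        return "ALLOW"
    if ret & 0xFFFF0000 == SECCOMP_RET_ERRNO:
        return f"ERRNO({ret & 0xFFFF})"
    return f"0x{ret:08x}"


def verdict(listing, syscall, arch=AUDIT_ARCH_X86_64):
    """Verdict for a syscall given by name (as in the listing) or by number."""
    insns, names = parse_listing(listing)
    nr = names[syscall] if isinstance(syscall, str) else syscall
    return describe(run_filter(insns, arch, nr))


def denied_syscalls(listing, arch=AUDIT_ARCH_X86_64):
    """Names in the listing whose verdict is an ERRNO, i.e. the deny list."""
    insns, names = parse_listing(listing)
    return sorted(n for n, nr in names.items()
                  if describe(run_filter(insns, arch, nr)).startswith("ERRNO"))


if __name__ == "__main__":
    for name in ("read", "chroot", "mount"):
        print(f"{name:8s} -> {verdict(SAMPLE_LISTING, name)}")
    print("denied:", denied_syscalls(SAMPLE_LISTING))
```

Two details worth noticing when reading a real dump this way: the first instruction pair returns `ALLOW` for any architecture other than `ARCH_64`, because firejail installs a separate `seccomp.32` filter for the 32-bit ABI (the `Dual 32/64 bit seccomp filter configured` line above), and the `jge X32_ABI` check denies the whole x32 number range before any name is compared, so a syscall number at or above `0x40000000` gets `ERRNO(1)` even though no `jeq` line mentions it.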

@rusty-snake commented on GitHub (Jul 17, 2021):

code.profile needs an electron redirect re-factoring too. (And the new codium alias + wusc adaptation).

Reference: github-starred/firejail#2655