github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #4422] nuclear: does not work with --no-sandbox #2663

New issue
Open
opened 2026-05-05 09:19:33 -06:00 by gitea-mirror · 23 comments
gitea-mirror commented 2026-05-05 09:19:33 -06:00
Owner
Copy link

Originally created by @mYnDstrEAm on GitHub (Jul 26, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4422

#3883 and #3806 could be related

When running firejail --profile=/etc/firejail/nuclear.profile nuclear I get The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/nuclear/chrome-sandbox is owned by root and has mode 4755.

When appending --no-sandbox to the command it shows these errors:

libGL error: MESA-LOADER: failed to retrieve device information
libGL error: Version 4 or later of flush extension not found
libGL error: failed to load driver: i915
libGL error: failed to open drm device: No such file or directory
libGL error: failed to load driver: i965
      main › Sqlite database creation failed
      main › DriverPackageNotInstalledError: SQLite package has not been found installed. Try to install it: npm install sqlite3 --save
    at new t (/opt/nuclear/resources/app.asar/dist/main.js:2680:723535)
    at t.loadDependencies (/opt/nuclear/resources/app.asar/dist/main.js:2680:592613)
    at new t (/opt/nuclear/resources/app.asar/dist/main.js:2680:591154)
    at e.create (/opt/nuclear/resources/app.asar/dist/main.js:2680:70627)
    at new e (/opt/nuclear/resources/app.asar/dist/main.js:2680:23774)
    at e.create (/opt/nuclear/resources/app.asar/dist/main.js:2680:32984)
    at /opt/nuclear/resources/app.asar/dist/main.js:2682:12651
    at /opt/nuclear/resources/app.asar/dist/main.js:2699:2716
    at Object.next (/opt/nuclear/resources/app.asar/dist/main.js:2699:2821)
    at /opt/nuclear/resources/app.asar/dist/main.js:2699:1758
    at new Promise (<anonymous>)
    at Module.u (/opt/nuclear/resources/app.asar/dist/main.js:2699:1503)
    at t.createConnection (/opt/nuclear/resources/app.asar/dist/main.js:2682:12385)
    at bn.connect (/opt/nuclear/resources/app.asar/dist/main.js:2711:488198)
    at App.<anonymous> (/opt/nuclear/resources/app.asar/dist/main.js:2711:529294)
    at App.emit (events.js:327:22)
libva error: va_getDriverName() failed with unknown libva error,driver_name=(null)
   ipc api › error in event get-localfolders => Cannot read property 'find' of undefined
   ipc api › TypeError: Cannot read property 'find' of undefined
    at bn.getLocalFolders (/opt/nuclear/resources/app.asar/dist/main.js:2711:488573)
    at Qn.getLocalFolders (/opt/nuclear/resources/app.asar/dist/main.js:2711:496490)
    at IpcMainImpl.<anonymous> (/opt/nuclear/resources/app.asar/dist/main.js:2711:528433)
    at IpcMainImpl.emit (events.js:315:20)
    at Object.<anonymous> (electron/js2c/browser_init.js:161:10351)
    at Object.emit (events.js:315:20)
   ipc api › error in event get-metas => Cannot read property 'find' of undefined
   ipc api › TypeError: Cannot read property 'find' of undefined
    at bn.getTracks (/opt/nuclear/resources/app.asar/dist/main.js:2711:488952)
    at Qn.getLocalMetas (/opt/nuclear/resources/app.asar/dist/main.js:2711:496403)
    at IpcMainImpl.<anonymous> (/opt/nuclear/resources/app.asar/dist/main.js:2711:528433)
    at IpcMainImpl.emit (events.js:315:20)
    at Object.<anonymous> (electron/js2c/browser_init.js:161:10351)
    at Object.emit (events.js:315:20)
(node:73) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `exe --trace-deprecation ...` to show where the warning was created)

Is there another way one is supposed to solve this electron problem or is the nuclear.profile broken?

Bug and expected behavior
It should run the Nuclear music player or display an error message that tells the user exactly what to do / run to make it work.

No profile and disabling firejail

Reproduce
Steps to reproduce the behavior:

  1. Run the commands above on Debian10

Environment
Debian10 stable
Firejail version 0.9.64.4

Additional context

Checklist

  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • If it is a AppImage, --profile=PROFILENAME is used to set the right profile.
  • Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get english error-messages.
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.
Originally created by @mYnDstrEAm on GitHub (Jul 26, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4422 #3883 and #3806 could be related When running `firejail --profile=/etc/firejail/nuclear.profile nuclear` I get `The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/nuclear/chrome-sandbox is owned by root and has mode 4755.` When appending `--no-sandbox` to the command it shows these errors: ``` libGL error: MESA-LOADER: failed to retrieve device information libGL error: Version 4 or later of flush extension not found libGL error: failed to load driver: i915 libGL error: failed to open drm device: No such file or directory libGL error: failed to load driver: i965 main › Sqlite database creation failed main › DriverPackageNotInstalledError: SQLite package has not been found installed. Try to install it: npm install sqlite3 --save at new t (/opt/nuclear/resources/app.asar/dist/main.js:2680:723535) at t.loadDependencies (/opt/nuclear/resources/app.asar/dist/main.js:2680:592613) at new t (/opt/nuclear/resources/app.asar/dist/main.js:2680:591154) at e.create (/opt/nuclear/resources/app.asar/dist/main.js:2680:70627) at new e (/opt/nuclear/resources/app.asar/dist/main.js:2680:23774) at e.create (/opt/nuclear/resources/app.asar/dist/main.js:2680:32984) at /opt/nuclear/resources/app.asar/dist/main.js:2682:12651 at /opt/nuclear/resources/app.asar/dist/main.js:2699:2716 at Object.next (/opt/nuclear/resources/app.asar/dist/main.js:2699:2821) at /opt/nuclear/resources/app.asar/dist/main.js:2699:1758 at new Promise (<anonymous>) at Module.u (/opt/nuclear/resources/app.asar/dist/main.js:2699:1503) at t.createConnection (/opt/nuclear/resources/app.asar/dist/main.js:2682:12385) at bn.connect (/opt/nuclear/resources/app.asar/dist/main.js:2711:488198) at App.<anonymous> (/opt/nuclear/resources/app.asar/dist/main.js:2711:529294) at App.emit (events.js:327:22) libva error: va_getDriverName() failed with unknown libva error,driver_name=(null) ipc api › error in event get-localfolders => Cannot read property 'find' of undefined ipc api › TypeError: Cannot read property 'find' of undefined at bn.getLocalFolders (/opt/nuclear/resources/app.asar/dist/main.js:2711:488573) at Qn.getLocalFolders (/opt/nuclear/resources/app.asar/dist/main.js:2711:496490) at IpcMainImpl.<anonymous> (/opt/nuclear/resources/app.asar/dist/main.js:2711:528433) at IpcMainImpl.emit (events.js:315:20) at Object.<anonymous> (electron/js2c/browser_init.js:161:10351) at Object.emit (events.js:315:20) ipc api › error in event get-metas => Cannot read property 'find' of undefined ipc api › TypeError: Cannot read property 'find' of undefined at bn.getTracks (/opt/nuclear/resources/app.asar/dist/main.js:2711:488952) at Qn.getLocalMetas (/opt/nuclear/resources/app.asar/dist/main.js:2711:496403) at IpcMainImpl.<anonymous> (/opt/nuclear/resources/app.asar/dist/main.js:2711:528433) at IpcMainImpl.emit (events.js:315:20) at Object.<anonymous> (electron/js2c/browser_init.js:161:10351) at Object.emit (events.js:315:20) (node:73) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead. (Use `exe --trace-deprecation ...` to show where the warning was created) ``` Is there another way one is supposed to solve this electron problem or is the nuclear.profile broken? **Bug and expected behavior** It should run the Nuclear music player or display an error message that tells the user exactly what to do / run to make it work. **No profile and disabling firejail** **Reproduce** Steps to reproduce the behavior: 1. Run the commands above on Debian10 **Environment** Debian10 stable Firejail version 0.9.64.4 **Additional context** **Checklist** - [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [x] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile. - [x] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages. - [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [x] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.
gitea-mirror commented 2026-05-05 09:19:34 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 26, 2021):

Did you set force-nonewprivs yes?
Do you have a globals.local or nuclear.local or electron.local?

What do you get with firejail --ignore=no3d nuclear --no-sandbox?

<!-- gh-comment-id:886558493 --> @rusty-snake commented on GitHub (Jul 26, 2021): Did you set `force-nonewprivs yes`? Do you have a globals.local or nuclear.local or electron.local? What do you get with `firejail --ignore=no3d nuclear --no-sandbox`?
gitea-mirror commented 2026-05-05 09:19:35 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Jul 26, 2021):

No, I didn't.
No, I didn't have a nuclear.local.
I get this:

(node:3) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `nuclear --trace-deprecation ...` to show where the warning was created)
A JavaScript error occurred in the main process
Uncaught Exception:
Error: EACCES: permission denied, open '/home/username/.config/nuclear/config.json'
    at Object.openSync (fs.js:476:3)
    at Object.func [as openSync] (electron/js2c/asar_bundle.js:5:1846)
    at Object.readFileSync (fs.js:377:35)
    at Object.e.readFileSync (electron/js2c/asar_bundle.js:5:8643)
    at e.exports.get store [as store] (/opt/nuclear/resources/app.asar/dist/main.js:2118:1196475)
    at new y (/opt/nuclear/resources/app.asar/dist/main.js:2118:1192456)
    at new e.exports (/opt/nuclear/resources/app.asar/dist/main.js:2165:49188)
    at Module../src/main.ts (/opt/nuclear/resources/app.asar/dist/main.js:2711:461516)
    at r (/opt/nuclear/resources/app.asar/dist/main.js:1:118)
    at /opt/nuclear/resources/app.asar/dist/main.js:1:1544

(nuclear:3): Gtk-WARNING **: 12:07:28.990: Theme parsing error: gtk.css:68:35: The style property GtkButton:child-displacement-x is deprecated and shouldn't be used anymore. It will be removed in a future version

(nuclear:3): Gtk-WARNING **: 12:07:28.990: Theme parsing error: gtk.css:69:35: The style property GtkButton:child-displacement-y is deprecated and shouldn't be used anymore. It will be removed in a future version

(nuclear:3): Gtk-WARNING **: 12:07:28.990: Theme parsing error: gtk.css:73:46: The style property GtkScrolledWindow:scrollbars-within-bevel is deprecated and shouldn't be used anymore. It will be removed in a future version
<!-- gh-comment-id:886565148 --> @mYnDstrEAm commented on GitHub (Jul 26, 2021): No, I didn't. No, I didn't have a nuclear.local. I get this: ``` (node:3) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead. (Use `nuclear --trace-deprecation ...` to show where the warning was created) A JavaScript error occurred in the main process Uncaught Exception: Error: EACCES: permission denied, open '/home/username/.config/nuclear/config.json' at Object.openSync (fs.js:476:3) at Object.func [as openSync] (electron/js2c/asar_bundle.js:5:1846) at Object.readFileSync (fs.js:377:35) at Object.e.readFileSync (electron/js2c/asar_bundle.js:5:8643) at e.exports.get store [as store] (/opt/nuclear/resources/app.asar/dist/main.js:2118:1196475) at new y (/opt/nuclear/resources/app.asar/dist/main.js:2118:1192456) at new e.exports (/opt/nuclear/resources/app.asar/dist/main.js:2165:49188) at Module../src/main.ts (/opt/nuclear/resources/app.asar/dist/main.js:2711:461516) at r (/opt/nuclear/resources/app.asar/dist/main.js:1:118) at /opt/nuclear/resources/app.asar/dist/main.js:1:1544 (nuclear:3): Gtk-WARNING **: 12:07:28.990: Theme parsing error: gtk.css:68:35: The style property GtkButton:child-displacement-x is deprecated and shouldn't be used anymore. It will be removed in a future version (nuclear:3): Gtk-WARNING **: 12:07:28.990: Theme parsing error: gtk.css:69:35: The style property GtkButton:child-displacement-y is deprecated and shouldn't be used anymore. It will be removed in a future version (nuclear:3): Gtk-WARNING **: 12:07:28.990: Theme parsing error: gtk.css:73:46: The style property GtkScrolledWindow:scrollbars-within-bevel is deprecated and shouldn't be used anymore. It will be removed in a future version ```
gitea-mirror commented 2026-05-05 09:19:36 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 26, 2021):

The "The SUID sandbox helper binary was found, but is not configured correctly." Issue should be gone since f4f6767458. What does firejail --profile=nuclear cat /proc/self/status | grep NoNewPrivs show? (It should be and must be NoNewPrivs: 0).

Does it work with --noprofile? Does --ignore=apparmor help?

Error: EACCES: permission denied, open '/home/username/.config/nuclear/config.json'

nuclear.profile has noblacklist ${HOME}/.config/nuclear. From where does this come (check --debug)?

<!-- gh-comment-id:886594791 --> @rusty-snake commented on GitHub (Jul 26, 2021): The "The SUID sandbox helper binary was found, but is not configured correctly." Issue should be gone since f4f6767458208a127084e4c0103fab88761d9056. What does `firejail --profile=nuclear cat /proc/self/status | grep NoNewPrivs` show? (It should be and must be `NoNewPrivs: 0`). Does it work with `--noprofile`? Does `--ignore=apparmor` help? > Error: EACCES: permission denied, open '/home/username/.config/nuclear/config.json' nuclear.profile has `noblacklist ${HOME}/.config/nuclear`. From where does this come (check `--debug`)?
gitea-mirror commented 2026-05-05 09:19:37 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Jul 26, 2021):

NoNewPrivs: 1
Should I set that in nuclear.local?
I'm using Firejail version 0.9.64.4 from Debian10 backports.
--debug doesn't have more info as far as I could see and shows just the same error messag at the end (it also has things like Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter before).

<!-- gh-comment-id:886603399 --> @mYnDstrEAm commented on GitHub (Jul 26, 2021): `NoNewPrivs: 1` Should I set that in nuclear.local? I'm using Firejail version 0.9.64.4 from Debian10 backports. `--debug` doesn't have more info as far as I could see and shows just the same error messag at the end (it also has things like `Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter` before).
gitea-mirror commented 2026-05-05 09:19:38 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 26, 2021):

Why does it install a seccomp filter? It should not do this. It must not do this.

<!-- gh-comment-id:886614194 --> @rusty-snake commented on GitHub (Jul 26, 2021): Why does it install a seccomp filter? It should not do this. It must not do this.
gitea-mirror commented 2026-05-05 09:19:38 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 26, 2021):

There is no protocol in

From where does it come?

<!-- gh-comment-id:886616124 --> @rusty-snake commented on GitHub (Jul 26, 2021): There is no `protocol` in - https://github.com/netblue30/firejail/blob/0.9.64.4/etc/profile-m-z/nuclear.profile - https://github.com/netblue30/firejail/blob/0.9.64.4/etc/profile-a-l/electron.profile From where does it come?
gitea-mirror commented 2026-05-05 09:19:39 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Jul 26, 2021):

The two profiles match those in the repo and there is no electron.local or nuclear.local (well I just created that file but it doesn't contain anything; I copy-pasted their contents to make sure they are the same). How to find out from where it comes?

I edited the issue description to show the complete error which takes a while to load. The nuclear I installed via .deb file is v0.6.6 (sha256sum e18b2b00f136b0f5b0642cd34a08938771d90bcd47012b77a5d34202173e02a1).

<!-- gh-comment-id:886619310 --> @mYnDstrEAm commented on GitHub (Jul 26, 2021): The two profiles match those in the repo and there is no electron.local or nuclear.local (well I just created that file but it doesn't contain anything; I copy-pasted their contents to make sure they are the same). How to find out from where it comes? I edited the issue description to show the complete error which takes a while to load. The nuclear I installed via .deb file is v0.6.6 (sha256sum `e18b2b00f136b0f5b0642cd34a08938771d90bcd47012b77a5d34202173e02a1`).
gitea-mirror commented 2026-05-05 09:19:39 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Jul 26, 2021):

firejail --ignore=apparmor --ignore=no3d --profile=/etc/firejail/nuclear.profile nuclear --no-sandbox doesn't work either. Are those error messages of any use in finding the cause of this? Why does the SQLite package fail?

<!-- gh-comment-id:886784221 --> @mYnDstrEAm commented on GitHub (Jul 26, 2021): `firejail --ignore=apparmor --ignore=no3d --profile=/etc/firejail/nuclear.profile nuclear --no-sandbox` doesn't work either. Are those error messages of any use in finding the cause of this? Why does the SQLite package fail?
gitea-mirror commented 2026-05-05 09:19:39 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 26, 2021):

Because it talks about js files and npm you maybe need to allow this stuff (ignore include disable-interpreters.inc and ignore include disable-programs.inc for now). Anyway I'm still thinking why NNP is set/from where the protocol seccomp filters come. Can you post the --debug output.

<!-- gh-comment-id:886788742 --> @rusty-snake commented on GitHub (Jul 26, 2021): Because it talks about js files and npm you maybe need to allow this stuff (`ignore include disable-interpreters.inc` and `ignore include disable-programs.inc` for now). Anyway I'm still thinking why NNP is set/from where the protocol seccomp filters come. Can you post the `--debug` output.
gitea-mirror commented 2026-05-05 09:19:40 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Jul 26, 2021):

Output of the above command:

...
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
...
Mounting noexec /run/firejail/mnt/pulse
1788 1286 0:78 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1788 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Creating empty /home/username/.config/pulse directory
Drop privileges: pid 22, uid 1000, gid 1000, nogroups 0
Mounting /run/firejail/mnt/pulse on /home/username/.config/pulse
1789 1370 0:78 /pulse /home/username/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1789 fsname=/pulse dir=/home/username/.config/pulse fstype=tmpfs
Current directory: /home/username
DISPLAY=:0 parsed as 0
Mounting read-only /run/firejail/mnt/seccomp
1791 1286 0:78 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755
mountid=1791 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             440 ..
-rw-r--r-- 1000     1000            1072 seccomp
-rw-r--r-- 1000     1000             808 seccomp.32
-rw-r--r-- 1000     1000               0 seccomp.postexec
-rw-r--r-- 1000     1000               0 seccomp.postexec32
No active seccomp files
Dropping all capabilities
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
Starting application
....
<!-- gh-comment-id:886814788 --> @mYnDstrEAm commented on GitHub (Jul 26, 2021): Output of the above command: ``` ... Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file Mounting /proc filesystem representing the PID namespace ... Mounting noexec /run/firejail/mnt/pulse 1788 1286 0:78 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=1788 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs Creating empty /home/username/.config/pulse directory Drop privileges: pid 22, uid 1000, gid 1000, nogroups 0 Mounting /run/firejail/mnt/pulse on /home/username/.config/pulse 1789 1370 0:78 /pulse /home/username/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=1789 fsname=/pulse dir=/home/username/.config/pulse fstype=tmpfs Current directory: /home/username DISPLAY=:0 parsed as 0 Mounting read-only /run/firejail/mnt/seccomp 1791 1286 0:78 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755 mountid=1791 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Seccomp directory: ls /run/firejail/mnt/seccomp drwxr-xr-x root root 120 . drwxr-xr-x root root 440 .. -rw-r--r-- 1000 1000 1072 seccomp -rw-r--r-- 1000 1000 808 seccomp.32 -rw-r--r-- 1000 1000 0 seccomp.postexec -rw-r--r-- 1000 1000 0 seccomp.postexec32 No active seccomp files Dropping all capabilities Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1 No supplementary groups Starting application .... ```
gitea-mirror commented 2026-05-05 09:19:40 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 26, 2021):

Dropping all capabilities

It must not do this.

Can you post the first lines, e.g which files it reads.

<!-- gh-comment-id:886820916 --> @rusty-snake commented on GitHub (Jul 26, 2021): > Dropping all capabilities It must not do this. Can you post the first lines, e.g which files it reads.
gitea-mirror commented 2026-05-05 09:19:40 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Jul 26, 2021):

Sure, would have posted them already if there was something strange in there (electron.profile and nuclear.profile have their default content)

Reading profile /etc/firejail/nuclear.profile
Found nuclear.local profile in /home/username/.config/firejail directory
Found disable-shell.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-shell.inc
Found electron.profile profile in /etc/firejail directory
Reading profile /etc/firejail/electron.profile
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-common.local profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.local
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-exec.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-exec.inc
Found disable-interpreters.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-interpreters.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found disable-xdg.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-xdg.inc
Found whitelist-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-common.inc
Found whitelist-runuser-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-runuser-common.inc
Found whitelist-usr-share-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Found whitelist-var-common.inc profile in /home/username/.config/firejail directory
Reading profile /home/username/.config/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Building quoted command line: 'nuclear' '--no-sandbox' 
Command name #nuclear#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid [pid], child pid [pid]
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
<!-- gh-comment-id:886823734 --> @mYnDstrEAm commented on GitHub (Jul 26, 2021): Sure, would have posted them already if there was something strange in there (electron.profile and nuclear.profile have their default content) ``` Reading profile /etc/firejail/nuclear.profile Found nuclear.local profile in /home/username/.config/firejail directory Found disable-shell.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-shell.inc Found electron.profile profile in /etc/firejail directory Reading profile /etc/firejail/electron.profile Found disable-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-common.inc Found disable-common.local profile in /etc/firejail directory Reading profile /etc/firejail/disable-common.local Found disable-devel.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-devel.inc Found disable-exec.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-exec.inc Found disable-interpreters.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-interpreters.inc Found disable-passwdmgr.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-passwdmgr.inc Found disable-programs.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-programs.inc Found disable-xdg.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-xdg.inc Found whitelist-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-common.inc Found whitelist-runuser-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-runuser-common.inc Found whitelist-usr-share-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-usr-share-common.inc Found whitelist-var-common.inc profile in /home/username/.config/firejail directory Reading profile /home/username/.config/firejail/whitelist-var-common.inc Warning: networking feature is disabled in Firejail configuration file Building quoted command line: 'nuclear' '--no-sandbox' Command name #nuclear# DISPLAY=:0 parsed as 0 Using the local network stack Parent pid [pid], child pid [pid] Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file Mounting /proc filesystem representing the PID namespace ```
gitea-mirror commented 2026-05-05 09:19:41 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 26, 2021):

Found nuclear.local profile in /home/username/.config/firejail directory

This is empty as I got you

Found whitelist-var-common.inc profile in /home/username/.config/firejail directory

and this must only contain whitelist /var/foobarbaz commands.

<!-- gh-comment-id:886830894 --> @rusty-snake commented on GitHub (Jul 26, 2021): > Found nuclear.local profile in /home/username/.config/firejail directory This is empty as I got you > Found whitelist-var-common.inc profile in /home/username/.config/firejail directory and this must only contain `whitelist /var/foobarbaz` commands.
gitea-mirror commented 2026-05-05 09:19:41 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Jul 26, 2021):

Yes, it's empty...I even moved out #commented out lines.
I don't think I created a whitelist-var-common.inc file so it must have been created by default and I didn't change it. It only includes whitelists of /var/ directories and includes whitelist-var-common.local (which doesn't exist).

<!-- gh-comment-id:886840820 --> @mYnDstrEAm commented on GitHub (Jul 26, 2021): Yes, it's empty...I even moved out #commented out lines. I don't think I created a whitelist-var-common.inc file so it must have been created by default and I didn't change it. It only includes whitelists of /var/ directories and includes whitelist-var-common.local (which doesn't exist).
gitea-mirror commented 2026-05-05 09:19:42 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jul 30, 2021):

so it must have been created by default

Neither firejail nor your package manager write to $HOME/.config/firejail resp. $HOME. Anyway "It only includes whitelists of /var/ directories".

<!-- gh-comment-id:889811213 --> @rusty-snake commented on GitHub (Jul 30, 2021): > so it must have been created by default Neither firejail nor your package manager write to $HOME/.config/firejail resp. $HOME. Anyway "It only includes whitelists of /var/ directories".
gitea-mirror commented 2026-05-05 09:19:42 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Aug 3, 2021):

I'm sure that I haven't created that file or only created it because it was part of some guide to get something to work with the file's contents to be pasted in or the file to be copied but forgot about it. This is the file's contents, I don't think it's why it doesn't run:

# Local customizations come here
include whitelist-var-common.local

# common /var whitelist for all profiles

whitelist /var/lib/dbus
whitelist /var/lib/menu-xdg
whitelist /var/cache/fontconfig
whitelist /var/tmp
whitelist /var/run
whitelist /var/lock

/home/username/.config/firejail/whitelist-var-common.local doesn't exist. Any ideas how to get Nuclear to work? Also attaching --disable-setuid-sandbox isn't needed right?

/etc/firejail/whitelist-var-common.inc has the following contents:

# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include whitelist-var-common.local

# common /var whitelist for all profiles

whitelist /var/lib/ca-certificates
whitelist /var/lib/dbus
whitelist /var/lib/menu-xdg
whitelist /var/lib/uim
whitelist /var/cache/fontconfig
whitelist /var/tmp
whitelist /var/run
whitelist /var/lock
<!-- gh-comment-id:891969201 --> @mYnDstrEAm commented on GitHub (Aug 3, 2021): I'm sure that I haven't created that file or only created it because it was part of some guide to get something to work with the file's contents to be pasted in or the file to be copied but forgot about it. This is the file's contents, I don't think it's why it doesn't run: ``` # Local customizations come here include whitelist-var-common.local # common /var whitelist for all profiles whitelist /var/lib/dbus whitelist /var/lib/menu-xdg whitelist /var/cache/fontconfig whitelist /var/tmp whitelist /var/run whitelist /var/lock ``` /home/username/.config/firejail/whitelist-var-common.local doesn't exist. Any ideas how to get Nuclear to work? Also attaching `--disable-setuid-sandbox` isn't needed right? /etc/firejail/whitelist-var-common.inc has the following contents: ``` # This file is overwritten during software install. # Persistent customizations should go in a .local file. include whitelist-var-common.local # common /var whitelist for all profiles whitelist /var/lib/ca-certificates whitelist /var/lib/dbus whitelist /var/lib/menu-xdg whitelist /var/lib/uim whitelist /var/cache/fontconfig whitelist /var/tmp whitelist /var/run whitelist /var/lock ```
gitea-mirror commented 2026-05-05 09:19:43 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 3, 2021):

What does the disable-common.local contain?

<!-- gh-comment-id:892043187 --> @rusty-snake commented on GitHub (Aug 3, 2021): What does the disable-common.local contain?
gitea-mirror commented 2026-05-05 09:19:43 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Aug 3, 2021):

Only blacklist ${HOME}/... entries
None of those directories is used by Nuclear. I didn't even block blacklist ${HOME}/Music for example. (caps.drop all and apparmor are #commented out).

<!-- gh-comment-id:892073971 --> @mYnDstrEAm commented on GitHub (Aug 3, 2021): Only `blacklist ${HOME}/...` entries None of those directories is used by Nuclear. I didn't even block blacklist ${HOME}/Music for example. (caps.drop all and apparmor are #commented out).
gitea-mirror commented 2026-05-05 09:19:43 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 3, 2021):

caps.drop all and apparmor are #commented out

In disable-common.local? Since when?

<!-- gh-comment-id:892080257 --> @rusty-snake commented on GitHub (Aug 3, 2021): > caps.drop all and apparmor are #commented out In disable-common.local? Since when?
gitea-mirror commented 2026-05-05 09:19:44 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Aug 3, 2021):

I think since before I recently tried to get Nuclear running again. It was just a note that's most likely irrelevant as these are commented out anyway but it's what I'd try to (re)include if everything works fine otherwise.

<!-- gh-comment-id:892081657 --> @mYnDstrEAm commented on GitHub (Aug 3, 2021): I think since before I recently tried to get Nuclear running again. It was just a note that's most likely irrelevant as these are commented out anyway but it's what I'd try to (re)include if everything works fine otherwise.
gitea-mirror commented 2026-05-05 09:19:44 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 3, 2021):

So it was already commented when you got "Dropping all capabilities".

Btw does it work without firejail or with --noprofile?

<!-- gh-comment-id:892086214 --> @rusty-snake commented on GitHub (Aug 3, 2021): So it was already commented when you got "[Dropping all capabilities](https://github.com/netblue30/firejail/issues/4422#issuecomment-886814788)". Btw does it work without firejail or with --noprofile?
gitea-mirror commented 2026-05-05 09:19:45 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Aug 3, 2021):

I commented it out at this point. The output of firejail --debug --ignore=apparmor --ignore=no3d --profile=/etc/firejail/nuclear.profile nuclear --no-sandbox is slightly different:

[...]
Disable /usr/local/lib/python3.7
Disable /usr/local/lib/python3.6
Not blacklist /home/username/.config/nuclear
Mounting read-only /tmp/.X11-unix
1763 1696 254:1 /tmp/.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/name rw,errors=remount-ro
mountid=1763 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Disable /sys/fs
Disable /sys/module
Disable /mnt
Disable /media
Disable /run/mount
Mounting noexec /run/firejail/mnt/pulse
1769 1270 0:77 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1769 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Creating empty /home/username/.config/pulse directory
Drop privileges: pid 22, uid 1000, gid 1000, nogroups 0
Mounting /run/firejail/mnt/pulse on /home/username/.config/pulse
1770 1351 0:77 /pulse /home/username/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1770 fsname=/pulse dir=/home/username/.config/pulse fstype=tmpfs
Current directory: /home/username/
DISPLAY=:0 parsed as 0
Mounting read-only /run/firejail/mnt/seccomp
1772 1270 0:77 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755
mountid=1772 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             440 ..
-rw-r--r-- 1000     1000            1072 seccomp
-rw-r--r-- 1000     1000             808 seccomp.32
-rw-r--r-- 1000     1000               0 seccomp.postexec
-rw-r--r-- 1000     1000               0 seccomp.postexec32
No active seccomp files
Set caps filter 240000
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
Starting application
LD_PRELOAD=(null)
execvp argument 0: nuclear
execvp argument 1: --no-sandbox
Child process initialized in 897.22 ms
Searching $PATH for nuclear
trying #/home/username/local/Python36/bin/nuclear#
trying #/home/username/.nvm/versions/node/v12.22.2/bin/nuclear#
trying #/usr/local/bin/nuclear#
trying #/usr/bin/nuclear#
monitoring pid 23

      main › (node:23) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `nuclear --trace-deprecation ...` to show where the warning was created)

(nuclear:23): Gtk-WARNING **: ...: Theme parsing error: gtk.css:68:35: The style property GtkButton:child-displacement-x is deprecated and shouldn't be used anymore. It will be removed in a future version

(nuclear:23): Gtk-WARNING **: ...: Theme parsing error: gtk.css:69:35: The style property GtkButton:child-displacement-y is deprecated and shouldn't be used anymore. It will be removed in a future version

(nuclear:23): Gtk-WARNING **: ...: Theme parsing error: gtk.css:73:46: The style property GtkScrolledWindow:scrollbars-within-bevel is deprecated and shouldn't be used anymore. It will be removed in a future version
      main › Sqlite database creation failed
      main › DriverPackageNotInstalledError: SQLite package has not been found installed. Try to install it: npm install sqlite3 --save
[...]

Haven't tried running it without a firejail profile and it doesn't seem like there's an easy way to generate a VM of the current system.

<!-- gh-comment-id:892091924 --> @mYnDstrEAm commented on GitHub (Aug 3, 2021): I commented it out [at this point](https://github.com/netblue30/firejail/issues/4428#issuecomment-889051217). The output of `firejail --debug --ignore=apparmor --ignore=no3d --profile=/etc/firejail/nuclear.profile nuclear --no-sandbox` is slightly different: ``` [...] Disable /usr/local/lib/python3.7 Disable /usr/local/lib/python3.6 Not blacklist /home/username/.config/nuclear Mounting read-only /tmp/.X11-unix 1763 1696 254:1 /tmp/.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/name rw,errors=remount-ro mountid=1763 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4 Disable /sys/fs Disable /sys/module Disable /mnt Disable /media Disable /run/mount Mounting noexec /run/firejail/mnt/pulse 1769 1270 0:77 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=1769 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs Creating empty /home/username/.config/pulse directory Drop privileges: pid 22, uid 1000, gid 1000, nogroups 0 Mounting /run/firejail/mnt/pulse on /home/username/.config/pulse 1770 1351 0:77 /pulse /home/username/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=1770 fsname=/pulse dir=/home/username/.config/pulse fstype=tmpfs Current directory: /home/username/ DISPLAY=:0 parsed as 0 Mounting read-only /run/firejail/mnt/seccomp 1772 1270 0:77 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755 mountid=1772 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Seccomp directory: ls /run/firejail/mnt/seccomp drwxr-xr-x root root 120 . drwxr-xr-x root root 440 .. -rw-r--r-- 1000 1000 1072 seccomp -rw-r--r-- 1000 1000 808 seccomp.32 -rw-r--r-- 1000 1000 0 seccomp.postexec -rw-r--r-- 1000 1000 0 seccomp.postexec32 No active seccomp files Set caps filter 240000 Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1 No supplementary groups Starting application LD_PRELOAD=(null) execvp argument 0: nuclear execvp argument 1: --no-sandbox Child process initialized in 897.22 ms Searching $PATH for nuclear trying #/home/username/local/Python36/bin/nuclear# trying #/home/username/.nvm/versions/node/v12.22.2/bin/nuclear# trying #/usr/local/bin/nuclear# trying #/usr/bin/nuclear# monitoring pid 23 main › (node:23) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead. (Use `nuclear --trace-deprecation ...` to show where the warning was created) (nuclear:23): Gtk-WARNING **: ...: Theme parsing error: gtk.css:68:35: The style property GtkButton:child-displacement-x is deprecated and shouldn't be used anymore. It will be removed in a future version (nuclear:23): Gtk-WARNING **: ...: Theme parsing error: gtk.css:69:35: The style property GtkButton:child-displacement-y is deprecated and shouldn't be used anymore. It will be removed in a future version (nuclear:23): Gtk-WARNING **: ...: Theme parsing error: gtk.css:73:46: The style property GtkScrolledWindow:scrollbars-within-bevel is deprecated and shouldn't be used anymore. It will be removed in a future version main › Sqlite database creation failed main › DriverPackageNotInstalledError: SQLite package has not been found installed. Try to install it: npm install sqlite3 --save [...] ``` Haven't tried running it without a firejail profile and [it doesn't seem like there's an easy way to generate a VM of the current system](https://unix.stackexchange.com/questions/656393/are-there-dedicated-tools-for-efficient-backups-of-fully-encrypted-debian-gnu).
gitea-mirror commented 2026-05-05 09:19:45 -06:00
Author
Owner
Copy link

@mYnDstrEAm commented on GitHub (Sep 20, 2021):

Now it does start but it still shows these errors (and takes a bit too long to launch).
Furthermore the nuclear.local profile file in /home/username/.config/firejail directory wasn't just commented out lines anymore but had the following contents I didn't write`(they are different from the contents here):

################################
# Generic GUI application profile
################################
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-passwdmgr.inc

#blacklist ${HOME}/.wine

caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6
seccomp

So I think this file was generated / overwritten somehow (however its metadata has modified & created in June 2020).

Maybe it's working now because of the upgrade from Debian 10 to 11. Looks like the issue can be closed.

The output of firejail nuclear now is:

Reading profile /etc/firejail/nuclear.profile
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /home/username/.config/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid ...., child pid ....
Private /opt installed in xx9.9x ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning fcopy: skipping /etc/alternatives/js, cannot find inode
Warning fcopy: skipping /etc/alternatives/js.1.gz, cannot find inode
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Warning fcopy: skipping /etc/pulse/client.conf.d/01-enable-autospawn.conf, cannot find inode
Private /etc installed in xx.86 ms
Warning: skipping alsa for private /usr/etc
Warning: skipping alternatives for private /usr/etc
Warning: skipping asound.conf for private /usr/etc
Warning: skipping ca-certificates for private /usr/etc
Warning: skipping crypto-policies for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping gtk-2.0 for private /usr/etc
Warning: skipping gtk-3.0 for private /usr/etc
Warning: skipping host.conf for private /usr/etc
Warning: skipping hostname for private /usr/etc
Warning: skipping hosts for private /usr/etc
Warning: skipping mime.types for private /usr/etc
Warning: skipping nsswitch.conf for private /usr/etc
Warning: skipping pki for private /usr/etc
Warning: skipping pulse for private /usr/etc
Warning: skipping resolv.conf for private /usr/etc
Warning: skipping selinux for private /usr/etc
Warning: skipping ssl for private /usr/etc
Warning: skipping X11 for private /usr/etc
Warning: skipping xdg for private /usr/etc
Private /usr/etc installed in 0.x5 ms
Child process initialized in xx3.90 ms
      main › (node:23) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `nuclear --trace-deprecation ...` to show where the warning was created)
libGL error: MESA-LOADER: failed to retrieve device information
libGL error: Version 4 or later of flush extension not found
libGL error: failed to load driver: i915
libGL error: failed to open /dev/dri/card0: No such file or directory
libGL error: failed to load driver: iris
      main › Sqlite database creation failed
      main › DriverPackageNotInstalledError: SQLite package has not been found installed. Try to install it: npm install sqlite3 --save
    at new t (/opt/nuclear/resources/app.asar/dist/main.js:2680:723535)
    at t.loadDependencies (/opt/nuclear/resources/app.asar/dist/main.js:2680:592613)
    at new t (/opt/nuclear/resources/app.asar/dist/main.js:2680:591154)
    at e.create (/opt/nuclear/resources/app.asar/dist/main.js:2680:70627)
    at new e (/opt/nuclear/resources/app.asar/dist/main.js:2680:23774)
    at e.create (/opt/nuclear/resources/app.asar/dist/main.js:2680:32984)
    at /opt/nuclear/resources/app.asar/dist/main.js:2682:12651
    at /opt/nuclear/resources/app.asar/dist/main.js:2699:2716
    at Object.next (/opt/nuclear/resources/app.asar/dist/main.js:2699:2821)
    at /opt/nuclear/resources/app.asar/dist/main.js:2699:1758
    at new Promise (<anonymous>)
    at Module.u (/opt/nuclear/resources/app.asar/dist/main.js:2699:1503)
    at t.createConnection (/opt/nuclear/resources/app.asar/dist/main.js:2682:12385)
    at bn.connect (/opt/nuclear/resources/app.asar/dist/main.js:2711:488198)
    at App.<anonymous> (/opt/nuclear/resources/app.asar/dist/main.js:2711:529294)
    at App.emit (events.js:327:22)
   ipc api › error in event get-localfolders => Cannot read property 'find' of undefined
   ipc api › TypeError: Cannot read property 'find' of undefined
    at bn.getLocalFolders (/opt/nuclear/resources/app.asar/dist/main.js:2711:488573)
    at Qn.getLocalFolders (/opt/nuclear/resources/app.asar/dist/main.js:2711:496490)
    at IpcMainImpl.<anonymous> (/opt/nuclear/resources/app.asar/dist/main.js:2711:528433)
    at IpcMainImpl.emit (events.js:315:20)
    at Object.<anonymous> (electron/js2c/browser_init.js:161:10351)
    at Object.emit (events.js:315:20)
   ipc api › error in event get-metas => Cannot read property 'find' of undefined
   ipc api › TypeError: Cannot read property 'find' of undefined
    at bn.getTracks (/opt/nuclear/resources/app.asar/dist/main.js:2711:488952)
    at Qn.getLocalMetas (/opt/nuclear/resources/app.asar/dist/main.js:2711:496403)
    at IpcMainImpl.<anonymous> (/opt/nuclear/resources/app.asar/dist/main.js:2711:528433)
    at IpcMainImpl.emit (events.js:315:20)
    at Object.<anonymous> (electron/js2c/browser_init.js:161:10351)
    at Object.emit (events.js:315:20)
(node:89) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.
(Use `exe --trace-deprecation ...` to show where the warning was created)

(After at Object.emit (events.js:315:20) it's taking too long to load, and I don't know what those errors are about.)

<!-- gh-comment-id:923251684 --> @mYnDstrEAm commented on GitHub (Sep 20, 2021): Now it does start but it still shows these errors (and takes a bit too long to launch). Furthermore the nuclear.local profile file in /home/username/.config/firejail directory wasn't just commented out lines anymore but had the following contents I didn't write`(they are different from the contents [here](https://github.com/netblue30/firejail/issues/4422#issuecomment-891969201)): ``` ################################ # Generic GUI application profile ################################ include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-passwdmgr.inc #blacklist ${HOME}/.wine caps.drop all netfilter nonewprivs noroot protocol unix,inet,inet6 seccomp ``` So I think this file was generated / overwritten somehow (however its metadata has modified & created in June 2020). Maybe it's working now because of the upgrade from Debian 10 to 11. Looks like the issue can be closed. The output of `firejail nuclear` now is: ``` Reading profile /etc/firejail/nuclear.profile Reading profile /etc/firejail/disable-shell.inc Reading profile /etc/firejail/electron.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-common.local Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /home/username/.config/firejail/whitelist-var-common.inc Warning: networking feature is disabled in Firejail configuration file Parent pid ...., child pid .... Private /opt installed in xx9.9x ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning fcopy: skipping /etc/alternatives/js, cannot find inode Warning fcopy: skipping /etc/alternatives/js.1.gz, cannot find inode Warning: skipping asound.conf for private /etc Warning: skipping crypto-policies for private /etc Warning: skipping pki for private /etc Warning fcopy: skipping /etc/pulse/client.conf.d/01-enable-autospawn.conf, cannot find inode Private /etc installed in xx.86 ms Warning: skipping alsa for private /usr/etc Warning: skipping alternatives for private /usr/etc Warning: skipping asound.conf for private /usr/etc Warning: skipping ca-certificates for private /usr/etc Warning: skipping crypto-policies for private /usr/etc Warning: skipping fonts for private /usr/etc Warning: skipping gtk-2.0 for private /usr/etc Warning: skipping gtk-3.0 for private /usr/etc Warning: skipping host.conf for private /usr/etc Warning: skipping hostname for private /usr/etc Warning: skipping hosts for private /usr/etc Warning: skipping mime.types for private /usr/etc Warning: skipping nsswitch.conf for private /usr/etc Warning: skipping pki for private /usr/etc Warning: skipping pulse for private /usr/etc Warning: skipping resolv.conf for private /usr/etc Warning: skipping selinux for private /usr/etc Warning: skipping ssl for private /usr/etc Warning: skipping X11 for private /usr/etc Warning: skipping xdg for private /usr/etc Private /usr/etc installed in 0.x5 ms Child process initialized in xx3.90 ms main › (node:23) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead. (Use `nuclear --trace-deprecation ...` to show where the warning was created) libGL error: MESA-LOADER: failed to retrieve device information libGL error: Version 4 or later of flush extension not found libGL error: failed to load driver: i915 libGL error: failed to open /dev/dri/card0: No such file or directory libGL error: failed to load driver: iris main › Sqlite database creation failed main › DriverPackageNotInstalledError: SQLite package has not been found installed. Try to install it: npm install sqlite3 --save at new t (/opt/nuclear/resources/app.asar/dist/main.js:2680:723535) at t.loadDependencies (/opt/nuclear/resources/app.asar/dist/main.js:2680:592613) at new t (/opt/nuclear/resources/app.asar/dist/main.js:2680:591154) at e.create (/opt/nuclear/resources/app.asar/dist/main.js:2680:70627) at new e (/opt/nuclear/resources/app.asar/dist/main.js:2680:23774) at e.create (/opt/nuclear/resources/app.asar/dist/main.js:2680:32984) at /opt/nuclear/resources/app.asar/dist/main.js:2682:12651 at /opt/nuclear/resources/app.asar/dist/main.js:2699:2716 at Object.next (/opt/nuclear/resources/app.asar/dist/main.js:2699:2821) at /opt/nuclear/resources/app.asar/dist/main.js:2699:1758 at new Promise (<anonymous>) at Module.u (/opt/nuclear/resources/app.asar/dist/main.js:2699:1503) at t.createConnection (/opt/nuclear/resources/app.asar/dist/main.js:2682:12385) at bn.connect (/opt/nuclear/resources/app.asar/dist/main.js:2711:488198) at App.<anonymous> (/opt/nuclear/resources/app.asar/dist/main.js:2711:529294) at App.emit (events.js:327:22) ipc api › error in event get-localfolders => Cannot read property 'find' of undefined ipc api › TypeError: Cannot read property 'find' of undefined at bn.getLocalFolders (/opt/nuclear/resources/app.asar/dist/main.js:2711:488573) at Qn.getLocalFolders (/opt/nuclear/resources/app.asar/dist/main.js:2711:496490) at IpcMainImpl.<anonymous> (/opt/nuclear/resources/app.asar/dist/main.js:2711:528433) at IpcMainImpl.emit (events.js:315:20) at Object.<anonymous> (electron/js2c/browser_init.js:161:10351) at Object.emit (events.js:315:20) ipc api › error in event get-metas => Cannot read property 'find' of undefined ipc api › TypeError: Cannot read property 'find' of undefined at bn.getTracks (/opt/nuclear/resources/app.asar/dist/main.js:2711:488952) at Qn.getLocalMetas (/opt/nuclear/resources/app.asar/dist/main.js:2711:496403) at IpcMainImpl.<anonymous> (/opt/nuclear/resources/app.asar/dist/main.js:2711:528433) at IpcMainImpl.emit (events.js:315:20) at Object.<anonymous> (electron/js2c/browser_init.js:161:10351) at Object.emit (events.js:315:20) (node:89) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead. (Use `exe --trace-deprecation ...` to show where the warning was created) ``` (After `at Object.emit (events.js:315:20)` it's taking too long to load, and I don't know what those errors are about.)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2663
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?