[GH-ISSUE #4713] Can't mount using firejail #2761

Closed
opened 2026-05-05 09:25:28 -06:00 by gitea-mirror · 12 comments

Originally created by @Kcchouette on GitHub (Nov 25, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4713

Description

Hello,
Using firejail, I can't mount with the rclone application.

Steps to Reproduce

Steps to reproduce the behavior

  1. Run in bash LC_ALL=C firejail --noprofile --ignore=quiet --debug rclone mount "rcloneconf:/Font/" ~/test/
  2. Visit ~/test/
  3. See nothing in this folder (ls is empty too)

Expected behavior

Without firejail, rclone correctly mounts the directory.

Actual behavior

It doesn't mount the directory

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal? Nothing

Additional context

Any other detail that may help to understand/debug the problem

Environment

  • Manjaro
  • Firejail version: firejail version 0.9.66

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Nothing relevant

Output of LC_ALL=C firejail --debug /path/to/program

$ LC_ALL=C firejail --debug --noprofile rclone mount "rcloneconf:/Font/" ~/test/
Autoselecting /bin/bash as shell
Building quoted command line: 'rclone' 'mount' 'rcloneconf:/Font/' '/home/user/test/' 
Command name #rclone#
DISPLAY=:1 parsed as 1
Using the local network stack
Parent pid 4811, child pid 4812
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
365 330 254:0 /etc /etc ro,noatime master:1 - ext4 /dev/mapper/luks-8e0fbe0b-0903-4bbc-b74e-f8b331939efd rw
mountid=365 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
366 365 254:0 /etc /etc ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/mapper/luks-8e0fbe0b-0903-4bbc-b74e-f8b331939efd rw
mountid=366 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
369 367 7:1 / /var/lib/snapd/snap/core/11993 ro,nodev,relatime master:49 - squashfs /dev/loop1 ro
mountid=369 fsname=/ dir=/var/lib/snapd/snap/core/11993 fstype=squashfs
Mounting noexec /var
496 370 7:1 / /var/lib/snapd/snap/core/11993 ro,nodev,relatime master:49 - squashfs /dev/loop1 ro
mountid=496 fsname=/ dir=/var/lib/snapd/snap/core/11993 fstype=squashfs
Mounting noexec /var/lib/snapd/snap/core/11798
497 371 7:0 / /var/lib/snapd/snap/core/11798 ro,nosuid,nodev,noexec,relatime master:46 - squashfs /dev/loop0 ro
mountid=497 fsname=/ dir=/var/lib/snapd/snap/core/11798 fstype=squashfs
Mounting noexec /var/lib/snapd/snap/core/11993
502 496 7:1 / /var/lib/snapd/snap/core/11993 ro,nosuid,nodev,noexec,relatime master:49 - squashfs /dev/loop1 ro
mountid=502 fsname=/ dir=/var/lib/snapd/snap/core/11993 fstype=squashfs
Mounting read-only /usr
503 330 254:0 /usr /usr ro,noatime master:1 - ext4 /dev/mapper/luks-8e0fbe0b-0903-4bbc-b74e-f8b331939efd rw
mountid=503 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Current directory: /home/user
DISPLAY=:1 parsed as 1
Masking all X11 sockets except /tmp/.X11-unix/X1
Mounting read-only /run/firejail/mnt/seccomp
544 362 0:57 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=544 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             160 ..
-rw-r--r-- user   user           568 seccomp
-rw-r--r-- user   user           432 seccomp.32
-rw-r--r-- user   user             0 seccomp.postexec
-rw-r--r-- user   user             0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 0
Starting application
LD_PRELOAD=(null)
Running 'rclone' 'mount' 'rcloneconf:/Font/' '/home/user/test/'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'rclone' 'mount' 'rcloneconf:/Font/' '/home/user/test/' 
Child process initialized in 4.21 ms
monitoring pid 2

gitea-mirror 2026-05-05 09:25:28 -06:00: closed this issue and added the notabug label

@rusty-snake commented on GitHub (Nov 25, 2021):

Mounting is a privileged task. How does rclone get CAP_SYS_ADMIN? userns? suid? setcap? Or is it a FUSE implementation? Did you modify firejail.config?


@Kcchouette commented on GitHub (Nov 25, 2021):

I have exactly this file: https://raw.githubusercontent.com/netblue30/firejail/0.9.66/etc/firejail.config

From what I am seeing, they use /dev/fuse: https://github.com/rclone/rclone/blob/master/contrib/docker-plugin/managed/config.json


@rusty-snake commented on GitHub (Nov 25, 2021):

Does it work with the noprofile.profile?


@Kcchouette commented on GitHub (Nov 25, 2021):

No, the log above is using --noprofile.


@rusty-snake commented on GitHub (Nov 25, 2021):

noprofile.profile, not --noprofile.


@Kcchouette commented on GitHub (Nov 25, 2021):

It seems not:

$ firejail --profile=/etc/firejail/noprofile.profile rclone mount "rcloneconf:/Font/" ~/test/
Reading profile /etc/firejail/noprofile.profile
Parent pid 7235, child pid 7236
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Child process initialized in 2.59 ms

@rusty-snake commented on GitHub (Nov 25, 2021):

If no one else has an idea, it seems like rclone does not work with firejail (generally).


@Kcchouette commented on GitHub (Nov 25, 2021):

Someone showed me this weird trick:
if you join the firejail ID of the rclone mount using bash:

$ firejail --join=XXX bash
$ ls ~/test

I can see the content 🤔


@rusty-snake commented on GitHub (Nov 25, 2021):

Ohh, you expected a mount operation inside the sandbox to take effect on your system (outside the sandbox and its mount namespace).

No, this does not work. And it doesn't make sense to put a program in a "sandbox" which allows things like that.


@rusty-snake commented on GitHub (Nov 26, 2021):

So if you run firejail --noprofile bash, run rclone ... inside it and ls inside it, you see it. But if you ls in a second terminal, you don't see it. Right? That's what to expect and what you want.


@Kcchouette commented on GitHub (Nov 26, 2021):

Yes, but I was expecting the ls in the 2nd terminal to work.


@rusty-snake commented on GitHub (Nov 26, 2021):

I think we can close here. If we mounted / with MS_SHARED | MS_REC to allow a sandbox to propagate mounts to the host (which also makes a lot of trouble and possible CVEs), the sandbox would be useless (a program could just mount bad-bashrc over ~/.bashrc instead of ~/test).

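Added example (not code from the firejail project or from anyone in this thread) illustrating the last two comments: a small parser for /proc/<pid>/mountinfo lines that reports each mount's propagation type. The three sandbox lines are quoted from the --debug log in this issue; the host root line is constructed. The master:N tags on the sandbox's mounts mean they are slaves of the host's peer groups, so host mounts flow in but a FUSE mount made inside never flows back out, which is why ls ~/test in a second terminal stays empty.

```python
import re
from dataclasses import dataclass

_OCTAL = re.compile(r"\\([0-7]{3})")  # mountinfo escapes spaces etc. as \040

def _unescape(field: str) -> str:
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)

@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    root: str
    mount_point: str
    options: list
    optional: dict  # propagation tags, e.g. {"master": "1"} or {"shared": "5"}
    fstype: str
    source: str

    @property
    def propagation(self) -> str:
        # shared: mounts flow both ways; slave (master:N): host mounts flow in,
        # mounts made here never flow out; private/unbindable: no propagation.
        if "shared" in self.optional:
            return "shared"
        if "master" in self.optional:
            return "slave"
        if "unbindable" in self.optional:
            return "unbindable"
        return "private"

def parse_mountinfo_line(line: str) -> MountEntry:
    # ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [TAG ...] - FSTYPE SOURCE SUPEROPTS
    fields = line.split()
    sep = fields.index("-")
    mount_id, parent_id, _dev, root, mount_point, opts = fields[:6]
    optional = dict(tag.partition(":")[::2] for tag in fields[6:sep])
    return MountEntry(int(mount_id), int(parent_id), _unescape(root),
                      _unescape(mount_point), opts.split(","), optional,
                      fields[sep + 1], _unescape(fields[sep + 2]))

# Sample input: three lines quoted from the --debug log in this issue (what the
# sandbox sees) plus one constructed line standing in for the host's root mount.
SANDBOX_LINES = [
    "365 330 254:0 /etc /etc ro,noatime master:1 - ext4 /dev/mapper/luks-8e0fbe0b-0903-4bbc-b74e-f8b331939efd rw",
    "369 367 7:1 / /var/lib/snapd/snap/core/11993 ro,nodev,relatime master:49 - squashfs /dev/loop1 ro",
    "544 362 0:57 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64",
]
HOST_ROOT_CONSTRUCTED = "25 1 254:0 / / rw,noatime shared:1 - ext4 /dev/mapper/root rw"

def report(lines):
    """Map mount point -> (propagation, would a mount made under it reach the host?)."""
    return {e.mount_point: (e.propagation, e.propagation == "shared")
            for e in map(parse_mountinfo_line, lines)}
```

To check a live sandbox, feed it the lines of /proc/<sandbox-pid>/mountinfo and compare with /proc/self/mountinfo from an unsandboxed shell.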