[GH-ISSUE #4937] Profile for signal-desktop fails! #2828

Closed
opened 2026-05-05 09:28:53 -06:00 by gitea-mirror · 10 comments

Originally created by @ghost on GitHub (Feb 13, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4937

Description

I tried to launch signal-desktop after running firecfg and the program fails to start.

Steps to Reproduce

  1. sudo pacman -S signal-desktop
  2. sudo firecfg
  3. signal-desktop

Expected behavior

Signal should start.

Actual behavior

[sapiens@fuckup ~]$ signal-desktop
Reading profile /etc/firejail/signal-desktop.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 37899, child pid 37902
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 38.85 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 158.67 ms
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Parent is shutting down, bye...

Behavior without a profile

LC_ALL=C firejail --noprofile /path/to/program

[user@computer ~]$ LC_ALL=C firejail --noprofile /bin/signal-desktop
Parent pid 44226, child pid 44227
Child process initialized in 15.86 ms
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Parent is shutting down, bye...

Calling signal by running /bin/signal-desktop causes Signal to launch as expected.

Environment

  • ArchLinux
  • 5.15.21-hardened
  • firejail version 0.9.68

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

[user@computer ~]$ LC_ALL=C firejail /bin/signal-desktop
Reading profile /etc/firejail/signal-desktop.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 46932, child pid 46935
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 41.64 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 156.23 ms
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Parent is shutting down, bye...

EDIT by @rusty-snake: fix markdown checklist; fix details tag

gitea-mirror closed this issue and added the notabug label (2026-05-05 09:28:53 -06:00).

@rusty-snake commented on GitHub (Feb 13, 2022):

Did you set force-nonewprivs yes in firejail.config?

@ghost commented on GitHub (Feb 13, 2022):

> Did you set force-nonewprivs yes in firejail.config?

Indeed I did. I followed the instructions to harden firejail. I suppose this is an issue. How should I handle the situation?

@rusty-snake commented on GitHub (Feb 13, 2022):

You can not set nnp and disable userns if you want to use chromium* programs.

Either set force-nonewprivs no or sysctl kernel.unprivileged_userns_clone=1 (IMHO the right thing).

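An added example, not from this thread or the firejail project, that makes the trade-off above concrete: Electron (Chromium) first tries to sandbox its renderers with an unprivileged user namespace and otherwise falls back to the setuid chrome-sandbox helper, which is exactly the pair of failures in the log ("setuid sandbox is not running as root", then "Failed to move to new namespace"). The script below parses a firejail.config for force-nonewprivs and reads the linux-hardened sysctl, then reports which sandbox path is left. It assumes the upstream firejail.config format ("key value" lines, # comments) and the /proc/sys/kernel/unprivileged_userns_clone knob; the file paths are parameters so the functions can be exercised on test files, and it only models the two knobs discussed here, not any nonewprivs a profile itself might set.

```shell
#!/bin/sh
# Added example (not from the thread or the firejail project): work out which
# Chromium/Electron sandbox path, if any, survives a given firejail.config and
# kernel setting. Assumes GNU/Linux userland; paths are parameters for testing.

# firejail_nnp_forced CONFIG -> 0 when "force-nonewprivs yes" is in effect.
# Uncommented "key value" lines only; the last matching line wins; default no.
firejail_nnp_forced() {
    val=$(sed -n 's/^[[:space:]]*force-nonewprivs[[:space:]][[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    [ "${val:-no}" = "yes" ]
}

# userns_clone_allowed [SYSCTL_FILE] -> 0 when unprivileged user namespaces
# are available. linux-hardened exposes the knob as a sysctl; mainline kernels
# have no such file and allow them unconditionally.
userns_clone_allowed() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    [ -e "$f" ] || return 0
    [ "$(cat "$f")" = "1" ]
}

# chromium_sandbox_verdict CONFIG [SYSCTL_FILE] -> prints one verdict line.
# Namespace sandbox first (what Chromium prefers), then the setuid helper,
# which needs a privilege-gaining execve and so dies under no_new_privs.
chromium_sandbox_verdict() {
    nnp=no; userns=no
    firejail_nnp_forced "$1" && nnp=yes
    userns_clone_allowed "$2" && userns=yes
    if [ "$userns" = yes ]; then
        echo "ok: namespace sandbox (unprivileged user namespaces)"
    elif [ "$nnp" = no ]; then
        echo "ok: setuid sandbox helper (chrome-sandbox can still become root)"
    else
        echo "broken: no_new_privs forced and unprivileged user namespaces disabled"
    fi
}

# Run against the live system when the real config is present.
if [ -r /etc/firejail/firejail.config ]; then
    chromium_sandbox_verdict /etc/firejail/firejail.config
fi
```

The "broken" verdict is the state reported in this issue; either of the two fixes named above flips it, because each one restores one of the two sandbox paths.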
@ghost commented on GitHub (Feb 13, 2022):

From what I read sysctl kernel.unprivileged_userns_clone=1 is a security risk, while force-nonewprivs no disables the general hardening for firejail. Can you tell me if there is a third option, that would be to set firecfg to exclude signal-desktop from profile generation or a setting I could put into the signal-desktop.local that disables restriction. I think under the circumstances I would exclude signal from being handled by firejail

@rusty-snake commented on GitHub (Feb 13, 2022):

> or a setting I could put into the signal-desktop.local that disables restriction.

The idea behind force-nonewprivs is that you can not undo it, otherwise it wouldn't be a hardening option.

> From what I read sysctl kernel.unprivileged_userns_clone=1 is a security risk

It's such a huge security risk that it is the default in mainline, Debian, Ubuntu, Mint, Fedora, ... kernels.

Did you know that firefox is a security risk?

> that would be to set firecfg to exclude signal-desktop from profile generation

Yes you can #2097, https://github.com/netblue30/firejail/issues/3665#issuecomment-707689049, #3016, ...

@ghost commented on GitHub (Feb 13, 2022):

Thank you for the links. I left the hardening in place.

I created a script to remove the links from applications I want to exclude.

#!/bin/bash
# Remove the firecfg symlinks for applications that should run unsandboxed.
apps=(signal-desktop)
for app in "${apps[@]}"; do
	rm -f "/usr/local/bin/$app"
done

Then I modified the pacman hook accordingly to run the script everytime it runs firecfg.

/etc/pacman.d/hooks/firejail.hook:
[Trigger]
Type = Path
Operation = Install
Operation = Upgrade
Operation = Remove
Target = usr/bin/*
Target = usr/local/bin/*
Target = usr/share/applications/*.desktop

[Action]
Description = Configure symlinks in /usr/local/bin based on firecfg.config...
When = PostTransaction
Depends = firejail
Exec = /bin/sh -c 'firecfg >/dev/null 2>&1 && /home/user/scripts/firejail-disable-helper.sh'
@rusty-snake commented on GitHub (Feb 13, 2022):

> Exec = /bin/sh -c 'firecfg >/dev/null 2>&1 && /home/user/scripts/firejail-disable-helper.sh'

All this issue is about a problem caused by multiple hardening options to mitigate potential user2root exploits (which aren't much of an issue for most desktop systems) that could be discovered in the future. And to fix it you automatically execute a user-writeable script as root? Think of your threat models.

@ghost commented on GitHub (Feb 13, 2022):

Thank you for your concern, but the script is not user writable.

-rwxr----- 1 root    root     91 Feb 13 11:47 firejail-disable-helper.sh

As long as some applications make problems with firejail, I will exclude them and let Apparmor handle them. It is a single application so far, so I think this is a good compromise.

@rusty-snake commented on GitHub (Feb 13, 2022):

Is /home/user/scripts owned by you and writeable?

rm -f ~/scripts/firejail-disable-helper.sh
echo -e '#!/bin/bash\nrm -rf /' > ~/scripts/firejail-disable-helper.sh
chmod +x ~/scripts/firejail-disable-helper.sh
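An added example, not from this thread or the firejail project, of the check that would have caught the problem just demonstrated: a root-owned 0750 file is no protection when the directory holding it belongs to the user, because the user can unlink the file and drop a replacement with the same name, which the pacman hook then runs as root. The function walks from the script up to a stop directory and rejects any component that is not owned by the trusted uid or is writable by group or others. It assumes GNU coreutils (stat -c, readlink -f); the trusted uid and stop directory are parameters (defaults 0 and /) so the check can be run on a throwaway tree.

```shell
#!/bin/sh
# Added example (not from the thread or the firejail project): verify that a
# script which root will execute cannot be swapped out by an unprivileged user.
# Assumes GNU coreutils (stat -c, readlink -f), i.e. a Linux system.

# root_exec_path_ok PATH [TRUSTED_UID] [STOP_DIR]
#   PATH         script or binary that will run with root privileges
#   TRUSTED_UID  uid every component must be owned by (default 0 = root)
#   STOP_DIR     highest directory to check (default /); parameterised so the
#                check can be exercised on a test tree instead of the real fs
# Returns 0 when PATH and every directory above it up to STOP_DIR are owned by
# TRUSTED_UID and not writable by group or others; 1 otherwise, reason on stderr.
root_exec_path_ok() {
    p=$(readlink -f "$1") || return 1
    trusted=${2:-0}
    stop=$(readlink -f "${3:-/}") || return 1
    while :; do
        out=$(stat -c '%u %a' "$p") || return 1
        set -- $out
        uid=$1 mode=$2
        if [ "$uid" != "$trusted" ]; then
            echo "untrusted owner uid $uid: $p" >&2
            return 1
        fi
        # The last two octal digits are the group and other permission bits;
        # 2, 3, 6 and 7 all carry the write bit.
        case "$mode" in
            *[2367]?|*[2367])
                echo "writable by group or others (mode $mode): $p" >&2
                return 1 ;;
        esac
        [ "$p" = "$stop" ] || [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return 0
}

# Usage on a live system, before wiring a helper into a pacman hook:
#   root_exec_path_ok /root/scripts/firejail-disable-helper.sh || echo "refuse"
```

Walking every ancestor matters: /home/user/scripts fails on the owner test even when the script itself is root:root 0750, and a 1777 directory such as /tmp anywhere in the chain fails on the mode test, which is why /root/scripts is the safer home for the helper.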
@ghost commented on GitHub (Feb 13, 2022):

Oh, I actually did not know that this works. Thanks for explaining. I moved the script to /root/scripts for now. I still think only excluding the few applications that make problems is the best way to go.

Reference: github-starred/firejail#2828