[GH-ISSUE #5089] dnsmasq: libvirtd cannot start bridge network: PATH environment variable not set #2875

Closed
opened 2026-05-05 09:32:08 -06:00 by gitea-mirror · 4 comments

Originally created by @itoffshore on GitHub (Apr 3, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5089

Description

The default libvirt bridge network fails to start with:

virsh # net-start default
error: Failed to start network default
error: internal error: Child process (VIR_BRIDGE_NAME=virbr0 /usr/local/bin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/lib/libvirt/libvirt_leaseshelper) unexpected exit status 1: Error: PATH environment variable not set

Steps to Reproduce

virsh # net-start default

  1. Run in bash LC_ALL=C firejail PROGRAM
[root]$ LC_ALL=C firejail /usr/bin/dnsmasq

dnsmasq: failed to open pidfile /var/run/dnsmasq.pid: Permission denied

Expected behavior

libvirtd.service starts successfully

Actual behavior

libvirtd.service fails to start

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

Parent pid 12239, child pid 12240
The new log directory is /proc/12240/root/var/log
Child process initialized in 18.62 ms

Additional context

This problem appeared recently with libvirt 1.8.1 / 1.8.2 (it did not exist in 1.8.0).

Owner of the pid now:

[stuart@endeavour ~]$ ll /var/run/dnsmasq.pid 
-rw-r--r-- 1 nobody nobody 2 Apr  3 21:22 /var/run/dnsmasq.pid

Environment

  • Arch Linux
  • Firejail version (firejail --version).
firejail version 0.9.68

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

[root]$ LC_ALL=C firejail /usr/bin/dnsmasq

dnsmasq: failed to open pidfile /var/run/dnsmasq.pid: Permission denied

Output of LC_ALL=C firejail --debug /path/to/program

[root]# LC_ALL=C firejail --debug /usr/bin/dnsmasq
Autoselecting /bin/bash as shell
Building quoted command line: '/usr/bin/dnsmasq' 
Command name #dnsmasq#
Found dnsmasq.profile profile in /etc/firejail directory
Reading profile /etc/firejail/dnsmasq.profile
Found globals.local profile in /etc/firejail directory
Reading profile /etc/firejail/globals.local
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-interpreters.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-interpreters.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found disable-xdg.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-xdg.inc
[profile] combined protocol list: "unix,inet,inet6,netlink"
DISPLAY is not set
Enabling IPC namespace
Using the local network stack
Parent pid 12753, child pid 12754
The new log directory is /proc/12754/root/var/log
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 2, uid 0, gid 0, force_nogroups 1
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
8007 7912 0:25 /@/etc /etc ro,noatime master:1 - btrfs /dev/mapper/luks-b5c8aa83-2e49-42ed-8807-893adcfdafb3 rw,compress=zstd:3,ssd,space_cache,autodefrag,subvolid=256,subvol=/@
mountid=8007 fsname=/@/etc dir=/etc fstype=btrfs
Mounting read-only /var
8033 8008 0:277 / /var/lib/lxd/devlxd rw,relatime master:641 - tmpfs tmpfs rw,size=100k,mode=755,inode64
mountid=8033 fsname=/ dir=/var/lib/lxd/devlxd fstype=tmpfs
Mounting read-only /var/tmp
8034 8012 0:97 /@var-tmp /var/tmp ro,nosuid,nodev,noexec,noatime master:94 - btrfs /dev/mapper/cryptvar rw,compress=zstd:3,space_cache,autodefrag,subvolid=315,subvol=/@var-tmp
mountid=8034 fsname=/@var-tmp dir=/var/tmp fstype=btrfs
Mounting read-only /var/build
8037 8035 253:2 / /var/build/sources rw,nosuid,nodev,noexec,noatime master:109 - ext4 /dev/zram2 rw,discard
mountid=8037 fsname=/ dir=/var/build/sources fstype=ext4
Mounting read-only /var/build/makepkg
8038 8036 253:1 / /var/build/makepkg ro,nosuid,nodev,noatime master:106 - ext4 /dev/zram1 rw,discard
mountid=8038 fsname=/ dir=/var/build/makepkg fstype=ext4
Mounting read-only /var/build/sources
8039 8037 253:2 / /var/build/sources ro,nosuid,nodev,noexec,noatime master:109 - ext4 /dev/zram2 rw,discard
mountid=8039 fsname=/ dir=/var/build/sources fstype=ext4
Mounting read-only /var/cache/pacman/pkg
8040 8016 0:97 /@var-cache-pacman-pkg /var/cache/pacman/pkg ro,nosuid,nodev,noexec,noatime master:103 - btrfs /dev/mapper/cryptvar rw,compress=zstd:3,space_cache,autodefrag,subvolid=296,subvol=/@var-cache-pacman-pkg
mountid=8040 fsname=/@var-cache-pacman-pkg dir=/var/cache/pacman/pkg fstype=btrfs
Mounting read-only /var/log
8041 8017 0:97 /@var-log /var/log ro,nosuid,nodev,noexec,noatime master:112 - btrfs /dev/mapper/cryptvar rw,compress=zstd:3,space_cache,autodefrag,subvolid=297,subvol=/@var-log
mountid=8041 fsname=/@var-log dir=/var/log fstype=btrfs
Mounting read-only /var/lib/lxcfs
8042 8031 0:275 / /var/lib/lxcfs ro,nosuid,nodev,relatime master:568 - fuse.lxcfs lxcfs rw,user_id=0,group_id=0,allow_other
mountid=8042 fsname=/ dir=/var/lib/lxcfs fstype=fuse.lxcfs
Mounting read-only /var/lib/lxd/shmounts
8043 8032 0:276 / /var/lib/lxd/shmounts ro,relatime master:630 - tmpfs tmpfs rw,size=100k,mode=711,inode64
mountid=8043 fsname=/ dir=/var/lib/lxd/shmounts fstype=tmpfs
Mounting read-only /var/lib/lxd/devlxd
8044 8033 0:277 / /var/lib/lxd/devlxd ro,relatime master:641 - tmpfs tmpfs rw,size=100k,mode=755,inode64
mountid=8044 fsname=/ dir=/var/lib/lxd/devlxd fstype=tmpfs
Mounting read-only /usr
8045 7912 0:25 /@/usr /usr ro,noatime master:1 - btrfs /dev/mapper/luks-b5c8aa83-2e49-42ed-8807-893adcfdafb3 rw,compress=zstd:3,ssd,space_cache,autodefrag,subvolid=256,subvol=/@
mountid=8045 fsname=/@/usr dir=/usr fstype=btrfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Drop privileges: pid 3, uid 0, gid 0, force_nogroups 0
No supplementary groups
Mounting a new /root directory
Mounting a new /home directory
Drop privileges: pid 4, uid 0, gid 0, force_nogroups 0
No supplementary groups
Drop privileges: pid 5, uid 0, gid 0, force_nogroups 0
No supplementary groups
Mounting tmpfs on /dev
Process /dev/shm directory
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /tmp/.X11-unix
Disable /etc/xdg/autostart
Mounting read-only /root/.Xauthority
8074 8051 0:284 /.Xauthority /root/.Xauthority ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=700,inode64
mountid=8074 fsname=/.Xauthority dir=/root/.Xauthority fstype=tmpfs
Disable /usr/bin/systemctl
Disable /usr/bin/systemd-run
Disable /etc/systemd/network
Disable /etc/systemd/system
Disable /var/lib/systemd
Disable /var/cache/libvirt
Disable /var/lib/libvirt
Disable /var/log/libvirt
Disable /var/cache/pacman
Disable /var/lib/dkms
Disable /var/lib/pacman
Disable /var/lib/upower
Disable /var/spool/mail (requested /var/mail)
Disable /var/opt
Disable /run/screens (requested /var/run/screens)
Disable /var/spool/anacron
Disable /var/spool/cron
Disable /var/spool/mail
Disable /etc/anacrontab
Disable /etc/apparmor.d
Disable /etc/apparmor
Disable /etc/cron.d
Disable /etc/cron.daily
Disable /etc/cron.hourly
Disable /etc/cron.monthly
Disable /etc/cron.weekly
Disable /etc/cron.allow
Disable /etc/cron.deny
Disable /etc/default
Disable /etc/dkms
Disable /etc/grub.d
Disable /etc/kernel
Disable /etc/logrotate.d
Disable /etc/logrotate.conf
Disable /etc/modules-load.d
Disable /etc/profile.d
Disable /etc/rc.local
Mounting read-only /root/.bashrc
8112 8051 0:284 /.bashrc /root/.bashrc ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=700,inode64
mountid=8112 fsname=/.bashrc dir=/root/.bashrc fstype=tmpfs
Disable /tmp/ssh-XXXXXXhWNvJr
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Not blacklist /sbin
Disable /usr/local/sbin
Not blacklist /usr/sbin
Disable /usr/bin/chage
Disable /usr/bin/chfn
Disable /usr/bin/chsh
Disable /usr/bin/crontab
Disable /usr/bin/expiry
Disable /usr/bin/fusermount
Disable /usr/bin/gpasswd
Disable /usr/bin/ksu
Disable /usr/bin/mount
Disable /usr/bin/netcat (requested /usr/bin/nc)
Disable /usr/bin/ncat
Disable /usr/bin/nmap
Disable /usr/bin/newgidmap
Disable /usr/bin/newgrp
Disable /usr/bin/newuidmap
Disable /usr/bin/ntfs-3g
Disable /usr/bin/pkexec
Disable /usr/bin/sg
Disable /usr/bin/su
Disable /usr/bin/sudo
Disable /usr/bin/tcpdump
Disable /usr/bin/umount
Disable /usr/bin/unix_chkpwd
Disable /usr/bin/xinput
Disable /usr/lib/ssh
Disable /usr/bin/passwd
Disable /usr/lib/dbus-1.0/dbus-daemon-launch-helper
Disable /usr/lib/chromium/chrome-sandbox
Disable /usr/bin/hostname
Disable /usr/bin/netstat
Disable /usr/bin/nm-online
Disable /usr/bin/nmcli
Disable /usr/bin/nmtui
Disable /usr/bin/nmtui (requested /usr/bin/nmtui-connect)
Disable /usr/bin/nmtui (requested /usr/bin/nmtui-edit)
Disable /usr/bin/nmtui (requested /usr/bin/nmtui-hostname)
Disable /usr/bin/networkctl
Disable /usr/bin/ss
Disable /usr/bin/traceroute
Disable /usr/bin/xfce4-terminal
Disable /.snapshots
Disable /usr/bin/bwrap
Disable /var/lib/flatpak/repo
Disable /var/lib/flatpak/.changed
Disable /var/lib/flatpak/runtime
Disable /var/lib/flatpak/app
Not blacklist /var/lib/flatpak/exports
Disable /var/lib/flatpak/.removed
Disable /proc/config.gz
Disable /usr/bin/dig
Disable /usr/bin/dnssec-cds
Disable /usr/bin/dnssec-dsfromkey
Disable /usr/bin/dnssec-importkey
Disable /usr/bin/dnssec-keyfromlabel
Disable /usr/bin/dnssec-keygen
Disable /usr/bin/dnssec-revoke
Disable /usr/bin/dnssec-settime
Disable /usr/bin/dnssec-signzone
Disable /usr/bin/dnssec-verify
Disable /usr/bin/drill
Disable /usr/bin/host
Disable /usr/bin/ldns-chaos
Disable /usr/bin/ldns-compare-zones
Disable /usr/bin/ldns-config
Disable /usr/bin/ldns-dane
Disable /usr/bin/ldns-dpa
Disable /usr/bin/ldns-gen-zone
Disable /usr/bin/ldns-key2ds
Disable /usr/bin/ldns-keyfetcher
Disable /usr/bin/ldns-keygen
Disable /usr/bin/ldns-mx
Disable /usr/bin/ldns-notify
Disable /usr/bin/ldns-nsec3-hash
Disable /usr/bin/ldns-read-zone
Disable /usr/bin/ldns-resolver
Disable /usr/bin/ldns-revoke
Disable /usr/bin/ldns-rrsig
Disable /usr/bin/ldns-signzone
Disable /usr/bin/ldns-test-edns
Disable /usr/bin/ldns-testns
Disable /usr/bin/ldns-update
Disable /usr/bin/ldns-verify-zone
Disable /usr/bin/ldns-version
Disable /usr/bin/ldns-walk
Disable /usr/bin/ldns-zcat
Disable /usr/bin/ldns-zsplit
Disable /usr/bin/ldnsd
Disable /usr/bin/nslookup
Disable /usr/bin/resolvectl
Disable /usr/bin/unbound-host
Disable /usr/bin/ftp
Disable /usr/bin/ssh
Disable /usr/bin/telnet
Disable /usr/bin/as
Disable /usr/bin/gcc (requested /usr/bin/cc)
Disable /usr/bin/c++filt
Disable /usr/bin/c++
Disable /usr/bin/c89
Disable /usr/bin/c99
Disable /usr/bin/cpp
Disable /usr/bin/g++
Disable /usr/bin/gcc
Disable /usr/bin/gcc-ar
Disable /usr/bin/gcc-nm
Disable /usr/bin/gcc-ranlib
Disable /usr/bin/ld
Disable /usr/bin/x86_64-pc-linux-gnu-gcc
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-11.2.0
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ar
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-nm
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ranlib
Disable /usr/bin/x86_64-pc-linux-gnu-g++
Disable /usr/bin/x86_64-pc-linux-gnu-gcc
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-11.2.0
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ar
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-nm
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ranlib
Disable /usr/bin/x86_64-pc-linux-gnu-g++
Disable /usr/lib/go/bin/go (requested /usr/bin/go)
Disable /usr/lib/go/bin/gofmt (requested /usr/bin/gofmt)
Disable /usr/lib/jvm/java-17-openjdk/bin/java (requested /usr/bin/java)
Disable /usr/lib/jvm/java-17-openjdk/bin/java (requested /usr/lib/jvm/default/bin/java)
Disable /usr/lib/jvm/java-17-openjdk/bin/javac (requested /usr/bin/javac)
Disable /usr/lib/jvm/java-17-openjdk/bin/javac (requested /usr/lib/jvm/default/bin/javac)
Disable /usr/share/java
Disable /usr/bin/openssl
Disable /usr/bin/openssl-1.0
Disable /usr/lib/valgrind
Disable /usr/src
Disable /usr/local/src
Disable /usr/include
Disable /usr/local/include
Disable /usr/bin/lua5.3
Disable /usr/bin/luac5.3
Disable /usr/bin/lua5.1
Disable /usr/bin/luac5.1
Disable /usr/bin/lua5.2
Disable /usr/bin/luac5.2
Disable /usr/bin/lua
Disable /usr/bin/lua (requested /usr/bin/lua5.4)
Disable /usr/bin/luac
Disable /usr/bin/luac (requested /usr/bin/luac5.4)
Disable /usr/bin/luajit-2.1.0-beta3 (requested /usr/bin/luajit)
Disable /usr/bin/luajit-2.1.0-beta3
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib/liblua.so.5.3)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib/liblua.so.5.3.6)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib/liblua5.3.so)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib/liblua5.3.so.5.3)
Disable /usr/lib/liblua5.3.so.5.3.6
Disable /usr/lib/liblua5.1.so.5.1.5 (requested /usr/lib/liblua.so.5.1)
Disable /usr/lib/liblua5.1.so.5.1.5 (requested /usr/lib/liblua.so.5.1.5)
Disable /usr/lib/liblua5.1.so.5.1.5 (requested /usr/lib/liblua5.1.so)
Disable /usr/lib/liblua5.1.so.5.1.5 (requested /usr/lib/liblua5.1.so.5.1)
Disable /usr/lib/liblua5.1.so.5.1.5
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib/liblua.so.5.2)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib/liblua.so.5.2.4)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib/liblua5.2.so)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib/liblua5.2.so.5.2)
Disable /usr/lib/liblua5.2.so.5.2.4
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib/liblua.so)
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib/liblua.so.5.4)
Disable /usr/lib/liblua.so.5.4.4
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib/liblua5.4.so)
Disable /usr/lib/libluajit-5.1.so.2.1.0 (requested /usr/lib/libluajit-5.1.so)
Disable /usr/lib/libluajit-5.1.so.2.1.0 (requested /usr/lib/libluajit-5.1.so.2)
Disable /usr/lib/libluajit-5.1.so.2.1.0
Disable /usr/lib/lua
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib64/liblua.so.5.3)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib64/liblua.so.5.3.6)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib64/liblua5.3.so)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib64/liblua5.3.so.5.3)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib64/liblua5.3.so.5.3.6)
Disable /usr/lib/liblua5.1.so.5.1.5 (requested /usr/lib64/liblua.so.5.1)
Disable /usr/lib/liblua5.1.so.5.1.5 (requested /usr/lib64/liblua.so.5.1.5)
Disable /usr/lib/liblua5.1.so.5.1.5 (requested /usr/lib64/liblua5.1.so)
Disable /usr/lib/liblua5.1.so.5.1.5 (requested /usr/lib64/liblua5.1.so.5.1)
Disable /usr/lib/liblua5.1.so.5.1.5 (requested /usr/lib64/liblua5.1.so.5.1.5)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib64/liblua.so.5.2)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib64/liblua.so.5.2.4)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib64/liblua5.2.so)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib64/liblua5.2.so.5.2)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib64/liblua5.2.so.5.2.4)
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib64/liblua.so)
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib64/liblua.so.5.4)
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib64/liblua.so.5.4.4)
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib64/liblua5.4.so)
Disable /usr/lib/libluajit-5.1.so.2.1.0 (requested /usr/lib64/libluajit-5.1.so)
Disable /usr/lib/libluajit-5.1.so.2.1.0 (requested /usr/lib64/libluajit-5.1.so.2)
Disable /usr/lib/libluajit-5.1.so.2.1.0 (requested /usr/lib64/libluajit-5.1.so.2.1.0)
Disable /usr/lib/lua (requested /usr/lib64/lua)
Disable /usr/share/lua
Disable /usr/share/luajit-2.1.0-beta3
Disable /usr/lib/libmozjs-78.so
Disable /usr/lib/libmozjs-78.so (requested /usr/lib64/libmozjs-78.so)
Disable /usr/bin/node
Disable /usr/bin/core_perl
Disable /usr/bin/perl
Disable /usr/bin/site_perl
Disable /usr/bin/vendor_perl
Disable /usr/lib/perl5
Disable /usr/lib/perl5 (requested /usr/lib64/perl5)
Disable /usr/share/perl5
Disable /usr/lib/ruby
Disable /usr/lib/ruby (requested /usr/lib64/ruby)
Disable /usr/bin/python2.7 (requested /usr/bin/python2)
Disable /usr/bin/python2.7-config (requested /usr/bin/python2-config)
Disable /usr/bin/python2.7
Disable /usr/bin/python2.7-config
Disable /usr/lib/python2.7
Disable /usr/bin/python3.10 (requested /usr/bin/python3)
Disable /usr/bin/python3.10-config (requested /usr/bin/python3-config)
Disable /usr/bin/python3.10
Disable /usr/bin/python3.10-config
Disable /usr/lib/python3.10
Disable /usr/lib/python3.10 (requested /usr/lib64/python3.10)
Disable /sys/fs
Disable /sys/module
Disable /mnt
Disable /media
Disable /run/mount
Disable /run/media
disable pulseaudio
disable pipewire
rebuilding /etc directory
Creating empty /run/firejail/mnt/dns-etc/NetworkManager directory
Creating empty /run/firejail/mnt/dns-etc/UPower directory
Creating empty /run/firejail/mnt/dns-etc/X11 directory
Creating empty /run/firejail/mnt/dns-etc/alsa directory
Creating empty /run/firejail/mnt/dns-etc/audit directory
Creating empty /run/firejail/mnt/dns-etc/avahi directory
Creating empty /run/firejail/mnt/dns-etc/binfmt.d directory
Creating empty /run/firejail/mnt/dns-etc/bluetooth directory
Creating empty /run/firejail/mnt/dns-etc/ca-certificates directory
Creating empty /run/firejail/mnt/dns-etc/cifs-utils directory
Creating empty /run/firejail/mnt/dns-etc/conf.d directory
Creating empty /run/firejail/mnt/dns-etc/dconf directory
Creating empty /run/firejail/mnt/dns-etc/depmod.d directory
Creating empty /run/firejail/mnt/dns-etc/exports.d directory
Creating empty /run/firejail/mnt/dns-etc/fonts directory
Creating empty /run/firejail/mnt/dns-etc/gss directory
Creating empty /run/firejail/mnt/dns-etc/gssproxy directory
Creating empty /run/firejail/mnt/dns-etc/gtk-2.0 directory
Creating empty /run/firejail/mnt/dns-etc/gtk-3.0 directory
Creating empty /run/firejail/mnt/dns-etc/ifplugd directory
Creating empty /run/firejail/mnt/dns-etc/iproute2 directory
Creating empty /run/firejail/mnt/dns-etc/keyutils directory
Creating empty /run/firejail/mnt/dns-etc/ld.so.conf.d directory
Creating empty /run/firejail/mnt/dns-etc/libblockdev directory
Creating empty /run/firejail/mnt/dns-etc/libnl directory
Creating empty /run/firejail/mnt/dns-etc/lightdm directory
Creating empty /run/firejail/mnt/dns-etc/lvm directory
Creating empty /run/firejail/mnt/dns-etc/mkinitcpio.d directory
Creating empty /run/firejail/mnt/dns-etc/modprobe.d directory
Creating empty /run/firejail/mnt/dns-etc/nbd-server directory
Creating empty /run/firejail/mnt/dns-etc/ndctl directory
Creating empty /run/firejail/mnt/dns-etc/netctl directory
Creating empty /run/firejail/mnt/dns-etc/nginx directory
Creating empty /run/firejail/mnt/dns-etc/nvme directory
Creating empty /run/firejail/mnt/dns-etc/openldap directory
Creating empty /run/firejail/mnt/dns-etc/openvpn directory
Creating empty /run/firejail/mnt/dns-etc/pacman.d directory
Creating empty /run/firejail/mnt/dns-etc/pam.d directory
Creating empty /run/firejail/mnt/dns-etc/pipewire directory
Creating empty /run/firejail/mnt/dns-etc/pkcs11 directory
Creating empty /run/firejail/mnt/dns-etc/polkit-1 directory
Creating empty /run/firejail/mnt/dns-etc/ppp directory
Creating empty /run/firejail/mnt/dns-etc/pulse directory
Creating empty /run/firejail/mnt/dns-etc/rc_keymaps directory
Creating empty /run/firejail/mnt/dns-etc/rdnssd directory
Creating empty /run/firejail/mnt/dns-etc/refind.d directory
Creating empty /run/firejail/mnt/dns-etc/request-key.d directory
Creating empty /run/firejail/mnt/dns-etc/security directory
Creating empty /run/firejail/mnt/dns-etc/sensors.d directory
Creating empty /run/firejail/mnt/dns-etc/skel directory
Creating empty /run/firejail/mnt/dns-etc/ssl directory
Creating empty /run/firejail/mnt/dns-etc/sudoers.d directory
Creating empty /run/firejail/mnt/dns-etc/sysctl.d directory
Creating empty /run/firejail/mnt/dns-etc/systemd directory
Creating empty /run/firejail/mnt/dns-etc/tlp.d directory
Creating empty /run/firejail/mnt/dns-etc/tmpfiles.d directory
Creating empty /run/firejail/mnt/dns-etc/udev directory
Creating empty /run/firejail/mnt/dns-etc/udisks2 directory
Creating empty /run/firejail/mnt/dns-etc/usb_modeswitch.d directory
Creating empty /run/firejail/mnt/dns-etc/vpnc directory
Creating empty /run/firejail/mnt/dns-etc/wpa_supplicant directory
Creating empty /run/firejail/mnt/dns-etc/xdg directory
Creating empty /run/firejail/mnt/dns-etc/xinetd.d directory
Creating empty /run/firejail/mnt/dns-etc/xl2tpd directory
Creating empty /run/firejail/mnt/dns-etc/.pwd.lock file
Creating empty /run/firejail/mnt/dns-etc/crypttab file
Creating empty /run/firejail/mnt/dns-etc/environment file
Creating empty /run/firejail/mnt/dns-etc/fstab file
Creating empty /run/firejail/mnt/dns-etc/hostname file
Creating empty /run/firejail/mnt/dns-etc/hosts file
Creating empty /run/firejail/mnt/dns-etc/locale.conf file
Creating empty /run/firejail/mnt/dns-etc/locale.gen file
Creating empty /run/firejail/mnt/dns-etc/nilfs_cleanerd.conf file
Creating empty /run/firejail/mnt/dns-etc/ntp.conf file
Creating empty /run/firejail/mnt/dns-etc/openswap.conf file
Creating empty /run/firejail/mnt/dns-etc/pacman.conf file
Creating empty /run/firejail/mnt/dns-etc/request-key.conf file
Creating empty /run/firejail/mnt/dns-etc/shells file
Creating empty /run/firejail/mnt/dns-etc/slsh.rc file
Creating empty /run/firejail/mnt/dns-etc/smartd.conf file
Creating empty /run/firejail/mnt/dns-etc/trusted-key.key file
Creating empty /run/firejail/mnt/dns-etc/machine-id file
Creating empty /run/firejail/mnt/dns-etc/timezone file
Creating empty /run/firejail/mnt/dns-etc/vconsole.conf file
Creating empty /run/firejail/mnt/dns-etc/adjtime file
Creating empty /run/firejail/mnt/dns-etc/iwd directory
Creating empty /run/firejail/mnt/dns-etc/ts.conf file
Creating empty /run/firejail/mnt/dns-etc/zfs directory
Creating empty /run/firejail/mnt/dns-etc/healthd.conf file
Creating empty /run/firejail/mnt/dns-etc/sensors3.conf file
Creating empty /run/firejail/mnt/dns-etc/libinput directory
Creating empty /run/firejail/mnt/dns-etc/initcpio directory
Creating empty /run/firejail/mnt/dns-etc/openmpi directory
Creating empty /run/firejail/mnt/dns-etc/ImageMagick-7 directory
Creating empty /run/firejail/mnt/dns-etc/spacefm directory
Creating empty /run/firejail/mnt/dns-etc/libpaper.d directory
Creating empty /run/firejail/mnt/dns-etc/papersize file
Creating empty /run/firejail/mnt/dns-etc/gimp directory
Creating empty /run/firejail/mnt/dns-etc/dbus-1 directory
Creating empty /run/firejail/mnt/dns-etc/zstore directory
Creating empty /run/firejail/mnt/dns-etc/tor directory
Creating empty /run/firejail/mnt/dns-etc/libreoffice directory
Creating empty /run/firejail/mnt/dns-etc/firejail directory
Creating empty /run/firejail/mnt/dns-etc/ld.so.preload file
Creating empty /run/firejail/mnt/dns-etc/libvirt directory
Creating empty /run/firejail/mnt/dns-etc/sasl2 directory
Creating empty /run/firejail/mnt/dns-etc/brlapi.key file
Creating empty /run/firejail/mnt/dns-etc/vde directory
Creating empty /run/firejail/mnt/dns-etc/vde2 directory
Creating empty /run/firejail/mnt/dns-etc/zrepl directory
Creating empty /run/firejail/mnt/dns-etc/ufw directory
Creating empty /run/firejail/mnt/dns-etc/gufw directory
Creating empty /run/firejail/mnt/dns-etc/lxc directory
Creating empty /run/firejail/mnt/dns-etc/subgid file
Creating empty /run/firejail/mnt/dns-etc/subuid file
Creating empty /run/firejail/mnt/dns-etc/linkding directory
Creating empty /run/firejail/mnt/dns-etc/pinentry directory
Creating empty /run/firejail/mnt/dns-etc/java-openjdk directory
Creating empty /run/firejail/mnt/dns-etc/apcupsd directory
Creating empty /run/firejail/mnt/dns-etc/opensnitchd directory
Creating empty /run/firejail/mnt/dns-etc/updatedb.conf file
Creating empty /run/firejail/mnt/dns-etc/uniconf.conf file
Creating empty /run/firejail/mnt/dns-etc/ansible directory
Creating empty /run/firejail/mnt/dns-etc/mailcap file
Creating empty /run/firejail/mnt/dns-etc/mime.types file
Creating empty /run/firejail/mnt/dns-etc/bindresvport.blacklist file
Creating empty /run/firejail/mnt/dns-etc/netconfig file
Creating empty /run/firejail/mnt/dns-etc/profile file
Creating empty /run/firejail/mnt/dns-etc/nfs.conf file
Creating empty /run/firejail/mnt/dns-etc/opt directory
Creating empty /run/firejail/mnt/dns-etc/brave directory
Creating empty /run/firejail/mnt/dns-etc/ctdb directory
Creating empty /run/firejail/mnt/dns-etc/samba directory
Creating empty /run/firejail/mnt/dns-etc/passwd.OLD file
Creating empty /run/firejail/mnt/dns-etc/udevil directory
Creating empty /run/firejail/mnt/dns-etc/jack directory
Creating empty /run/firejail/mnt/dns-etc/rsyncd.conf file
Creating empty /run/firejail/mnt/dns-etc/xml directory
Creating empty /run/firejail/mnt/dns-etc/geoclue directory
Creating empty /run/firejail/mnt/dns-etc/atmsigd.conf file
Creating empty /run/firejail/mnt/dns-etc/hosts.atm file
Creating empty /run/firejail/mnt/dns-etc/mkinitcpio.conf.old file
Creating empty /run/firejail/mnt/dns-etc/mkinitcpio.conf file
Creating empty /run/firejail/mnt/dns-etc/unbound directory
Creating empty /run/firejail/mnt/dns-etc/makepkg.conf.old file
Creating empty /run/firejail/mnt/dns-etc/makepkg.conf file
Creating empty /run/firejail/mnt/dns-etc/fuse.conf file
Creating empty /run/firejail/mnt/dns-etc/snapper directory
Creating empty /run/firejail/mnt/dns-etc/dnsmasq.conf file
Creating empty /run/firejail/mnt/dns-etc/mbuffer.rc file
Creating empty /run/firejail/mnt/dns-etc/nanorc file
Creating empty /run/firejail/mnt/dns-etc/rc_maps.cfg file
Creating empty /run/firejail/mnt/dns-etc/krb5.conf file
Creating empty /run/firejail/mnt/dns-etc/snap-pac.ini file
Creating empty /run/firejail/mnt/dns-etc/arch-release file
Creating empty /run/firejail/mnt/dns-etc/host.conf file
Creating empty /run/firejail/mnt/dns-etc/ld.so.conf file
Creating empty /run/firejail/mnt/dns-etc/nsswitch.conf file
Creating empty /run/firejail/mnt/dns-etc/securetty file
Creating empty /run/firejail/mnt/dns-etc/daxctl.conf.d directory
Creating empty /run/firejail/mnt/dns-etc/ndctl.conf.d directory
Creating empty /run/firejail/mnt/dns-etc/cni directory
Creating empty /run/firejail/mnt/dns-etc/containers directory
Creating empty /run/firejail/mnt/dns-etc/mail.rc file
Creating empty /run/firejail/mnt/dns-etc/pcurses.conf file
Creating empty /run/firejail/mnt/dns-etc/reflector-simple-tool.conf file
Creating empty /run/firejail/mnt/dns-etc/reflector-simple.conf file
Creating empty /run/firejail/mnt/dns-etc/eos-rankmirrors.conf file
Creating empty /run/firejail/mnt/dns-etc/bash.bash_logout file
Creating empty /run/firejail/mnt/dns-etc/bash.bashrc file
Creating empty /run/firejail/mnt/dns-etc/idmapd.conf file
Creating empty /run/firejail/mnt/dns-etc/exports file
Creating empty /run/firejail/mnt/dns-etc/nfs.conf.pacnew file
Creating empty /run/firejail/mnt/dns-etc/nfsmount.conf file
Creating empty /run/firejail/mnt/dns-etc/issue file
Creating empty /run/firejail/mnt/dns-etc/xattr.conf file
Creating empty /run/firejail/mnt/dns-etc/inputrc file
Creating empty /run/firejail/mnt/dns-etc/libaudit.conf file
Creating empty /run/firejail/mnt/dns-etc/login.defs file
Creating empty /run/firejail/mnt/dns-etc/screenrc file
Creating empty /run/firejail/mnt/dns-etc/brltty.conf file
Creating empty /run/firejail/mnt/dns-etc/rarfiles.lst file
Creating empty /run/firejail/mnt/dns-etc/protocols file
Creating empty /run/firejail/mnt/dns-etc/services file
Creating empty /run/firejail/mnt/dns-etc/e2scrub.conf file
Creating empty /run/firejail/mnt/dns-etc/mke2fs.conf file
Creating empty /run/firejail/mnt/dns-etc/tpm2-tss directory
Creating empty /run/firejail/mnt/dns-etc/nanorc.pacnew file
Creating empty /run/firejail/mnt/dns-etc/whois.conf file
Creating empty /run/firejail/mnt/dns-etc/lsb-release file
Creating empty /run/firejail/mnt/dns-etc/passwd file
Creating empty /run/firejail/mnt/dns-etc/makepkg.conf.pacnew file
Creating empty /run/firejail/mnt/dns-etc/pacman.conf.pacnew file
Creating empty /run/firejail/mnt/dns-etc/libva.conf file
Creating empty /run/firejail/mnt/dns-etc/mtools.conf file
Creating empty /run/firejail/mnt/dns-etc/sudo.conf file
Creating empty /run/firejail/mnt/dns-etc/sudo_logsrvd.conf file
Creating empty /run/firejail/mnt/dns-etc/sudoers.pacnew file
Creating empty /run/firejail/mnt/dns-etc/tlp.conf file
Creating empty /run/firejail/mnt/dns-etc/usb_modeswitch.conf file
Creating empty /run/firejail/mnt/dns-etc/usb_modeswitch.setup file
Creating empty /run/firejail/mnt/dns-etc/vdpau_wrapper.cfg file
Creating empty /run/firejail/mnt/dns-etc/bind.keys file
Creating empty /run/firejail/mnt/dns-etc/named.conf file
Creating empty /run/firejail/mnt/dns-etc/arptables.conf file
Creating empty /run/firejail/mnt/dns-etc/ebtables.conf file
Creating empty /run/firejail/mnt/dns-etc/ethertypes file
Creating empty /run/firejail/mnt/dns-etc/iptables directory
Creating empty /run/firejail/mnt/dns-etc/man_db.conf file
Creating empty /run/firejail/mnt/dns-etc/gai.conf file
Creating empty /run/firejail/mnt/dns-etc/locale.gen.pacnew file
Creating empty /run/firejail/mnt/dns-etc/nscd.conf file
Creating empty /run/firejail/mnt/dns-etc/rpc file
Creating empty /run/firejail/mnt/dns-etc/eos-script-lib-yad.conf file
Creating empty /run/firejail/mnt/dns-etc/eos-sendlog.conf file
Creating empty /run/firejail/mnt/dns-etc/wgetrc file
Creating empty /run/firejail/mnt/dns-etc/sudoers file
Creating empty /run/firejail/mnt/dns-etc/nftables.conf file
Creating empty /run/firejail/mnt/dns-etc/cpufreq-bench.conf file
Creating empty /run/firejail/mnt/dns-etc/eos-rankmirrors.conf.pacnew file
Creating empty /run/firejail/mnt/dns-etc/eos-update-notifier.conf file
Creating empty /run/firejail/mnt/dns-etc/group file
Creating empty /run/firejail/mnt/dns-etc/mdadm.conf file
Creating empty /run/firejail/mnt/dns-etc/ld.so.cache file
Creating empty /run/firejail/mnt/dns-etc/.updated file
Creating empty /run/firejail/mnt/dns-etc/resolv.conf file
Mount-bind /run/firejail/mnt/dns-etc on top of /etc
Current directory: /etc/libvirt
DISPLAY is not set
Install protocol filter: unix,inet,inet6,netlink
configuring 22 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 6, uid 0, gid 0, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 04 00 c000003e   jeq ARCH_64 0006 (false 0002)
 0002: 20 00 00 00000000   ld  data.syscall-number
 0003: 15 01 00 00000167   jeq unknown 0005 (false 0004)
 0004: 06 00 00 7fff0000   ret ALLOW
 0005: 05 00 00 00000006   jmp 000c
 0006: 20 00 00 00000004   ld  data.architecture
 0007: 15 01 00 c000003e   jeq ARCH_64 0009 (false 0008)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 20 00 00 00000000   ld  data.syscall-number
 000a: 15 01 00 00000029   jeq socket 000c (false 000b)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 20 00 00 00000010   ld  data.args[0]
 000d: 15 00 01 00000001   jeq 1 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 15 00 01 00000002   jeq 2 0010 (false 0011)
 0010: 06 00 00 7fff0000   ret ALLOW
 0011: 15 00 01 0000000a   jeq a 0012 (false 0013)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 15 00 01 00000010   jeq 10 0014 (false 0015)
 0014: 06 00 00 7fff0000   ret ALLOW
 0015: 06 00 00 0005005f   ret ERRNO(95)
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 
Dropping all capabilities
Drop privileges: pid 7, uid 0, gid 0, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 30 00 00000015   jeq 15 0035 (false 0005)
 0005: 15 2f 00 00000034   jeq 34 0035 (false 0006)
 0006: 15 2e 00 0000001a   jeq 1a 0035 (false 0007)
 0007: 15 2d 00 0000011b   jeq 11b 0035 (false 0008)
 0008: 15 2c 00 00000155   jeq 155 0035 (false 0009)
 0009: 15 2b 00 00000156   jeq 156 0035 (false 000a)
 000a: 15 2a 00 0000007f   jeq 7f 0035 (false 000b)
 000b: 15 29 00 00000080   jeq 80 0035 (false 000c)
 000c: 15 28 00 0000015e   jeq 15e 0035 (false 000d)
 000d: 15 27 00 00000081   jeq 81 0035 (false 000e)
 000e: 15 26 00 0000006e   jeq 6e 0035 (false 000f)
 000f: 15 25 00 00000065   jeq 65 0035 (false 0010)
 0010: 15 24 00 00000121   jeq 121 0035 (false 0011)
 0011: 15 23 00 00000057   jeq 57 0035 (false 0012)
 0012: 15 22 00 00000073   jeq 73 0035 (false 0013)
 0013: 15 21 00 00000067   jeq 67 0035 (false 0014)
 0014: 15 20 00 0000015b   jeq 15b 0035 (false 0015)
 0015: 15 1f 00 0000015c   jeq 15c 0035 (false 0016)
 0016: 15 1e 00 00000087   jeq 87 0035 (false 0017)
 0017: 15 1d 00 00000095   jeq 95 0035 (false 0018)
 0018: 15 1c 00 0000007c   jeq 7c 0035 (false 0019)
 0019: 15 1b 00 00000157   jeq 157 0035 (false 001a)
 001a: 15 1a 00 000000fd   jeq fd 0035 (false 001b)
 001b: 15 19 00 00000150   jeq 150 0035 (false 001c)
 001c: 15 18 00 00000152   jeq 152 0035 (false 001d)
 001d: 15 17 00 0000015d   jeq 15d 0035 (false 001e)
 001e: 15 16 00 0000011e   jeq 11e 0035 (false 001f)
 001f: 15 15 00 0000011f   jeq 11f 0035 (false 0020)
 0020: 15 14 00 00000120   jeq 120 0035 (false 0021)
 0021: 15 13 00 00000056   jeq 56 0035 (false 0022)
 0022: 15 12 00 00000033   jeq 33 0035 (false 0023)
 0023: 15 11 00 0000007b   jeq 7b 0035 (false 0024)
 0024: 15 10 00 000000d9   jeq d9 0035 (false 0025)
 0025: 15 0f 00 000000f5   jeq f5 0035 (false 0026)
 0026: 15 0e 00 000000f6   jeq f6 0035 (false 0027)
 0027: 15 0d 00 000000f7   jeq f7 0035 (false 0028)
 0028: 15 0c 00 000000f8   jeq f8 0035 (false 0029)
 0029: 15 0b 00 000000f9   jeq f9 0035 (false 002a)
 002a: 15 0a 00 00000101   jeq 101 0035 (false 002b)
 002b: 15 09 00 00000112   jeq 112 0035 (false 002c)
 002c: 15 08 00 00000114   jeq 114 0035 (false 002d)
 002d: 15 07 00 00000126   jeq 126 0035 (false 002e)
 002e: 15 06 00 0000013d   jeq 13d 0035 (false 002f)
 002f: 15 05 00 0000013c   jeq 13c 0035 (false 0030)
 0030: 15 04 00 0000003d   jeq 3d 0035 (false 0031)
 0031: 15 03 00 00000058   jeq 58 0035 (false 0032)
 0032: 15 02 00 000000a9   jeq a9 0035 (false 0033)
 0033: 15 01 00 00000082   jeq 82 0035 (false 0034)
 0034: 06 00 00 7fff0000   ret ALLOW
 0035: 06 00 00 00050001   ret ERRNO(1)
Dual 32/64 bit seccomp filter configured
configuring 71 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 8, uid 0, gid 0, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 3e 00 0000009f   jeq adjtimex 0046 (false 0008)
 0008: 15 3d 00 00000131   jeq clock_adjtime 0046 (false 0009)
 0009: 15 3c 00 000000e3   jeq clock_settime 0046 (false 000a)
 000a: 15 3b 00 000000a4   jeq settimeofday 0046 (false 000b)
 000b: 15 3a 00 0000009a   jeq modify_ldt 0046 (false 000c)
 000c: 15 39 00 000000d4   jeq lookup_dcookie 0046 (false 000d)
 000d: 15 38 00 0000012a   jeq perf_event_open 0046 (false 000e)
 000e: 15 37 00 00000137   jeq process_vm_writev 0046 (false 000f)
 000f: 15 36 00 000000b0   jeq delete_module 0046 (false 0010)
 0010: 15 35 00 00000139   jeq finit_module 0046 (false 0011)
 0011: 15 34 00 000000af   jeq init_module 0046 (false 0012)
 0012: 15 33 00 000000a1   jeq chroot 0046 (false 0013)
 0013: 15 32 00 000000a5   jeq mount 0046 (false 0014)
 0014: 15 31 00 0000009b   jeq pivot_root 0046 (false 0015)
 0015: 15 30 00 000000a6   jeq umount2 0046 (false 0016)
 0016: 15 2f 00 0000009c   jeq _sysctl 0046 (false 0017)
 0017: 15 2e 00 000000b7   jeq afs_syscall 0046 (false 0018)
 0018: 15 2d 00 000000ae   jeq create_module 0046 (false 0019)
 0019: 15 2c 00 000000b1   jeq get_kernel_syms 0046 (false 001a)
 001a: 15 2b 00 000000b5   jeq getpmsg 0046 (false 001b)
 001b: 15 2a 00 000000b6   jeq putpmsg 0046 (false 001c)
 001c: 15 29 00 000000b2   jeq query_module 0046 (false 001d)
 001d: 15 28 00 000000b9   jeq security 0046 (false 001e)
 001e: 15 27 00 0000008b   jeq sysfs 0046 (false 001f)
 001f: 15 26 00 000000b8   jeq tuxcall 0046 (false 0020)
 0020: 15 25 00 00000086   jeq uselib 0046 (false 0021)
 0021: 15 24 00 00000088   jeq ustat 0046 (false 0022)
 0022: 15 23 00 000000ec   jeq vserver 0046 (false 0023)
 0023: 15 22 00 000000ad   jeq ioperm 0046 (false 0024)
 0024: 15 21 00 000000ac   jeq iopl 0046 (false 0025)
 0025: 15 20 00 000000f6   jeq kexec_load 0046 (false 0026)
 0026: 15 1f 00 00000140   jeq kexec_file_load 0046 (false 0027)
 0027: 15 1e 00 000000a9   jeq reboot 0046 (false 0028)
 0028: 15 1d 00 000000a7   jeq swapon 0046 (false 0029)
 0029: 15 1c 00 000000a8   jeq swapoff 0046 (false 002a)
 002a: 15 1b 00 00000130   jeq open_by_handle_at 0046 (false 002b)
 002b: 15 1a 00 0000012f   jeq name_to_handle_at 0046 (false 002c)
 002c: 15 19 00 000000fb   jeq ioprio_set 0046 (false 002d)
 002d: 15 18 00 00000067   jeq syslog 0046 (false 002e)
 002e: 15 17 00 0000012c   jeq fanotify_init 0046 (false 002f)
 002f: 15 16 00 000000f8   jeq add_key 0046 (false 0030)
 0030: 15 15 00 000000f9   jeq request_key 0046 (false 0031)
 0031: 15 14 00 000000ed   jeq mbind 0046 (false 0032)
 0032: 15 13 00 00000100   jeq migrate_pages 0046 (false 0033)
 0033: 15 12 00 00000117   jeq move_pages 0046 (false 0034)
 0034: 15 11 00 000000fa   jeq keyctl 0046 (false 0035)
 0035: 15 10 00 000000ce   jeq io_setup 0046 (false 0036)
 0036: 15 0f 00 000000cf   jeq io_destroy 0046 (false 0037)
 0037: 15 0e 00 000000d0   jeq io_getevents 0046 (false 0038)
 0038: 15 0d 00 000000d1   jeq io_submit 0046 (false 0039)
 0039: 15 0c 00 000000d2   jeq io_cancel 0046 (false 003a)
 003a: 15 0b 00 000000d8   jeq remap_file_pages 0046 (false 003b)
 003b: 15 0a 00 00000143   jeq userfaultfd 0046 (false 003c)
 003c: 15 09 00 000000a3   jeq acct 0046 (false 003d)
 003d: 15 08 00 00000141   jeq bpf 0046 (false 003e)
 003e: 15 07 00 000000b4   jeq nfsservctl 0046 (false 003f)
 003f: 15 06 00 000000ab   jeq setdomainname 0046 (false 0040)
 0040: 15 05 00 000000aa   jeq sethostname 0046 (false 0041)
 0041: 15 04 00 00000099   jeq vhangup 0046 (false 0042)
 0042: 15 03 00 00000065   jeq ptrace 0046 (false 0043)
 0043: 15 02 00 00000087   jeq personality 0046 (false 0044)
 0044: 15 01 00 00000136   jeq process_vm_readv 0046 (false 0045)
 0045: 06 00 00 7fff0000   ret ALLOW
 0046: 06 00 00 00050001   ret ERRNO(1)
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
8801 8004 0:279 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=8801 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             220 ..
-rw-r--r-- root     root             568 seccomp
-rw-r--r-- root     root             432 seccomp.32
-rw-r--r-- root     root             114 seccomp.list
-rw-r--r-- root     root               0 seccomp.postexec
-rw-r--r-- root     root               0 seccomp.postexec32
-rw-r--r-- root     root             176 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Set caps filter 34c0
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 0, gid 0, force_nogroups 0
No supplementary groups
AppArmor enabled
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
Running '/usr/bin/dnsmasq'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: '/usr/bin/dnsmasq' 
Child process initialized in 103.27 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter

dnsmasq: failed to open pidfile /var/run/dnsmasq.pid: File exists
monitoring pid 9

Sandbox monitor: waitpid 9 retval 9 status 768
Sandbox monitor: monitoring 10
monitoring pid 10

Sandbox monitor: waitpid 10 retval 10 status 0

Parent is shutting down, bye...

directory Creating empty /run/firejail/mnt/dns-etc/libpaper.d directory Creating empty /run/firejail/mnt/dns-etc/papersize file Creating empty /run/firejail/mnt/dns-etc/gimp directory Creating empty /run/firejail/mnt/dns-etc/dbus-1 directory Creating empty /run/firejail/mnt/dns-etc/zstore directory Creating empty /run/firejail/mnt/dns-etc/tor directory Creating empty /run/firejail/mnt/dns-etc/libreoffice directory Creating empty /run/firejail/mnt/dns-etc/firejail directory Creating empty /run/firejail/mnt/dns-etc/ld.so.preload file Creating empty /run/firejail/mnt/dns-etc/libvirt directory Creating empty /run/firejail/mnt/dns-etc/sasl2 directory Creating empty /run/firejail/mnt/dns-etc/brlapi.key file Creating empty /run/firejail/mnt/dns-etc/vde directory Creating empty /run/firejail/mnt/dns-etc/vde2 directory Creating empty /run/firejail/mnt/dns-etc/zrepl directory Creating empty /run/firejail/mnt/dns-etc/ufw directory Creating empty /run/firejail/mnt/dns-etc/gufw directory Creating empty /run/firejail/mnt/dns-etc/lxc directory Creating empty /run/firejail/mnt/dns-etc/subgid file Creating empty /run/firejail/mnt/dns-etc/subuid file Creating empty /run/firejail/mnt/dns-etc/linkding directory Creating empty /run/firejail/mnt/dns-etc/pinentry directory Creating empty /run/firejail/mnt/dns-etc/java-openjdk directory Creating empty /run/firejail/mnt/dns-etc/apcupsd directory Creating empty /run/firejail/mnt/dns-etc/opensnitchd directory Creating empty /run/firejail/mnt/dns-etc/updatedb.conf file Creating empty /run/firejail/mnt/dns-etc/uniconf.conf file Creating empty /run/firejail/mnt/dns-etc/ansible directory Creating empty /run/firejail/mnt/dns-etc/mailcap file Creating empty /run/firejail/mnt/dns-etc/mime.types file Creating empty /run/firejail/mnt/dns-etc/bindresvport.blacklist file Creating empty /run/firejail/mnt/dns-etc/netconfig file Creating empty /run/firejail/mnt/dns-etc/profile file Creating empty /run/firejail/mnt/dns-etc/nfs.conf file Creating empty 
/run/firejail/mnt/dns-etc/opt directory Creating empty /run/firejail/mnt/dns-etc/brave directory Creating empty /run/firejail/mnt/dns-etc/ctdb directory Creating empty /run/firejail/mnt/dns-etc/samba directory Creating empty /run/firejail/mnt/dns-etc/passwd.OLD file Creating empty /run/firejail/mnt/dns-etc/udevil directory Creating empty /run/firejail/mnt/dns-etc/jack directory Creating empty /run/firejail/mnt/dns-etc/rsyncd.conf file Creating empty /run/firejail/mnt/dns-etc/xml directory Creating empty /run/firejail/mnt/dns-etc/geoclue directory Creating empty /run/firejail/mnt/dns-etc/atmsigd.conf file Creating empty /run/firejail/mnt/dns-etc/hosts.atm file Creating empty /run/firejail/mnt/dns-etc/mkinitcpio.conf.old file Creating empty /run/firejail/mnt/dns-etc/mkinitcpio.conf file Creating empty /run/firejail/mnt/dns-etc/unbound directory Creating empty /run/firejail/mnt/dns-etc/makepkg.conf.old file Creating empty /run/firejail/mnt/dns-etc/makepkg.conf file Creating empty /run/firejail/mnt/dns-etc/fuse.conf file Creating empty /run/firejail/mnt/dns-etc/snapper directory Creating empty /run/firejail/mnt/dns-etc/dnsmasq.conf file Creating empty /run/firejail/mnt/dns-etc/mbuffer.rc file Creating empty /run/firejail/mnt/dns-etc/nanorc file Creating empty /run/firejail/mnt/dns-etc/rc_maps.cfg file Creating empty /run/firejail/mnt/dns-etc/krb5.conf file Creating empty /run/firejail/mnt/dns-etc/snap-pac.ini file Creating empty /run/firejail/mnt/dns-etc/arch-release file Creating empty /run/firejail/mnt/dns-etc/host.conf file Creating empty /run/firejail/mnt/dns-etc/ld.so.conf file Creating empty /run/firejail/mnt/dns-etc/nsswitch.conf file Creating empty /run/firejail/mnt/dns-etc/securetty file Creating empty /run/firejail/mnt/dns-etc/daxctl.conf.d directory Creating empty /run/firejail/mnt/dns-etc/ndctl.conf.d directory Creating empty /run/firejail/mnt/dns-etc/cni directory Creating empty /run/firejail/mnt/dns-etc/containers directory Creating empty 
/run/firejail/mnt/dns-etc/mail.rc file Creating empty /run/firejail/mnt/dns-etc/pcurses.conf file Creating empty /run/firejail/mnt/dns-etc/reflector-simple-tool.conf file Creating empty /run/firejail/mnt/dns-etc/reflector-simple.conf file Creating empty /run/firejail/mnt/dns-etc/eos-rankmirrors.conf file Creating empty /run/firejail/mnt/dns-etc/bash.bash_logout file Creating empty /run/firejail/mnt/dns-etc/bash.bashrc file Creating empty /run/firejail/mnt/dns-etc/idmapd.conf file Creating empty /run/firejail/mnt/dns-etc/exports file Creating empty /run/firejail/mnt/dns-etc/nfs.conf.pacnew file Creating empty /run/firejail/mnt/dns-etc/nfsmount.conf file Creating empty /run/firejail/mnt/dns-etc/issue file Creating empty /run/firejail/mnt/dns-etc/xattr.conf file Creating empty /run/firejail/mnt/dns-etc/inputrc file Creating empty /run/firejail/mnt/dns-etc/libaudit.conf file Creating empty /run/firejail/mnt/dns-etc/login.defs file Creating empty /run/firejail/mnt/dns-etc/screenrc file Creating empty /run/firejail/mnt/dns-etc/brltty.conf file Creating empty /run/firejail/mnt/dns-etc/rarfiles.lst file Creating empty /run/firejail/mnt/dns-etc/protocols file Creating empty /run/firejail/mnt/dns-etc/services file Creating empty /run/firejail/mnt/dns-etc/e2scrub.conf file Creating empty /run/firejail/mnt/dns-etc/mke2fs.conf file Creating empty /run/firejail/mnt/dns-etc/tpm2-tss directory Creating empty /run/firejail/mnt/dns-etc/nanorc.pacnew file Creating empty /run/firejail/mnt/dns-etc/whois.conf file Creating empty /run/firejail/mnt/dns-etc/lsb-release file Creating empty /run/firejail/mnt/dns-etc/passwd file Creating empty /run/firejail/mnt/dns-etc/makepkg.conf.pacnew file Creating empty /run/firejail/mnt/dns-etc/pacman.conf.pacnew file Creating empty /run/firejail/mnt/dns-etc/libva.conf file Creating empty /run/firejail/mnt/dns-etc/mtools.conf file Creating empty /run/firejail/mnt/dns-etc/sudo.conf file Creating empty /run/firejail/mnt/dns-etc/sudo_logsrvd.conf file 
Creating empty /run/firejail/mnt/dns-etc/sudoers.pacnew file Creating empty /run/firejail/mnt/dns-etc/tlp.conf file Creating empty /run/firejail/mnt/dns-etc/usb_modeswitch.conf file Creating empty /run/firejail/mnt/dns-etc/usb_modeswitch.setup file Creating empty /run/firejail/mnt/dns-etc/vdpau_wrapper.cfg file Creating empty /run/firejail/mnt/dns-etc/bind.keys file Creating empty /run/firejail/mnt/dns-etc/named.conf file Creating empty /run/firejail/mnt/dns-etc/arptables.conf file Creating empty /run/firejail/mnt/dns-etc/ebtables.conf file Creating empty /run/firejail/mnt/dns-etc/ethertypes file Creating empty /run/firejail/mnt/dns-etc/iptables directory Creating empty /run/firejail/mnt/dns-etc/man_db.conf file Creating empty /run/firejail/mnt/dns-etc/gai.conf file Creating empty /run/firejail/mnt/dns-etc/locale.gen.pacnew file Creating empty /run/firejail/mnt/dns-etc/nscd.conf file Creating empty /run/firejail/mnt/dns-etc/rpc file Creating empty /run/firejail/mnt/dns-etc/eos-script-lib-yad.conf file Creating empty /run/firejail/mnt/dns-etc/eos-sendlog.conf file Creating empty /run/firejail/mnt/dns-etc/wgetrc file Creating empty /run/firejail/mnt/dns-etc/sudoers file Creating empty /run/firejail/mnt/dns-etc/nftables.conf file Creating empty /run/firejail/mnt/dns-etc/cpufreq-bench.conf file Creating empty /run/firejail/mnt/dns-etc/eos-rankmirrors.conf.pacnew file Creating empty /run/firejail/mnt/dns-etc/eos-update-notifier.conf file Creating empty /run/firejail/mnt/dns-etc/group file Creating empty /run/firejail/mnt/dns-etc/mdadm.conf file Creating empty /run/firejail/mnt/dns-etc/ld.so.cache file Creating empty /run/firejail/mnt/dns-etc/.updated file Creating empty /run/firejail/mnt/dns-etc/resolv.conf file Mount-bind /run/firejail/mnt/dns-etc on top of /etc Current directory: /etc/libvirt DISPLAY is not set Install protocol filter: unix,inet,inet6,netlink configuring 22 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: 
/usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol Dropping all capabilities Drop privileges: pid 6, uid 0, gid 0, force_nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 04 00 c000003e jeq ARCH_64 0006 (false 0002) 0002: 20 00 00 00000000 ld data.syscall-number 0003: 15 01 00 00000167 jeq unknown 0005 (false 0004) 0004: 06 00 00 7fff0000 ret ALLOW 0005: 05 00 00 00000006 jmp 000c 0006: 20 00 00 00000004 ld data.architecture 0007: 15 01 00 c000003e jeq ARCH_64 0009 (false 0008) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 20 00 00 00000000 ld data.syscall-number 000a: 15 01 00 00000029 jeq socket 000c (false 000b) 000b: 06 00 00 7fff0000 ret ALLOW 000c: 20 00 00 00000010 ld data.args[0] 000d: 15 00 01 00000001 jeq 1 000e (false 000f) 000e: 06 00 00 7fff0000 ret ALLOW 000f: 15 00 01 00000002 jeq 2 0010 (false 0011) 0010: 06 00 00 7fff0000 ret ALLOW 0011: 15 00 01 0000000a jeq a 0012 (false 0013) 0012: 06 00 00 7fff0000 ret ALLOW 0013: 15 00 01 00000010 jeq 10 0014 (false 0015) 0014: 06 00 00 7fff0000 ret ALLOW 0015: 06 00 00 0005005f ret ERRNO(95) configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32 sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 Dropping all capabilities Drop privileges: pid 7, uid 0, gid 0, force_nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 30 00 00000015 jeq 15 0035 (false 0005) 0005: 15 2f 00 00000034 jeq 34 0035 (false 0006) 0006: 15 2e 00 0000001a jeq 1a 0035 (false 0007) 0007: 15 2d 00 0000011b jeq 11b 0035 (false 0008) 0008: 15 2c 00 00000155 jeq 155 0035 (false 0009) 0009: 15 2b 00 00000156 jeq 156 0035 (false 000a) 000a: 15 2a 00 0000007f jeq 7f 0035 (false 000b) 
000b: 15 29 00 00000080 jeq 80 0035 (false 000c) 000c: 15 28 00 0000015e jeq 15e 0035 (false 000d) 000d: 15 27 00 00000081 jeq 81 0035 (false 000e) 000e: 15 26 00 0000006e jeq 6e 0035 (false 000f) 000f: 15 25 00 00000065 jeq 65 0035 (false 0010) 0010: 15 24 00 00000121 jeq 121 0035 (false 0011) 0011: 15 23 00 00000057 jeq 57 0035 (false 0012) 0012: 15 22 00 00000073 jeq 73 0035 (false 0013) 0013: 15 21 00 00000067 jeq 67 0035 (false 0014) 0014: 15 20 00 0000015b jeq 15b 0035 (false 0015) 0015: 15 1f 00 0000015c jeq 15c 0035 (false 0016) 0016: 15 1e 00 00000087 jeq 87 0035 (false 0017) 0017: 15 1d 00 00000095 jeq 95 0035 (false 0018) 0018: 15 1c 00 0000007c jeq 7c 0035 (false 0019) 0019: 15 1b 00 00000157 jeq 157 0035 (false 001a) 001a: 15 1a 00 000000fd jeq fd 0035 (false 001b) 001b: 15 19 00 00000150 jeq 150 0035 (false 001c) 001c: 15 18 00 00000152 jeq 152 0035 (false 001d) 001d: 15 17 00 0000015d jeq 15d 0035 (false 001e) 001e: 15 16 00 0000011e jeq 11e 0035 (false 001f) 001f: 15 15 00 0000011f jeq 11f 0035 (false 0020) 0020: 15 14 00 00000120 jeq 120 0035 (false 0021) 0021: 15 13 00 00000056 jeq 56 0035 (false 0022) 0022: 15 12 00 00000033 jeq 33 0035 (false 0023) 0023: 15 11 00 0000007b jeq 7b 0035 (false 0024) 0024: 15 10 00 000000d9 jeq d9 0035 (false 0025) 0025: 15 0f 00 000000f5 jeq f5 0035 (false 0026) 0026: 15 0e 00 000000f6 jeq f6 0035 (false 0027) 0027: 15 0d 00 000000f7 jeq f7 0035 (false 0028) 0028: 15 0c 00 000000f8 jeq f8 0035 (false 0029) 0029: 15 0b 00 000000f9 jeq f9 0035 (false 002a) 002a: 15 0a 00 00000101 jeq 101 0035 (false 002b) 002b: 15 09 00 00000112 jeq 112 0035 (false 002c) 002c: 15 08 00 00000114 jeq 114 0035 (false 002d) 002d: 15 07 00 00000126 jeq 126 0035 (false 002e) 002e: 15 06 00 0000013d jeq 13d 0035 (false 002f) 002f: 15 05 00 0000013c jeq 13c 0035 (false 0030) 0030: 15 04 00 0000003d jeq 3d 0035 (false 0031) 0031: 15 03 00 00000058 jeq 58 0035 (false 0032) 0032: 15 02 00 000000a9 jeq a9 0035 (false 0033) 0033: 15 01 00 
00000082 jeq 82 0035 (false 0034) 0034: 06 00 00 7fff0000 ret ALLOW 0035: 06 00 00 00050001 ret ERRNO(1) Dual 32/64 bit seccomp filter configured configuring 71 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp Dropping all capabilities Drop privileges: pid 8, uid 0, gid 0, force_nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 3e 00 0000009f jeq adjtimex 0046 (false 0008) 0008: 15 3d 00 00000131 jeq clock_adjtime 0046 (false 0009) 0009: 15 3c 00 000000e3 jeq clock_settime 0046 (false 000a) 000a: 15 3b 00 000000a4 jeq settimeofday 0046 (false 000b) 000b: 15 3a 00 0000009a jeq modify_ldt 0046 (false 000c) 000c: 15 39 00 000000d4 jeq lookup_dcookie 0046 (false 000d) 000d: 15 38 00 0000012a jeq perf_event_open 0046 (false 000e) 000e: 15 37 00 00000137 jeq process_vm_writev 0046 (false 000f) 000f: 15 36 00 000000b0 jeq delete_module 0046 (false 0010) 0010: 15 35 00 00000139 jeq finit_module 0046 (false 0011) 0011: 15 34 00 000000af jeq init_module 0046 (false 0012) 0012: 15 33 00 000000a1 jeq chroot 0046 (false 0013) 0013: 15 32 00 000000a5 jeq mount 0046 (false 0014) 0014: 15 31 00 0000009b jeq pivot_root 0046 (false 0015) 0015: 15 30 00 000000a6 jeq umount2 0046 (false 0016) 0016: 15 2f 00 0000009c jeq _sysctl 0046 (false 0017) 0017: 15 2e 00 000000b7 jeq afs_syscall 0046 (false 0018) 0018: 15 2d 00 000000ae jeq create_module 0046 (false 0019) 0019: 15 2c 00 000000b1 jeq get_kernel_syms 0046 (false 001a) 001a: 15 2b 00 000000b5 jeq getpmsg 0046 (false 001b) 001b: 15 2a 00 000000b6 jeq putpmsg 0046 (false 001c) 001c: 15 29 00 
000000b2 jeq query_module 0046 (false 001d) 001d: 15 28 00 000000b9 jeq security 0046 (false 001e) 001e: 15 27 00 0000008b jeq sysfs 0046 (false 001f) 001f: 15 26 00 000000b8 jeq tuxcall 0046 (false 0020) 0020: 15 25 00 00000086 jeq uselib 0046 (false 0021) 0021: 15 24 00 00000088 jeq ustat 0046 (false 0022) 0022: 15 23 00 000000ec jeq vserver 0046 (false 0023) 0023: 15 22 00 000000ad jeq ioperm 0046 (false 0024) 0024: 15 21 00 000000ac jeq iopl 0046 (false 0025) 0025: 15 20 00 000000f6 jeq kexec_load 0046 (false 0026) 0026: 15 1f 00 00000140 jeq kexec_file_load 0046 (false 0027) 0027: 15 1e 00 000000a9 jeq reboot 0046 (false 0028) 0028: 15 1d 00 000000a7 jeq swapon 0046 (false 0029) 0029: 15 1c 00 000000a8 jeq swapoff 0046 (false 002a) 002a: 15 1b 00 00000130 jeq open_by_handle_at 0046 (false 002b) 002b: 15 1a 00 0000012f jeq name_to_handle_at 0046 (false 002c) 002c: 15 19 00 000000fb jeq ioprio_set 0046 (false 002d) 002d: 15 18 00 00000067 jeq syslog 0046 (false 002e) 002e: 15 17 00 0000012c jeq fanotify_init 0046 (false 002f) 002f: 15 16 00 000000f8 jeq add_key 0046 (false 0030) 0030: 15 15 00 000000f9 jeq request_key 0046 (false 0031) 0031: 15 14 00 000000ed jeq mbind 0046 (false 0032) 0032: 15 13 00 00000100 jeq migrate_pages 0046 (false 0033) 0033: 15 12 00 00000117 jeq move_pages 0046 (false 0034) 0034: 15 11 00 000000fa jeq keyctl 0046 (false 0035) 0035: 15 10 00 000000ce jeq io_setup 0046 (false 0036) 0036: 15 0f 00 000000cf jeq io_destroy 0046 (false 0037) 0037: 15 0e 00 000000d0 jeq io_getevents 0046 (false 0038) 0038: 15 0d 00 000000d1 jeq io_submit 0046 (false 0039) 0039: 15 0c 00 000000d2 jeq io_cancel 0046 (false 003a) 003a: 15 0b 00 000000d8 jeq remap_file_pages 0046 (false 003b) 003b: 15 0a 00 00000143 jeq userfaultfd 0046 (false 003c) 003c: 15 09 00 000000a3 jeq acct 0046 (false 003d) 003d: 15 08 00 00000141 jeq bpf 0046 (false 003e) 003e: 15 07 00 000000b4 jeq nfsservctl 0046 (false 003f) 003f: 15 06 00 000000ab jeq setdomainname 0046 (false 
0040) 0040: 15 05 00 000000aa jeq sethostname 0046 (false 0041) 0041: 15 04 00 00000099 jeq vhangup 0046 (false 0042) 0042: 15 03 00 00000065 jeq ptrace 0046 (false 0043) 0043: 15 02 00 00000087 jeq personality 0046 (false 0044) 0044: 15 01 00 00000136 jeq process_vm_readv 0046 (false 0045) 0045: 06 00 00 7fff0000 ret ALLOW 0046: 06 00 00 00050001 ret ERRNO(1) seccomp filter configured Mounting read-only /run/firejail/mnt/seccomp 8801 8004 0:279 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64 mountid=8801 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Seccomp directory: ls /run/firejail/mnt/seccomp drwxr-xr-x root root 160 . drwxr-xr-x root root 220 .. -rw-r--r-- root root 568 seccomp -rw-r--r-- root root 432 seccomp.32 -rw-r--r-- root root 114 seccomp.list -rw-r--r-- root root 0 seccomp.postexec -rw-r--r-- root root 0 seccomp.postexec32 -rw-r--r-- root root 176 seccomp.protocol Active seccomp files: cat /run/firejail/mnt/seccomp/seccomp.list /run/firejail/mnt/seccomp/seccomp.protocol /run/firejail/mnt/seccomp/seccomp.32 /run/firejail/mnt/seccomp/seccomp Set caps filter 34c0 NO_NEW_PRIVS set Drop privileges: pid 1, uid 0, gid 0, force_nogroups 0 No supplementary groups AppArmor enabled Closing non-standard file descriptors Starting application LD_PRELOAD=(null) Running '/usr/bin/dnsmasq' command through /bin/bash execvp argument 0: /bin/bash execvp argument 1: -c execvp argument 2: '/usr/bin/dnsmasq' Child process initialized in 103.27 ms Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter dnsmasq: failed to open pidfile /var/run/dnsmasq.pid: File exists monitoring pid 9 Sandbox monitor: waitpid 9 retval 9 status 768 Sandbox monitor: monitoring 10 monitoring pid 10 Sandbox monitor: waitpid 10 retval 10 status 0 Parent is shutting down, bye... ``` </p> </details>

@smitsohu commented on GitHub (Apr 10, 2022):

Possibly because libvirt_leaseshelper wants to write to `/var/lib/libvirt/dnsmasq`. This fails because this directory is blacklisted, and if it wasn't blacklisted, it would still be read-only.

Can you try:

```
noblacklist /var/lib/libvirt
writable-var
```

If that works, try adding:

```
whitelist /var/lib/libvirt/dnsmasq
whitelist /var/run
```

@smitsohu commented on GitHub (Apr 10, 2022):

If the problem is related to the pid file, it might be necessary to allow more capabilities.

`caps.keep chown,dac_override,net_admin,net_bind_service,net_raw,setgid,setuid`
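To see what the suggested `caps.keep` line changes, the following added example (not part of the original comment or of firejail) decodes the `Set caps filter 34c0` line from the debug log above and compares it with the proposed list. It assumes the value is a hexadecimal bitmask indexed by the capability numbers in `<linux/capability.h>`; the function names are hypothetical.

```python
import re

# Capability names in bit order, as numbered in <linux/capability.h>.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Inputs taken from this issue: the debug log line and the proposed directive.
DEBUG_LOG_LINE = "Set caps filter 34c0"
PROPOSED_LINE = ("caps.keep chown,dac_override,net_admin,net_bind_service,"
                 "net_raw,setgid,setuid")


def caps_from_mask(mask: int) -> list[str]:
    """Return the capability names whose bits are set, in bit order."""
    if mask >> len(CAP_NAMES):
        raise ValueError(f"mask {mask:#x} has bits beyond the known capabilities")
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def mask_from_caps(names: list[str]) -> int:
    """Build the bitmask for a list of capability names."""
    mask = 0
    for name in names:
        if name not in CAP_NAMES:
            raise ValueError(f"unknown capability: {name!r}")
        mask |= 1 << CAP_NAMES.index(name)
    return mask


def mask_from_debug_log(log: str) -> int:
    """Extract the hex mask from a 'Set caps filter <hex>' debug line."""
    match = re.search(r"Set caps filter ([0-9a-fA-F]+)", log)
    if match is None:
        raise ValueError("no 'Set caps filter' line found")
    return int(match.group(1), 16)


def caps_from_profile_line(line: str) -> list[str]:
    """Parse the comma-separated list of a caps.keep profile directive."""
    directive, _, arg = line.strip().partition(" ")
    if directive != "caps.keep" or not arg.strip():
        raise ValueError(f"not a caps.keep directive: {line!r}")
    return [cap.strip() for cap in arg.split(",") if cap.strip()]


def compare(log: str, profile_line: str) -> dict:
    """Diff the capabilities currently kept against the proposed caps.keep."""
    current = mask_from_debug_log(log)
    proposed = mask_from_caps(caps_from_profile_line(profile_line))
    return {
        "current": caps_from_mask(current),
        "added": caps_from_mask(proposed & ~current),
        "removed": caps_from_mask(current & ~proposed),
        "proposed_mask": format(proposed, "x"),
    }


if __name__ == "__main__":
    for key, value in compare(DEBUG_LOG_LINE, PROPOSED_LINE).items():
        print(f"{key}: {value}")
```

The two capabilities the proposal adds are `chown` and `dac_override`; without `dac_override`, a uid 0 process is subject to ordinary file permission checks, which matters for a pid file owned by `nobody` with mode 644 as shown in the issue description.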


@itoffshore commented on GitHub (Apr 10, 2022):

Both of these fixes work (tested separately) - many thanks:

```
noblacklist /var/lib/libvirt
writable-var

------

whitelist /var/lib/libvirt/dnsmasq
whitelist /var/run
```

```
virsh # net-list --all
 Name              State      Autostart   Persistent
------------------------------------------------------
 default           active     yes         yes
```

@smitsohu commented on GitHub (Apr 10, 2022):

Great!

Reference: github-starred/firejail#2875