[GH-ISSUE #5338] No access to /tmp if blacklisted paths symlink to it #2964

Closed
opened 2026-05-05 09:37:37 -06:00 by gitea-mirror · 12 comments

Originally created by @birdie-github on GitHub (Aug 23, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5338

firejail-0.9.66-3.fc36.x86_64

Relevant debug strings:

[birdie@localhost ~]$ firejail --debug
Mounting tmpfs on /run/firejail/mnt directory
631 630 0:24 / /var/tmp rw,nosuid,nodev,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=631 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting read-only /var/tmp
632 631 0:24 / /var/tmp ro,nosuid,nodev,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=632 fsname=/ dir=/var/tmp fstype=tmpfs
635 634 0:24 / /var/tmp ro,nosuid,nodev,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=635 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting noexec /var/tmp
636 635 0:24 / /var/tmp ro,nosuid,nodev,noexec,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=636 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/nginx
Create the new utmp file
Mount the new utmp file
Relabeling /run/user as /run/user (system_u:object_r:user_tmp_t:s0)
Relabeling /run/user/1000 as /run/user/1000 (unconfined_u:object_r:user_tmp_t:s0)
Disable /tmp/ssh-XXXXXXsy8kyQ
Disable /tmp/.mozilla.ram (requested /home/birdie/.mozilla)
Disable /tmp (requested /home/birdie/.cache/mozilla)
Disable /tmp (requested /home/birdie/.cache/thunderbird)
1045 625 0:30 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,seclabel,mode=755
mountid=1045 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
1046 770 0:30 /pulse /home/birdie/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,seclabel,mode=755
mountid=1046 fsname=/pulse dir=/home/birdie/.config/pulse fstype=tmpfs
1049 625 0:30 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,seclabel,mode=755
mountid=1049 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs

[birdie@localhost ~]$ ls -la /tmp
ls: cannot open directory '/tmp': Permission denied

[birdie@localhost ~]$ ls -l / | grep tmp
dr--------.   2 nobody nobody    40 Aug 23 14:51 tmp

This is Fedora 36 with a custom kernel.

mount | grep " /tmp"
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,relatime,seclabel)

I am confused. The documentation makes it look like /tmp must be available.


@birdie-github commented on GitHub (Aug 23, 2022):

--noprofile with or without --private-tmp works:

[birdie@localhost ~]$ firejail --noprofile --private-tmp
Parent pid 308522, child pid 308523
Child process initialized in 4.17 ms
[birdie@localhost ~]$ ls -la /tmp
total 4
drwxrwxrwt.  3 root root   60 Aug 23 16:45 .
dr-xr-xr-x. 20 root root 4096 Aug 23 15:41 ..
drwxrwxrwt.  2 root root   60 Aug 23 09:13 .X11-unix

@kmk3 commented on GitHub (Aug 23, 2022):

@birdie-github commented on Aug 23:

> firejail-0.9.66-3.fc36.x86_64

That version is from over a year ago and is unsupported by us:

  * https://github.com/netblue30/firejail/blob/fda7c1332edac4b4ebd9524fd272ea4444306ba6/SECURITY.md

Does it happen with 0.9.70 or with the version from master?

> Relevant debug strings:
>
> [birdie@localhost ~]$ firejail --debug
> [...]
> [birdie@localhost ~]$ ls -la /tmp
> ls: cannot open directory '/tmp': Permission denied
>
> [birdie@localhost ~]$ ls -l / | grep tmp
> dr--------.   2 nobody nobody    40 Aug 23 14:51 tmp
>
> This is Fedora 36 with a custom kernel.

I cannot reproduce this on Artix with the current master:

$ firejail --quiet --profile=default ls -la /tmp >/dev/null; echo $?
0

@birdie-github commented on GitHub (Aug 24, 2022):

I've compiled version 0.9.70; the issue persists:

$ firejail --debug ls -la /tmp

Building quoted command line: 'ls' '-la' '/tmp' 
847 846 0:24 / /var/tmp rw,nosuid,nodev,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=847 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting read-only /var/tmp
848 847 0:24 / /var/tmp ro,nosuid,nodev,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=848 fsname=/ dir=/var/tmp fstype=tmpfs
851 850 0:24 / /var/tmp ro,nosuid,nodev,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=851 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting noexec /var/tmp
852 851 0:24 / /var/tmp ro,nosuid,nodev,noexec,relatime master:30 - tmpfs tmpfs rw,seclabel
mountid=852 fsname=/ dir=/var/tmp fstype=tmpfs
Mounting tmpfs on /var/tmp
Disable /tmp/ssh-XXXXXXsy8kyQ
Disable /tmp (requested /home/birdie/.cache/mozilla)
Disable /tmp (requested /home/birdie/.cache/thunderbird)
Warning (blacklisting): cannot open /tmp/.wine-*: Permission denied
Warning (blacklisting): cannot open /tmp/akonadi-*: Permission denied
Creating empty /run/firejail/mnt/dns-etc/tmpfiles.d directory
Running 'ls' '-la' '/tmp'  command through /bin/bash
execvp argument 2: 'ls' '-la' '/tmp' 
ls: cannot open directory '/tmp': Permission denied

@rusty-snake commented on GitHub (Aug 28, 2022):

> Disable /tmp (requested /home/birdie/.cache/mozilla)
> Disable /tmp (requested /home/birdie/.cache/thunderbird)

Remove these symlinks.

${HOME}/.cache/{mozilla,thunderbird} are blacklisted by disable-programs.inc, which is included in default.profile. And blacklist follows symlinks.

If you want them to be in a tmpfs, you can use firejail's private-cache feature or symlink them to somewhere in /tmp but not /tmp itself (which is risky anyway I guess) and have a look at systemd-tmpfiles.


@birdie-github commented on GitHub (Aug 28, 2022):

Without these symlinks this issue is gone but I'd love to leave everything as is.

Looks like I'll be removing these two rules from /etc/firejail/disable-programs.inc. I don't particularly care if rogue applications could access my Firefox/Thunderbird cache directories. I have disk cache completely disabled anyways and these two directories are almost empty.


@birdie-github commented on GitHub (Aug 28, 2022):

Still it would be great if firejail were a tad more verbose when it detects problems like this.

/tmp is such an integral part of Linux it must say something like,

Error: /etc/firejail/disable-programs.inc contains these two rules,
blacklist ${HOME}/.cache/mozilla
blacklist ${HOME}/.cache/thunderbird
which ultimately blacklist /tmp and make it inaccessible for programs.

The reason is we have detected
${HOME}/.cache/mozilla
${HOME}/.cache/thunderbird
which are symlinks to /tmp.

I guess it could be fixed in a few lines of code. Yes, this is verbose but it will spare a ton of time for users.


@rusty-snake commented on GitHub (Aug 28, 2022):

Firejail does what you ask it for:

  1. Please disable access to ~/.cache/mozilla
  2. Firejail finds a symlink that says that ~/.cache/mozilla is found at /tmp.
  3. Firejail disables /tmp

> it must say something like,
> ...
> I guess it could be fixed in a few lines of code. Yes, this is verbose but it will spare a ton of time for users.

We are already too complex. This should be added to firejail. If, we could develop a firelint program which analyzes profiles and gives recommendations.

> /tmp is such an integral part of Linux it

This can be said about D-Bus, X11, ... as well.

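A minimal profile check of the kind rusty-snake calls firelint above, producing roughly the warning birdie-github asks for; this is an added example, not firejail's code or a project tool. It assumes POSIX sh with a GNU-style `readlink -f`, takes the profile file and the home directory as arguments, expands only the `${HOME}` macro, and flags `blacklist` rules whose path is a symlink resolving to one of a fixed list of critical directories.

```shell
# Added example (not firejail's code): lint a firejail profile for the
# failure mode in this issue. "blacklist" follows symlinks, so a rule for
# ~/.cache/mozilla that points at /tmp disables /tmp itself. Each
# blacklisted path is resolved and a warning is printed when the symlink
# target is a system-critical directory.
# Assumptions: POSIX sh, GNU-style "readlink -f", only ${HOME} expanded
# (firejail also knows ${RUNUSER} and other macros, not handled here).

# Directories that must never be blacklisted wholesale via a symlink.
CRITICAL_DIRS="/ /tmp /var/tmp /dev /proc /sys /run /etc /usr"

# lint_profile PROFILE HOME_DIR
# Prints one WARNING line per dangerous rule; always returns 0 so that it
# can run under "set -e" and its output can be post-processed.
lint_profile() {
    profile=$1
    home=$2
    home_macro='${HOME}'   # literal macro text as written in profiles
    while IFS= read -r line || [ -n "$line" ]; do
        # Only plain "blacklist <path>" rules are examined; comments,
        # noblacklist, include and other commands are skipped.
        case $line in
            "blacklist "*) ;;
            *) continue ;;
        esac
        rule_path=${line#"blacklist "}
        # Expand a leading ${HOME}, as firejail does when applying the rule.
        case $rule_path in
            "$home_macro"*) expanded="$home${rule_path#"$home_macro"}" ;;
            *) expanded=$rule_path ;;
        esac
        # A path that is not a symlink cannot redirect the rule elsewhere.
        [ -L "$expanded" ] || continue
        # Dangling links (target tree missing) cannot hit an existing
        # critical directory, so they are skipped as well.
        target=$(readlink -f "$expanded") || continue
        for crit in $CRITICAL_DIRS; do
            if [ "$target" = "$crit" ]; then
                printf 'WARNING: %s: "%s" is a symlink to %s, so this rule would blacklist %s itself\n' \
                    "$profile" "$rule_path" "$target" "$target"
            fi
        done
    done < "$profile"
    return 0
}

# Stand-alone use against the system-wide list from this issue:
# lint_profile /etc/firejail/disable-programs.inc "$HOME"
```

A symlink into a subdirectory of a critical path (for example `/tmp/.mozilla.ram`, or kmk3's `${XDG_RUNTIME_DIR}/.cache/foo`) is not flagged, matching the thread's advice that only the directory itself is the problem.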

@kmk3 commented on GitHub (Aug 28, 2022):

@birdie-github commented on Aug 28:

> Without these symlinks this issue is gone but I'd love to leave everything as
> is.

Note that there is also private-cache, which mounts a tmpfs directory at
~/.cache.

So it could be added to firefox-common.local and chromium-common.local.

> Looks like I'll be removing these two rules from
> /etc/firejail/disable-programs.inc. I don't particularly care if rogue
> applications could access my Firefox/Thunderbird cache directories. I have
> disk cache completely disabled anyways and these two directories are almost
> empty.

Does it work with disable-programs.inc as is + private-cache?

By the way, the rules can also be ignored by adding the following commands to
~/.config/firejail/disable-programs.local:

noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.cache/thunderbird

@birdie-github commented on GitHub (Aug 28, 2022):

> By the way, the rules can also be ignored by adding the following commands to
> ~/.config/firejail/disable-programs.local:
> noblacklist ${HOME}/.cache/mozilla
> noblacklist ${HOME}/.cache/thunderbird

This works:

firejail ls -la /tmp &> /dev/null; echo $?
0

@kmk3 commented on GitHub (Aug 29, 2022):

> Note that there is also private-cache, which mounts a tmpfs directory at
> ~/.cache.
>
> So it could be added to firefox-common.local and chromium-common.local.

I see now that /tmp is still blacklisted even with private-cache:

$ ln -s /tmp ~/.cache/tmp
$ firejail --quiet --noprofile --private-cache \
  --blacklist='${HOME}/.cache/tmp' ls /tmp >/dev/null; echo $?
ls: cannot open directory '/tmp': Permission denied
2

To avoid issues with /tmp, I'd suggest symlinking such a directory to a more
specific path, such as ${XDG_RUNTIME_DIR}/.cache/mozilla
(${XDG_RUNTIME_DIR} is also tmpfs on basically every distro AFAIK).

Note that the target directory usually does not even have to exist before
running the program (and definitely not if private-cache is used).

Example:

$ test -z "$XDG_RUNTIME_DIR" && XDG_RUNTIME_DIR="/run/user/$(id -u)"
$ ln -s "${XDG_RUNTIME_DIR}/.cache/foo" ~/.cache/foo
$ firejail --quiet --noprofile --private-cache \
  --blacklist='${HOME}/.cache/foo' ls /tmp >/dev/null; echo $?
0
$ firejail --quiet --noprofile --private-cache \
  --blacklist='${HOME}/.cache/foo' ls -l ~/.cache
total 0

And when using symlinks in this way, I'd also suggest blacklisting the target
paths (especially if not using private-cache). For example, by adding the
following to ~/.config/firejail/disable-programs.local:

blacklist ${RUNUSER}/.cache/mozilla
blacklist ${RUNUSER}/.cache/thunderbird

@rusty-snake commented on GitHub (Aug 29, 2022):

> ${XDG_RUNTIME_DIR} is also tmpfs on basically every distro AFAIK

Unlike /tmp it is required to be so IIRC.


@kmk3 commented on GitHub (Sep 6, 2022):

In summary, firejail is working as intended and a workaround for the reported
issue was provided.

Closing this since there hasn't been any more activity.

Feel free to post updates and to request to reopen if you have more questions.

Reference: github-starred/firejail#2964