[GH-ISSUE #413] existing sandbox issue with tor-browser #298

New issue

Closed

opened 2026-05-05 05:33:07 -06:00 by gitea-mirror · 9 comments

gitea-mirror commented 2026-05-05 05:33:07 -06:00

Owner

Copy link

Originally created by @suedi on GitHub (Apr 6, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/413

This was working OK with Firejail 0.9.8

Threw away that and built 0.9.40-rc1
Now trying to start tor-browser I get the "Warning: an existing sandbox was detected!" message

May be related to #401 but I don't have apparmor or grsec compiled kernel.
I am running kernel 4.1.6 with AUFS. Mounting /proc with hidepid=2 though.

The only thing I changed was Firejail so should work, right!?

It works with --force but I don't want to "run without any additional sandboxing features"
that is output in the warning, I want those additional features.

What gives?

Originally created by @suedi on GitHub (Apr 6, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/413 This was working OK with Firejail 0.9.8 Threw away that and built 0.9.40-rc1 Now trying to start tor-browser I get the "Warning: an existing sandbox was detected!" message May be related to #401 but I don't have apparmor or grsec compiled kernel. I am running kernel 4.1.6 with AUFS. Mounting /proc with hidepid=2 though. The only thing I changed was Firejail so should work, right!? It works with --force but I don't want to "run without any additional sandboxing features" that is output in the warning, I want those additional features. What gives?

gitea-mirror 2026-05-05 05:33:07 -06:00

• closed this issue
• added the
  bug
  label

gitea-mirror commented 2026-05-05 05:33:12 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Apr 6, 2016):

Try the profile with those includes instead:

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc

<!-- gh-comment-id:206511189 --> @ghost commented on GitHub (Apr 6, 2016): Try the profile with those includes instead: ``` include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc ```

gitea-mirror commented 2026-05-05 05:33:14 -06:00

Author

Owner

Copy link

@suedi commented on GitHub (Apr 6, 2016):

Trying with your suggestions instead

#   include /etc/firejail/disable-mgmt.inc
#   include /etc/firejail/disable-secret.inc
#   include /etc/firejail/disable-common.inc
#   include /etc/firejail/disable-devel.inc

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc

If I use --force it seems to work, without --force still the same

short explanation please

<!-- gh-comment-id:206516192 --> @suedi commented on GitHub (Apr 6, 2016): Trying with your suggestions instead ``` # include /etc/firejail/disable-mgmt.inc # include /etc/firejail/disable-secret.inc # include /etc/firejail/disable-common.inc # include /etc/firejail/disable-devel.inc include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc ``` If I use --force it seems to work, without --force still the same short explanation please

gitea-mirror commented 2026-05-05 05:33:17 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Apr 6, 2016):

No, I meant replacing the previous includes with the new ones.

I am only guessing here, but I remember having a similar problem. Unfortunately I don't remember what fixed it... but it could have been the new profiles, I don't remember.

<!-- gh-comment-id:206521409 --> @ghost commented on GitHub (Apr 6, 2016): No, I meant replacing the previous includes with the new ones. I am only guessing here, but I remember having a similar problem. Unfortunately I don't remember what fixed it... but it could have been the new profiles, I don't remember.

gitea-mirror commented 2026-05-05 05:33:18 -06:00

Author

Owner

Copy link

@suedi commented on GitHub (Apr 6, 2016):

Yeah, and thats what I did.

Just included what I had before, They are commented out
Sorry for not being obvious about it.

I thought they would be useful in discussing why your solution worked

<!-- gh-comment-id:206522025 --> @suedi commented on GitHub (Apr 6, 2016): Yeah, and thats what I did. Just included what I had before, They are commented out Sorry for not being obvious about it. I thought they would be useful in discussing why your solution worked

gitea-mirror commented 2026-05-05 05:33:20 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Apr 6, 2016):

I am sorry, I have no solution for this right now. netblue will most likely be able to help you, though.

<!-- gh-comment-id:206525837 --> @ghost commented on GitHub (Apr 6, 2016): I am sorry, I have no solution for this right now. netblue will most likely be able to help you, though.

gitea-mirror commented 2026-05-05 05:33:22 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Apr 7, 2016):

I'll have to look into it, thanks!

<!-- gh-comment-id:206826599 --> @netblue30 commented on GitHub (Apr 7, 2016): I'll have to look into it, thanks!

gitea-mirror commented 2026-05-05 05:33:25 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Apr 7, 2016):

Mounting /proc with hidepid=2 though.

I think this was already fixed for Grsecurity, where we have a similar situation with /proc entries unavailable for other users. The git version on the master branch should fix the problem. A temporary solution is to insert --force option on the command line: firejail --force program-and-arguments.

<!-- gh-comment-id:206969002 --> @netblue30 commented on GitHub (Apr 7, 2016): > Mounting /proc with hidepid=2 though. I think this was already fixed for Grsecurity, where we have a similar situation with /proc entries unavailable for other users. The git version on the master branch should fix the problem. A temporary solution is to insert --force option on the command line: firejail --force program-and-arguments.

gitea-mirror commented 2026-05-05 05:33:27 -06:00

Author

Owner

Copy link

@suedi commented on GitHub (Apr 7, 2016):

Confirm that git version works!

Good Job

<!-- gh-comment-id:207011611 --> @suedi commented on GitHub (Apr 7, 2016): Confirm that git version works! Good Job

gitea-mirror commented 2026-05-05 05:33:29 -06:00

Author

Owner

Copy link

@netblue30 commented on GitHub (Apr 9, 2016):

Thanks!

<!-- gh-comment-id:207817265 --> @netblue30 commented on GitHub (Apr 9, 2016): Thanks!

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#298

No description provided.