[GH-ISSUE #5390] discord: Failed to move to new namespace (userns) #2982

Closed
opened 2026-05-05 09:38:17 -06:00 by gitea-mirror · 4 comments
Owner

Originally created by @ghost on GitHub (Oct 1, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5390

Description

Discord is not starting, neither via the *.desktop file nor when called from a terminal.

Steps to Reproduce

  1. sudo pacman -S discord
  2. sudo firecfg
  3. discord

Expected behavior

Discord should start running.

Actual behavior

Reading profile /etc/firejail/discord.profile
Reading profile /etc/firejail/discord-common.profile
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 82691, child pid 82692
Private /opt installed in 429.66 ms
17 programs installed in 20.89 ms
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping password for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 31.43 ms
Warning: skipping alternatives for private /usr/etc
Warning: skipping ca-certificates for private /usr/etc
Warning: skipping crypto-policies for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping group for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping ld.so.preload for private /usr/etc
Warning: skipping localtime for private /usr/etc
Warning: skipping login.defs for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Warning: skipping password for private /usr/etc
Warning: skipping pki for private /usr/etc
Warning: skipping pulse for private /usr/etc
Warning: skipping resolv.conf for private /usr/etc
Warning: skipping ssl for private /usr/etc
Private /usr/etc installed in 0.10 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/gvfs
Child process initialized in 539.25 ms
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Parent is shutting down, bye...

Behavior without a profile

Parent pid 83777, child pid 83778
Child process initialized in 15.45 ms
The setuid sandbox is not running as root. Common causes:
  * An unprivileged process using ptrace on it, like a debugger.
  * A parent process set prctl(PR_SET_NO_NEW_PRIVS, ...)
Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted

Parent is shutting down, bye...

Environment

  • ArchLinux
  • Kernel: 5.19.8-hardened2-1-hardened
  • Followed instructions to harden firejail: https://wiki.archlinux.org/title/Firejail#Hardening_Firejail

firejail version 0.9.70

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is enabled
	- IDS support is disabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Output of LC_ALL=C firejail --debug /path/to/program

Comment is too long to paste here (maximum is 65536 characters)

gitea-mirror (2026-05-05 09:38:17 -06:00) closed this issue and added the notabug label.

@rusty-snake commented on GitHub (Oct 1, 2022):

You can not run chromium* in firejail and set NNP if you use Linux hardened.

Duplicate of [long list here]


@rusty-snake commented on GitHub (Oct 1, 2022):

> I can reproduce the issue without custom modifications (e.g. globals.local

You can not.


@ghost commented on GitHub (Oct 2, 2022):

@rusty-snake OK, to verify that I did understand this correctly, linux-hardened has deactivated support for unprivileged user namespace usage, and since those are used for sandboxing by firejail certain applications can't be sandboxed. Did I understand this right?


@rusty-snake commented on GitHub (Oct 2, 2022):

> linux-hardened has deactivated support for unprivileged user namespace

correct

> and since those are used for sandboxing by firejail

The user namespace created by firejail's noroot option is created by a privileged user (root).

The problem is chromium* programs, because they have their own sandbox (and webkit4gtk too, but different). This chrome-sandbox always wants to create a new user namespace, and if it can not, it refuses to run. This user-ns is created unprivileged if possible (blocked by linux-hardened) or by a privileged helper (blocked by NNP). => disabled (unprivileged) user-ns + NNP + chromium is the problem.

> Followed instructions to harden firejail! (https://wiki.archlinux.org/title/Firejail#Hardening_Firejail)

> However, this can break specific applications. On Arch Linux, VirtualBox doesn't start anymore. With the linux-hardened kernel (https://archlinux.org/packages/?name=linux-hardened) Wireshark and Chromium-based browsers are also affected.

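The explanation above boils down to two independent paths by which a Chromium-style sandbox can obtain a user namespace, and the report fails because both are closed at once. The script below is an added diagnostic written for this thread, not part of firejail, Chromium or the Arch wiki; it encodes that reasoning so a host can be checked before a Chromium-based app is launched under a hardened firejail. It assumes the linux-hardened sysctl `kernel.unprivileged_userns_clone` (mainline kernels do not expose it), the mainline knob `user.max_user_namespaces`, the `NoNewPrivs` field in /proc/PID/status, and util-linux `unshare -U` for a live probe; none of these names appear on the page. The NNP side corresponds to the firejail.config `force-nonewprivs yes` setting, which I take to be what the hardening steps the reporter followed turn on (also not stated here).

```shell
#!/bin/sh
# Added diagnostic for the failure mode discussed in this issue (not firejail or
# Chromium code). A chrome-sandbox can get a user namespace in two ways:
#   1. unprivileged unshare(CLONE_NEWUSER): off when kernel.unprivileged_userns_clone=0
#      (linux-hardened knob; absent on mainline kernels);
#   2. a setuid helper: unusable once no_new_privs (NNP) is set, because NNP forbids
#      gaining privileges through setuid binaries.
# user.max_user_namespaces=0 forbids user namespaces for everyone, root included.
# With both paths closed the sandbox aborts with "Failed to move to new namespace".

# userns_verdict UNPRIV_CLONE MAX_USERNS NNP
#   UNPRIV_CLONE: value of kernel.unprivileged_userns_clone, or "absent"
#   MAX_USERNS:   value of user.max_user_namespaces, or "absent"
#   NNP:          NoNewPrivs flag of the process (0 or 1)
# Prints one line; returns 0 if a user namespace can be created, 1 if it cannot.
userns_verdict() {
    unpriv_clone="$1"; max_userns="$2"; nnp="$3"

    if [ "$max_userns" = "0" ]; then
        echo "blocked: user.max_user_namespaces=0 forbids user namespaces for everyone"
        return 1
    fi

    unpriv_ok=1
    [ "$unpriv_clone" = "0" ] && unpriv_ok=0
    setuid_ok=1
    [ "$nnp" = "1" ] && setuid_ok=0

    if [ "$unpriv_ok" = "1" ]; then
        echo "ok: unprivileged user namespaces are allowed"
        return 0
    fi
    if [ "$setuid_ok" = "1" ]; then
        echo "ok: unprivileged user-ns disabled, but a setuid helper can still create one (no NNP)"
        return 0
    fi
    echo "blocked: unprivileged user-ns disabled and no_new_privs set; chrome-sandbox cannot start"
    return 1
}

# Read a sysctl through /proc; print "absent" when this kernel does not expose it.
read_sysctl() {
    if [ -r "/proc/sys/$1" ]; then
        cat "/proc/sys/$1"
    else
        echo absent
    fi
}

# NoNewPrivs flag of the calling shell; children (including sandboxed apps) inherit it.
self_nnp() {
    awk '/^NoNewPrivs:/ { print $2 }' /proc/self/status
}

# Live probe: does unprivileged user namespace creation actually succeed on this host?
# Prints yes/no, or "skipped" when util-linux unshare is not installed.
probe_unpriv_userns() {
    command -v unshare >/dev/null 2>&1 || { echo skipped; return 0; }
    if unshare -U true 2>/dev/null; then echo yes; else echo no; fi
}

# Full report for the current host; run it in the shell you would start the app from.
report_host() {
    clone=$(read_sysctl kernel/unprivileged_userns_clone)
    maxns=$(read_sysctl user/max_user_namespaces)
    nnp=$(self_nnp)
    echo "kernel.unprivileged_userns_clone = $clone"
    echo "user.max_user_namespaces         = $maxns"
    echo "NoNewPrivs (this process)        = ${nnp:-unknown}"
    echo "unshare -U probe                 = $(probe_unpriv_userns)"
    userns_verdict "$clone" "$maxns" "${nnp:-0}"
}

# Usage: sh userns-check.sh report
case "$1" in
    report) report_host ;;
esac
```

On the reporter's setup the expected report is `kernel.unprivileged_userns_clone = 0` together with `NoNewPrivs = 1` inside the sandbox, which yields the "blocked" verdict; the same check with NNP off or with the stock Arch kernel yields "ok", matching the comment's "disabled (unprivileged) user-ns + NNP + chromium" summary.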