github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #5445] chafa: needs "shell none" for NixOS and/or Fish shell #3000

New issue
Closed
opened 2026-05-05 09:39:16 -06:00 by gitea-mirror · 7 comments
gitea-mirror commented 2026-05-05 09:39:16 -06:00
Owner
Copy link

Originally created by @revuwa on GitHub (Oct 31, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5445

Description

Thanks for the chafa profile.
Sadly I experienced Cannot start application: No such file or directory under NixOS (22.11pre) & Fish shell (v3.5.1) with that profile.

Steps to Reproduce

Just use chafa with the new firejail profile (above) under NixOS with Fish shell.

Expected behavior

If you would consider to add: shell none into the profile, it would work under NixOS and/or Fish, too.
Log snippet (after adding shell none):

Child process initialized in 166.32 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter
monitoring pid 7

***
*** The picture is shown here \o/
***

Sandbox monitor: waitpid 7 retval 7 status 0

Parent is shutting down, bye...

Actual behavior

Log snippet:

Child process initialized in 151.36 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter
Cannot start application: No such file or directory
monitoring pid 7

Sandbox monitor: waitpid 7 retval 7 status 256

Parent is shutting down, bye...

Behavior without a profile

Log snippet:

Child process initialized in 71.74 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 6

fish: Unknown command: --
fish: 
--
^
Sandbox monitor: waitpid 6 retval 6 status 32512

Parent is shutting down, bye...

Additional context

To be honest, I've no idea if the showstopper is NixOS or Fish; I just know shell none did the trick.

Environment

  • Linux distribution and version: NixOS (22.11pre)
  • Firejail version: 0.9.70

Checklist

  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program 

Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
Running '/nix/store/jqwb1hgky1s15hp72zchacwzz70277n9-chafa-1.12.3/bin/chafa' 'test.png'  command through /run/current-system/sw/bin/fish
execvp argument 0: /run/current-system/sw/bin/fish
execvp argument 1: -c
execvp argument 2: --
execvp argument 3: '/nix/store/jqwb1hgky1s15hp72zchacwzz70277n9-chafa-1.12.3/bin/chafa' 'test.png' 
Child process initialized in 147.21 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter
Cannot start application: No such file or directory
monitoring pid 7

Sandbox monitor: waitpid 7 retval 7 status 256

Parent is shutting down, bye...

Originally created by @revuwa on GitHub (Oct 31, 2022). Original GitHub issue: https://github.com/netblue30/firejail/issues/5445 <!-- See the following links for help with formatting: https://guides.github.com/features/mastering-markdown/ https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax --> ### Description Thanks for the [chafa profile](https://github.com/netblue30/firejail/pull/5355). Sadly I experienced `Cannot start application: No such file or directory` under NixOS (22.11pre) & Fish shell (v3.5.1) with that profile. ### Steps to Reproduce Just use chafa with the new firejail profile (above) under NixOS with Fish shell. ### Expected behavior If you would consider to add: `shell none` into the profile, it would work under NixOS and/or Fish, too. Log snippet (after adding `shell none`): ``` Child process initialized in 166.32 ms Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter monitoring pid 7 *** *** The picture is shown here \o/ *** Sandbox monitor: waitpid 7 retval 7 status 0 Parent is shutting down, bye... ``` ### Actual behavior Log snippet: ``` Child process initialized in 151.36 ms Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter Cannot start application: No such file or directory monitoring pid 7 Sandbox monitor: waitpid 7 retval 7 status 256 Parent is shutting down, bye... ``` ### Behavior without a profile Log snippet: ``` Child process initialized in 71.74 ms Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter monitoring pid 6 fish: Unknown command: -- fish: -- ^ Sandbox monitor: waitpid 6 retval 6 status 32512 Parent is shutting down, bye... ``` ### Additional context To be honest, I've no idea if the showstopper is NixOS or Fish; I just know `shell none` did the trick. ### Environment - Linux distribution and version: NixOS (22.11pre) - Firejail version: 0.9.70 ### Checklist - [X] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [X] I can reproduce the issue without custom modifications (e.g. globals.local). - [X] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [X] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [X] I have performed a short search for similar issues (to avoid opening a duplicate). - [X] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [X] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary> <p> ``` Closing non-standard file descriptors Starting application LD_PRELOAD=(null) Running '/nix/store/jqwb1hgky1s15hp72zchacwzz70277n9-chafa-1.12.3/bin/chafa' 'test.png' command through /run/current-system/sw/bin/fish execvp argument 0: /run/current-system/sw/bin/fish execvp argument 1: -c execvp argument 2: -- execvp argument 3: '/nix/store/jqwb1hgky1s15hp72zchacwzz70277n9-chafa-1.12.3/bin/chafa' 'test.png' Child process initialized in 147.21 ms Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter Cannot start application: No such file or directory monitoring pid 7 Sandbox monitor: waitpid 7 retval 7 status 256 Parent is shutting down, bye... ``` </p> </details>
gitea-mirror 2026-05-05 09:39:16 -06:00
  • closed this issue
  • added the
    notabug
         label
gitea-mirror commented 2026-05-05 09:39:19 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 31, 2022):

We had this error in the past already (ai could not find the issue). There are also more issue with fish.

Anyway, shell none is no the unconditional default, so unless you can reproduce this with firejail from git this is already fixed.

<!-- gh-comment-id:1297350976 --> @rusty-snake commented on GitHub (Oct 31, 2022): We had this error in the past already (ai could not find the issue). There are also more issue with fish. Anyway, `shell none` is no the unconditional default, so unless you can reproduce this with firejail from git this is already fixed.
gitea-mirror commented 2026-05-05 09:39:20 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 31, 2022):

Btw: using profiles from git with a stable firejail (I.e. firejail and profile release differ) isn't supported.

<!-- gh-comment-id:1297356886 --> @rusty-snake commented on GitHub (Oct 31, 2022): Btw: using profiles from git with a stable firejail (I.e. firejail and profile release differ) isn't supported.
gitea-mirror commented 2026-05-05 09:39:21 -06:00
Author
Owner
Copy link

@revuwa commented on GitHub (Oct 31, 2022):

We had this error in the past already (ai could not find the issue). There are also more issue with fish.

Thanks for the info, that it has something to do with fish (not NixOS). I couln't find anything, so I made this issue.

Anyway, shell none is no the unconditional default, so unless you can reproduce this with firejail from git this is already fixed.

Thanks a lot!
If I understand this PR correctly, shell none is the new default.

Btw: using profiles from git with a stable firejail (I.e. firejail and profile release differ) isn't supported.

Oh boy, I have never thought about that before; good point.

<!-- gh-comment-id:1297366501 --> @revuwa commented on GitHub (Oct 31, 2022): > We had this error in the past already (ai could not find the issue). There are also more issue with fish. Thanks for the info, that it has something to do with fish (not NixOS). I couln't find anything, so I made this issue. > Anyway, `shell none` is no the unconditional default, so unless you can reproduce this with firejail from git this is already fixed. Thanks a lot! If I understand this [PR](https://github.com/netblue30/firejail/commit/4d79566ae3cef90700264f962837887a2d26fcf2) correctly, `shell none` is the new default. > Btw: using profiles from git with a stable firejail (I.e. firejail and profile release differ) isn't supported. Oh boy, I have never thought about that before; good point.
gitea-mirror commented 2026-05-05 09:39:22 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Oct 31, 2022):

shell none is the new default.

Yes. It solved an entire class of bugs.

<!-- gh-comment-id:1297388699 --> @rusty-snake commented on GitHub (Oct 31, 2022): > shell none is the new default. Yes. It solved an entire class of bugs.
gitea-mirror commented 2026-05-05 09:39:23 -06:00
Author
Owner
Copy link

@revuwa commented on GitHub (Oct 31, 2022):

shell none is the new default.

Yes. It solved an entire class of bugs.

Well, thanks again.
So I use --shell=none as my new default, until a new release will arrive.

<!-- gh-comment-id:1297401647 --> @revuwa commented on GitHub (Oct 31, 2022): > > shell none is the new default. > > Yes. It solved an entire class of bugs. Well, thanks again. So I use `--shell=none` as my new default, until a new release will arrive.
gitea-mirror commented 2026-05-05 09:39:23 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Nov 3, 2022):

(Marking notabug since this was already fixed)

(Re-closing as "not planned" since nothing was changed in firejail)

<!-- gh-comment-id:1302192003 --> @kmk3 commented on GitHub (Nov 3, 2022): (Marking `notabug` since this was already fixed) (Re-closing as "not planned" since nothing was changed in firejail)
gitea-mirror commented 2026-05-05 09:39:24 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Nov 3, 2022):

Relates to #5196.

<!-- gh-comment-id:1302199352 --> @kmk3 commented on GitHub (Nov 3, 2022): Relates to #5196.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3000
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?