github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #5676] kitty + ssh: Error: too long arguments: argv[22] len (5056) >= MAX_ARG_LEN (4128) #3059

New issue
Closed
opened 2026-05-05 09:42:09 -06:00 by gitea-mirror · 19 comments
gitea-mirror commented 2026-05-05 09:42:09 -06:00
Owner
Copy link

Originally created by @StandingPadAnimations on GitHub (Feb 21, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5676

Description

When using firejail with SSH, I receive the following error:

$ ssh pi@IP_ADDRESS -p 42069
Error: too long arguments: argv[22] len (5056) >= MAX_ARG_LEN (4128)

Steps to Reproduce

  1. perform sudo firecfg
  2. Attempt to connect to server with SSH

Expected behavior

For SSH to not complain

Actual behavior

SSH not connecting due to too long arguments

Behavior without a profile

SSH was able to work perfectly fine

Additional context

Environment

Arch Linux
Firejail 0.9.72

Checklist

  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [ x I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ x I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program 

Reading profile /home/mahid/.config/firejail/ssh.profile
Reading profile /home/mahid/.config/firejail/common.inc
Warning: "shell none" command in the profile file is done by default; the command will be deprecated
Warning: private-lib feature is disabled in Firejail configuration file
Parent pid 13449, child pid 13451
Warning: skipping emp for private /opt
Private /opt installed in 0.12 ms
Warning: skipping emp for private /srv
Private /srv installed in 0.05 ms
1 program installed in 3.04 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 9.43 ms
Private /usr/etc installed in 0.00 ms
Warning: not remounting /run/user/1000/doc
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 27.64 ms
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command [argument ...]]

Output of LC_ALL=C firejail --debug /path/to/program 

Building quoted command line: '/usr/bin/ssh' 
Command name #ssh#
Found ssh.profile profile in /home/mahid/.config/firejail directory
Reading profile /home/mahid/.config/firejail/ssh.profile
Reading profile /home/mahid/.config/firejail/common.inc
Warning: "shell none" command in the profile file is done by default; the command will be deprecated
Warning: private-lib feature is disabled in Firejail configuration file
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 13496, child pid 13498
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1102 1019 0:23 /@/etc /etc ro,noatime master:1 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=285,subvol=/@
mountid=1102 fsname=/@/etc dir=/etc fstype=btrfs
Mounting noexec /etc
1103 1102 0:23 /@/etc /etc ro,nosuid,nodev,noexec,noatime master:1 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=285,subvol=/@
mountid=1103 fsname=/@/etc dir=/etc fstype=btrfs
Mounting read-only /var
1106 1104 0:23 /@log /var/log rw,noatime master:50 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=259,subvol=/@log
mountid=1106 fsname=/@log dir=/var/log fstype=btrfs
Mounting read-only /var/cache
1107 1105 0:23 /@cache /var/cache ro,noatime master:48 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=258,subvol=/@cache
mountid=1107 fsname=/@cache dir=/var/cache fstype=btrfs
Mounting read-only /var/log
1108 1106 0:23 /@log /var/log ro,noatime master:50 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=259,subvol=/@log
mountid=1108 fsname=/@log dir=/var/log fstype=btrfs
Mounting noexec /var
1113 1112 0:23 /@log /var/log ro,noatime master:50 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=259,subvol=/@log
mountid=1113 fsname=/@log dir=/var/log fstype=btrfs
Mounting noexec /var/cache
1114 1111 0:23 /@cache /var/cache ro,nosuid,nodev,noexec,noatime master:48 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=258,subvol=/@cache
mountid=1114 fsname=/@cache dir=/var/cache fstype=btrfs
Mounting noexec /var/log
1115 1113 0:23 /@log /var/log ro,nosuid,nodev,noexec,noatime master:50 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=259,subvol=/@log
mountid=1115 fsname=/@log dir=/var/log fstype=btrfs
Mounting read-only /usr
1116 1019 0:23 /@/usr /usr ro,noatime master:1 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=285,subvol=/@
mountid=1116 fsname=/@/usr dir=/usr fstype=btrfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Generating a new machine-id
installing a new /etc/machine-id
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/mahid/.dotfiles/firejail/.config/firejail (requested /home/mahid/.config/firejail)
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/input directory
Process /dev/shm directory
Copying files in the new /opt directory:
Warning: file /opt/emp not found.
Warning: skipping emp for private /opt
Mount-bind /run/firejail/mnt/opt on top of /opt
Private /opt installed in 0.25 ms
Copying files in the new /srv directory:
Warning: file /srv/emp not found.
Warning: skipping emp for private /srv
Mount-bind /run/firejail/mnt/srv on top of /srv
Private /srv installed in 0.14 ms
Copying files in the new bin directory
Checking /usr/local/bin/ssh
Checking /usr/bin/ssh
sbox run: /run/firejail/lib/fcopy /usr/bin/ssh /run/firejail/mnt/bin 
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
1 program installed in 5.46 ms
Generate private-tmp whitelist commands
Creating empty /run/firejail/mnt/dbus directory
Creating empty /run/firejail/mnt/dbus/user file
blacklist /run/user/1000/bus
Creating empty /run/firejail/mnt/dbus/system file
blacklist /run/dbus/system_bus_socket
blacklist /run/firejail/dbus
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules/6.1.12-arch1-1/build (requested /usr/src/linux)
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /proc/kmsg
Copying files in the new /etc directory:
Copying /etc/ssh to private /etc
sbox run: /run/firejail/lib/fcopy --follow-link /etc/ssh /run/firejail/mnt/etc/ssh 
Copying /etc/resolv.conf to private /etc
sbox run: /run/firejail/lib/fcopy --follow-link /etc/resolv.conf /run/firejail/mnt/etc 
Copying /etc/nsswitch.conf to private /etc
sbox run: /run/firejail/lib/fcopy --follow-link /etc/nsswitch.conf /run/firejail/mnt/etc 
Copying /etc/hosts to private /etc
sbox run: /run/firejail/lib/fcopy --follow-link /etc/hosts /run/firejail/mnt/etc 
Copying /etc/passwd to private /etc
sbox run: /run/firejail/lib/fcopy --follow-link /etc/passwd /run/firejail/mnt/etc 
Mount-bind /run/firejail/mnt/etc on top of /etc
Private /etc installed in 11.66 ms
Cannot find /usr/etc: No such file or directory
Mount-bind /run/firejail/mnt/usretc on top of /usr/etc
Cannot find /usr/etc: No such file or directory
Private /usr/etc installed in 0.04 ms
Debug 588: whitelist ${DOWNLOADS}
Directory ${DOWNLOADS} resolved as Downloads
Debug 609: expanded: /home/mahid/Downloads
Debug 620: new_name: /home/mahid/Downloads
Debug 630: dir: /home/mahid
Adding whitelist top level directory /home/mahid
Debug 588: whitelist ${HOME}/.local/share/ssh
Debug 609: expanded: /home/mahid/.local/share/ssh
Debug 620: new_name: /home/mahid/.local/share/ssh
Debug 630: dir: /home/mahid
Removed path: whitelist ${HOME}/.local/share/ssh
	new_name: /home/mahid/.local/share/ssh
	realpath: (null)
	No such file or directory
Debug 588: whitelist /tmp/.X11-unix
Debug 609: expanded: /tmp/.X11-unix
Debug 620: new_name: /tmp/.X11-unix
Debug 630: dir: /tmp
Adding whitelist top level directory /tmp
Debug 588: whitelist /tmp/sndio
Debug 609: expanded: /tmp/sndio
Debug 620: new_name: /tmp/sndio
Debug 630: dir: /tmp
Removed path: whitelist /tmp/sndio
	new_name: /tmp/sndio
	realpath: (null)
	No such file or directory
Mounting tmpfs on /tmp, check owner: no
1177 1047 0:105 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw,inode64
mountid=1177 fsname=/ dir=/tmp fstype=tmpfs
Mounting a new /root directory
Mounting a new /home directory
Create a new user directory
Drop privileges: pid 8, uid 1000, gid 1000, force_nogroups 0
nogroups command not ignored
No supplementary groups
Whitelisting /home/mahid/Downloads
1180 1179 0:23 /@home/mahid/Downloads /home/mahid/Downloads rw,noatime master:45 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1180 fsname=/@home/mahid/Downloads dir=/home/mahid/Downloads fstype=btrfs
Whitelisting /tmp/.X11-unix
1181 1177 0:33 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev master:17 - tmpfs tmpfs rw,nr_inodes=1048576,inode64
mountid=1181 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Disable /usr/local/bin
Disable /usr/local/sbin
Disable /boot
Mounting read-only /tmp/.X11-unix
1185 1181 0:33 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev master:17 - tmpfs tmpfs rw,nr_inodes=1048576,inode64
mountid=1185 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /home/mahid/Downloads
1186 1180 0:23 /@home/mahid/Downloads /home/mahid/Downloads rw,nosuid,nodev,noexec,noatime master:45 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1186 fsname=/@home/mahid/Downloads dir=/home/mahid/Downloads fstype=btrfs
Mounting noexec /tmp
1189 1188 0:33 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev master:17 - tmpfs tmpfs rw,nr_inodes=1048576,inode64
mountid=1189 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /tmp/.X11-unix
1190 1189 0:33 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec master:17 - tmpfs tmpfs rw,nr_inodes=1048576,inode64
mountid=1190 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /run/user/1000
1193 1191 0:21 /firejail/firejail.ro.file /run/user/1000/bus ro,nosuid,nodev,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1193 fsname=/firejail/firejail.ro.file dir=/run/user/1000/bus fstype=tmpfs
Warning: not remounting /run/user/1000/doc
Mounting noexec /run/user/1000/bus
1194 1193 0:21 /firejail/firejail.ro.file /run/user/1000/bus ro,nosuid,nodev,noexec,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1194 fsname=/firejail/firejail.ro.file dir=/run/user/1000/bus fstype=tmpfs
Disable /usr/share (requested /usr/share/)
Disable /sys/fs
Disable /sys/module
Disable /mnt
Disable /media
Disable /run/mount
disable pulseaudio
blacklist /run/user/1000/pulse/native
blacklist /run/user/1000/pulse
disable pipewire
blacklist /run/user/1000/pipewire-0.lock
blacklist /run/user/1000/pipewire-0
blacklist /run/user/1000/pipewire-0.lock
blacklist /run/user/1000/pipewire-0
Current directory: /home/mahid
DISPLAY=:0 parsed as 0
configuring 15 seccomp entries in /run/firejail/mnt/seccomp/seccomp.block_secondary
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.block_secondary 
Dropping all capabilities
Drop privileges: pid 9, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 00050001   ret ERRNO(1)
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 06 00000087   jeq personality 0008 (false 000e)
 0008: 20 00 00 00000010   ld  data.args[0]
 0009: 15 01 00 00000000   jeq 0 000b (false 000a)
 000a: 15 00 02 ffffffff   jeq ffffffff 000b (false 000d)
 000b: 20 00 00 00000014   ld  data.args[4]
 000c: 15 01 00 00000000   jeq 0 000e (false 000d)
 000d: 06 00 00 00050001   ret ERRNO(1)
 000e: 06 00 00 7fff0000   ret ALLOW
Secondary arch blocking seccomp filter configured
configuring 80 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 10, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 47 00 0000009f   jeq adjtimex 004f (false 0008)
 0008: 15 46 00 00000131   jeq clock_adjtime 004f (false 0009)
 0009: 15 45 00 000000e3   jeq clock_settime 004f (false 000a)
 000a: 15 44 00 000000a4   jeq settimeofday 004f (false 000b)
 000b: 15 43 00 0000009a   jeq modify_ldt 004f (false 000c)
 000c: 15 42 00 000000d4   jeq lookup_dcookie 004f (false 000d)
 000d: 15 41 00 0000012a   jeq perf_event_open 004f (false 000e)
 000e: 15 40 00 000001b6   jeq pidfd_getfd 004f (false 000f)
 000f: 15 3f 00 00000137   jeq process_vm_writev 004f (false 0010)
 0010: 15 3e 00 000000b0   jeq delete_module 004f (false 0011)
 0011: 15 3d 00 00000139   jeq finit_module 004f (false 0012)
 0012: 15 3c 00 000000af   jeq init_module 004f (false 0013)
 0013: 15 3b 00 000000a1   jeq chroot 004f (false 0014)
 0014: 15 3a 00 000001af   jeq fsconfig 004f (false 0015)
 0015: 15 39 00 000001b0   jeq fsmount 004f (false 0016)
 0016: 15 38 00 000001ae   jeq fsopen 004f (false 0017)
 0017: 15 37 00 000001b1   jeq fspick 004f (false 0018)
 0018: 15 36 00 000000a5   jeq mount 004f (false 0019)
 0019: 15 35 00 000001ad   jeq move_mount 004f (false 001a)
 001a: 15 34 00 000001ac   jeq open_tree 004f (false 001b)
 001b: 15 33 00 0000009b   jeq pivot_root 004f (false 001c)
 001c: 15 32 00 000000a6   jeq umount2 004f (false 001d)
 001d: 15 31 00 0000009c   jeq _sysctl 004f (false 001e)
 001e: 15 30 00 000000b7   jeq afs_syscall 004f (false 001f)
 001f: 15 2f 00 000000ae   jeq create_module 004f (false 0020)
 0020: 15 2e 00 000000b1   jeq get_kernel_syms 004f (false 0021)
 0021: 15 2d 00 000000b5   jeq getpmsg 004f (false 0022)
 0022: 15 2c 00 000000b6   jeq putpmsg 004f (false 0023)
 0023: 15 2b 00 000000b2   jeq query_module 004f (false 0024)
 0024: 15 2a 00 000000b9   jeq security 004f (false 0025)
 0025: 15 29 00 0000008b   jeq sysfs 004f (false 0026)
 0026: 15 28 00 000000b8   jeq tuxcall 004f (false 0027)
 0027: 15 27 00 00000086   jeq uselib 004f (false 0028)
 0028: 15 26 00 00000088   jeq ustat 004f (false 0029)
 0029: 15 25 00 000000ec   jeq vserver 004f (false 002a)
 002a: 15 24 00 000000ad   jeq ioperm 004f (false 002b)
 002b: 15 23 00 000000ac   jeq iopl 004f (false 002c)
 002c: 15 22 00 000000f6   jeq kexec_load 004f (false 002d)
 002d: 15 21 00 00000140   jeq kexec_file_load 004f (false 002e)
 002e: 15 20 00 000000a9   jeq reboot 004f (false 002f)
 002f: 15 1f 00 000000a7   jeq swapon 004f (false 0030)
 0030: 15 1e 00 000000a8   jeq swapoff 004f (false 0031)
 0031: 15 1d 00 00000130   jeq open_by_handle_at 004f (false 0032)
 0032: 15 1c 00 0000012f   jeq name_to_handle_at 004f (false 0033)
 0033: 15 1b 00 000000fb   jeq ioprio_set 004f (false 0034)
 0034: 15 1a 00 00000067   jeq syslog 004f (false 0035)
 0035: 15 19 00 0000012c   jeq fanotify_init 004f (false 0036)
 0036: 15 18 00 000000f8   jeq add_key 004f (false 0037)
 0037: 15 17 00 000000f9   jeq request_key 004f (false 0038)
 0038: 15 16 00 000000ed   jeq mbind 004f (false 0039)
 0039: 15 15 00 00000100   jeq migrate_pages 004f (false 003a)
 003a: 15 14 00 00000117   jeq move_pages 004f (false 003b)
 003b: 15 13 00 000000fa   jeq keyctl 004f (false 003c)
 003c: 15 12 00 000000ce   jeq io_setup 004f (false 003d)
 003d: 15 11 00 000000cf   jeq io_destroy 004f (false 003e)
 003e: 15 10 00 000000d0   jeq io_getevents 004f (false 003f)
 003f: 15 0f 00 000000d1   jeq io_submit 004f (false 0040)
 0040: 15 0e 00 000000d2   jeq io_cancel 004f (false 0041)
 0041: 15 0d 00 000000d8   jeq remap_file_pages 004f (false 0042)
 0042: 15 0c 00 000000ee   jeq set_mempolicy 004f (false 0043)
 0043: 15 0b 00 00000116   jeq vmsplice 004f (false 0044)
 0044: 15 0a 00 00000143   jeq userfaultfd 004f (false 0045)
 0045: 15 09 00 000000a3   jeq acct 004f (false 0046)
 0046: 15 08 00 00000141   jeq bpf 004f (false 0047)
 0047: 15 07 00 000000b4   jeq nfsservctl 004f (false 0048)
 0048: 15 06 00 000000ab   jeq setdomainname 004f (false 0049)
 0049: 15 05 00 000000aa   jeq sethostname 004f (false 004a)
 004a: 15 04 00 00000099   jeq vhangup 004f (false 004b)
 004b: 15 03 00 00000065   jeq ptrace 004f (false 004c)
 004c: 15 02 00 00000087   jeq personality 004f (false 004d)
 004d: 15 01 00 00000136   jeq process_vm_readv 004f (false 004e)
 004e: 06 00 00 7fff0000   ret ALLOW
 004f: 06 00 01 00050001   ret ERRNO(1)
seccomp filter configured
Install memory write&execute filter
configuring 35 seccomp entries in /run/firejail/mnt/seccomp/seccomp.mdwx
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.mdwx 
Dropping all capabilities
Drop privileges: pid 11, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 05 00000009   jeq mmap 0008 (false 000d)
 0008: 20 00 00 00000020   ld  data.args[10]
 0009: 54 00 00 00000006   and 00000006
 000a: 15 00 01 00000006   jeq 6 000b (false 000c)
 000b: 06 00 00 00050001   ret ERRNO(1)
 000c: 06 00 00 7fff0000   ret ALLOW
 000d: 15 00 05 0000000a   jeq a 000e (false 0013)
 000e: 20 00 00 00000020   ld  data.args[10]
 000f: 54 00 00 00000004   and 00000004
 0010: 15 00 01 00000004   jeq 4 0011 (false 0012)
 0011: 06 00 00 00050001   ret ERRNO(1)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 15 00 05 00000149   jeq 149 0014 (false 0019)
 0014: 20 00 00 00000020   ld  data.args[10]
 0015: 54 00 00 00000004   and 00000004
 0016: 15 00 01 00000004   jeq 4 0017 (false 0018)
 0017: 06 00 00 00050001   ret ERRNO(1)
 0018: 06 00 00 7fff0000   ret ALLOW
 0019: 15 00 05 0000001e   jeq 1e 001a (false 001f)
 001a: 20 00 00 00000020   ld  data.args[10]
 001b: 54 00 00 00008000   and 00008000
 001c: 15 00 01 00008000   jeq 8000 001d (false 001e)
 001d: 06 00 00 00050001   ret ERRNO(1)
 001e: 06 00 00 7fff0000   ret ALLOW
 001f: 15 00 01 0000013f   jeq 13f 0020 (false 0021)
 0020: 06 00 00 00050001   ret ERRNO(1)
 0021: 06 00 00 7fff0000   ret ALLOW
 0022: 06 00 00 7fff0000   ret ALLOW
configuring 34 seccomp entries in /run/firejail/mnt/seccomp/seccomp.mdwx.32
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.mdwx.32 
Dropping all capabilities
Drop privileges: pid 12, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 00 01 0000005a   jeq 5a 0005 (false 0006)
 0005: 06 00 00 00050001   ret ERRNO(1)
 0006: 15 00 05 000000c0   jeq c0 0007 (false 000c)
 0007: 20 00 00 00000020   ld  data.args[10]
 0008: 54 00 00 00000006   and 00000006
 0009: 15 00 01 00000006   jeq 6 000a (false 000b)
 000a: 06 00 00 00050001   ret ERRNO(1)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 15 00 05 0000007d   jeq 7d 000d (false 0012)
 000d: 20 00 00 00000020   ld  data.args[10]
 000e: 54 00 00 00000004   and 00000004
 000f: 15 00 01 00000004   jeq 4 0010 (false 0011)
 0010: 06 00 00 00050001   ret ERRNO(1)
 0011: 06 00 00 7fff0000   ret ALLOW
 0012: 15 00 05 0000017c   jeq 17c 0013 (false 0018)
 0013: 20 00 00 00000020   ld  data.args[10]
 0014: 54 00 00 00000004   and 00000004
 0015: 15 00 01 00000004   jeq 4 0016 (false 0017)
 0016: 06 00 00 00050001   ret ERRNO(1)
 0017: 06 00 00 7fff0000   ret ALLOW
 0018: 15 00 05 0000018d   jeq 18d 0019 (false 001e)
 0019: 20 00 00 00000020   ld  data.args[10]
 001a: 54 00 00 00008000   and 00008000
 001b: 15 00 01 00008000   jeq 8000 001c (false 001d)
 001c: 06 00 00 00050001   ret ERRNO(1)
 001d: 06 00 00 7fff0000   ret ALLOW
 001e: 15 00 01 00000164   jeq 164 001f (false 0020)
 001f: 06 00 00 00050001   ret ERRNO(1)
 0020: 06 00 00 7fff0000   ret ALLOW
 0021: 06 00 00 7fff0000   ret ALLOW
Mounting read-only /run/firejail/mnt/seccomp
1207 1099 0:93 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=1207 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             180 .
drwxr-xr-x root     root             340 ..
-rw-r--r-- mahid    1000             640 seccomp
-rw-r--r-- mahid    1000             120 seccomp.block_secondary
-rw-r--r-- mahid    1000             165 seccomp.list
-rw-r--r-- mahid    1000             280 seccomp.mdwx
-rw-r--r-- mahid    1000             272 seccomp.mdwx.32
-rw-r--r-- mahid    1000               0 seccomp.postexec
-rw-r--r-- mahid    1000               0 seccomp.postexec32
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.block_secondary
/run/firejail/mnt/seccomp/seccomp
/run/firejail/mnt/seccomp/seccomp.mdwx
/run/firejail/mnt/seccomp/seccomp.mdwx.32
Dropping all capabilities
nogroups command not ignored
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0
nogroups command not ignored
No supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/ssh
Child process initialized in 59.09 ms
Installing /run/firejail/mnt/seccomp/seccomp.mdwx.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]
           [-b bind_address] [-c cipher_spec] [-D [bind_address:]port]
           [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11]
           [-i identity_file] [-J [user@]host[:port]] [-L address]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-Q query_option] [-R address] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] destination [command [argument ...]]
monitoring pid 13

Sandbox monitor: waitpid 13 retval 13 status 65280

Parent is shutting down, bye...

Originally created by @StandingPadAnimations on GitHub (Feb 21, 2023). Original GitHub issue: https://github.com/netblue30/firejail/issues/5676 <!-- See the following links for help with formatting: https://guides.github.com/features/mastering-markdown/ https://docs.github.com/en/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax --> ### Description When using firejail with SSH, I receive the following error: ``` $ ssh pi@IP_ADDRESS -p 42069 Error: too long arguments: argv[22] len (5056) >= MAX_ARG_LEN (4128) ``` ### Steps to Reproduce 1. perform `sudo firecfg` 2. Attempt to connect to server with SSH ### Expected behavior For SSH to not complain ### Actual behavior SSH not connecting due to too long arguments ### Behavior without a profile SSH was able to work perfectly fine ### Additional context ### Environment Arch Linux Firejail 0.9.72 ### Checklist <!-- Note: Items are checked with an "x", like so: - [x] This is a checked item. --> - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [ x I have performed a short search for similar issues (to avoid opening a duplicate). - [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ x I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary> <p> ``` Reading profile /home/mahid/.config/firejail/ssh.profile Reading profile /home/mahid/.config/firejail/common.inc Warning: "shell none" command in the profile file is done by default; the command will be deprecated Warning: private-lib feature is disabled in Firejail configuration file Parent pid 13449, child pid 13451 Warning: skipping emp for private /opt Private /opt installed in 0.12 ms Warning: skipping emp for private /srv Private /srv installed in 0.05 ms 1 program installed in 3.04 ms Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Private /etc installed in 9.43 ms Private /usr/etc installed in 0.00 ms Warning: not remounting /run/user/1000/doc Warning: Cannot confine the application using AppArmor. Maybe firejail-default AppArmor profile is not loaded into the kernel. As root, run "aa-enforce firejail-default" to load it. Child process initialized in 27.64 ms usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination [command [argument ...]] ``` </p> </details> <details> <summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary> <p> <!-- If the output is too long to embed it into the comment, create a secret gist at https://gist.github.com/ and link it here. --> ``` Building quoted command line: '/usr/bin/ssh' Command name #ssh# Found ssh.profile profile in /home/mahid/.config/firejail directory Reading profile /home/mahid/.config/firejail/ssh.profile Reading profile /home/mahid/.config/firejail/common.inc Warning: "shell none" command in the profile file is done by default; the command will be deprecated Warning: private-lib feature is disabled in Firejail configuration file DISPLAY=:0 parsed as 0 Enabling IPC namespace Using the local network stack Parent pid 13496, child pid 13498 Initializing child process Host network configured PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc 1102 1019 0:23 /@/etc /etc ro,noatime master:1 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=285,subvol=/@ mountid=1102 fsname=/@/etc dir=/etc fstype=btrfs Mounting noexec /etc 1103 1102 0:23 /@/etc /etc ro,nosuid,nodev,noexec,noatime master:1 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=285,subvol=/@ mountid=1103 fsname=/@/etc dir=/etc fstype=btrfs Mounting read-only /var 1106 1104 0:23 /@log /var/log rw,noatime master:50 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=259,subvol=/@log mountid=1106 fsname=/@log dir=/var/log fstype=btrfs Mounting read-only /var/cache 1107 1105 0:23 /@cache /var/cache ro,noatime master:48 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=258,subvol=/@cache mountid=1107 fsname=/@cache dir=/var/cache fstype=btrfs Mounting read-only /var/log 1108 1106 0:23 /@log /var/log ro,noatime master:50 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=259,subvol=/@log mountid=1108 fsname=/@log dir=/var/log fstype=btrfs Mounting noexec /var 1113 1112 0:23 /@log /var/log ro,noatime master:50 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=259,subvol=/@log mountid=1113 fsname=/@log dir=/var/log fstype=btrfs Mounting noexec /var/cache 1114 1111 0:23 /@cache /var/cache ro,nosuid,nodev,noexec,noatime master:48 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=258,subvol=/@cache mountid=1114 fsname=/@cache dir=/var/cache fstype=btrfs Mounting noexec /var/log 1115 1113 0:23 /@log /var/log ro,nosuid,nodev,noexec,noatime master:50 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=259,subvol=/@log mountid=1115 fsname=/@log dir=/var/log fstype=btrfs Mounting read-only /usr 1116 1019 0:23 /@/usr /usr ro,noatime master:1 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=285,subvol=/@ mountid=1116 fsname=/@/usr dir=/usr fstype=btrfs Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Create the new utmp file Mount the new utmp file Generating a new machine-id installing a new /etc/machine-id Cleaning /home directory Cleaning /run/user directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /home/mahid/.dotfiles/firejail/.config/firejail (requested /home/mahid/.config/firejail) Disable /run/firejail/sandbox Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/profile Disable /run/firejail/x11 Mounting tmpfs on /dev mounting /run/firejail/mnt/dev/input directory Process /dev/shm directory Copying files in the new /opt directory: Warning: file /opt/emp not found. Warning: skipping emp for private /opt Mount-bind /run/firejail/mnt/opt on top of /opt Private /opt installed in 0.25 ms Copying files in the new /srv directory: Warning: file /srv/emp not found. Warning: skipping emp for private /srv Mount-bind /run/firejail/mnt/srv on top of /srv Private /srv installed in 0.14 ms Copying files in the new bin directory Checking /usr/local/bin/ssh Checking /usr/bin/ssh sbox run: /run/firejail/lib/fcopy /usr/bin/ssh /run/firejail/mnt/bin Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin Mount-bind /run/firejail/mnt/bin on top of /usr/bin Mount-bind /run/firejail/mnt/bin on top of /bin Mount-bind /run/firejail/mnt/bin on top of /usr/local/games Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin Mount-bind /run/firejail/mnt/bin on top of /usr/sbin Mount-bind /run/firejail/mnt/bin on top of /sbin 1 program installed in 5.46 ms Generate private-tmp whitelist commands Creating empty /run/firejail/mnt/dbus directory Creating empty /run/firejail/mnt/dbus/user file blacklist /run/user/1000/bus Creating empty /run/firejail/mnt/dbus/system file blacklist /run/dbus/system_bus_socket blacklist /run/firejail/dbus Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/timer_list Disable /proc/kcore Disable /proc/kallsyms Disable /usr/lib/modules/6.1.12-arch1-1/build (requested /usr/src/linux) Disable /usr/lib/modules (requested /lib/modules) Disable /boot Disable /proc/kmsg Copying files in the new /etc directory: Copying /etc/ssh to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/ssh /run/firejail/mnt/etc/ssh Copying /etc/resolv.conf to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/resolv.conf /run/firejail/mnt/etc Copying /etc/nsswitch.conf to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/nsswitch.conf /run/firejail/mnt/etc Copying /etc/hosts to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/hosts /run/firejail/mnt/etc Copying /etc/passwd to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/passwd /run/firejail/mnt/etc Mount-bind /run/firejail/mnt/etc on top of /etc Private /etc installed in 11.66 ms Cannot find /usr/etc: No such file or directory Mount-bind /run/firejail/mnt/usretc on top of /usr/etc Cannot find /usr/etc: No such file or directory Private /usr/etc installed in 0.04 ms Debug 588: whitelist ${DOWNLOADS} Directory ${DOWNLOADS} resolved as Downloads Debug 609: expanded: /home/mahid/Downloads Debug 620: new_name: /home/mahid/Downloads Debug 630: dir: /home/mahid Adding whitelist top level directory /home/mahid Debug 588: whitelist ${HOME}/.local/share/ssh Debug 609: expanded: /home/mahid/.local/share/ssh Debug 620: new_name: /home/mahid/.local/share/ssh Debug 630: dir: /home/mahid Removed path: whitelist ${HOME}/.local/share/ssh new_name: /home/mahid/.local/share/ssh realpath: (null) No such file or directory Debug 588: whitelist /tmp/.X11-unix Debug 609: expanded: /tmp/.X11-unix Debug 620: new_name: /tmp/.X11-unix Debug 630: dir: /tmp Adding whitelist top level directory /tmp Debug 588: whitelist /tmp/sndio Debug 609: expanded: /tmp/sndio Debug 620: new_name: /tmp/sndio Debug 630: dir: /tmp Removed path: whitelist /tmp/sndio new_name: /tmp/sndio realpath: (null) No such file or directory Mounting tmpfs on /tmp, check owner: no 1177 1047 0:105 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw,inode64 mountid=1177 fsname=/ dir=/tmp fstype=tmpfs Mounting a new /root directory Mounting a new /home directory Create a new user directory Drop privileges: pid 8, uid 1000, gid 1000, force_nogroups 0 nogroups command not ignored No supplementary groups Whitelisting /home/mahid/Downloads 1180 1179 0:23 /@home/mahid/Downloads /home/mahid/Downloads rw,noatime master:45 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home mountid=1180 fsname=/@home/mahid/Downloads dir=/home/mahid/Downloads fstype=btrfs Whitelisting /tmp/.X11-unix 1181 1177 0:33 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev master:17 - tmpfs tmpfs rw,nr_inodes=1048576,inode64 mountid=1181 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Disable /usr/local/bin Disable /usr/local/sbin Disable /boot Mounting read-only /tmp/.X11-unix 1185 1181 0:33 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev master:17 - tmpfs tmpfs rw,nr_inodes=1048576,inode64 mountid=1185 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /home/mahid/Downloads 1186 1180 0:23 /@home/mahid/Downloads /home/mahid/Downloads rw,nosuid,nodev,noexec,noatime master:45 - btrfs /dev/nvme0n1p2 rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home mountid=1186 fsname=/@home/mahid/Downloads dir=/home/mahid/Downloads fstype=btrfs Mounting noexec /tmp 1189 1188 0:33 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev master:17 - tmpfs tmpfs rw,nr_inodes=1048576,inode64 mountid=1189 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /tmp/.X11-unix 1190 1189 0:33 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec master:17 - tmpfs tmpfs rw,nr_inodes=1048576,inode64 mountid=1190 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /run/user/1000 1193 1191 0:21 /firejail/firejail.ro.file /run/user/1000/bus ro,nosuid,nodev,relatime master:12 - tmpfs run rw,mode=755,inode64 mountid=1193 fsname=/firejail/firejail.ro.file dir=/run/user/1000/bus fstype=tmpfs Warning: not remounting /run/user/1000/doc Mounting noexec /run/user/1000/bus 1194 1193 0:21 /firejail/firejail.ro.file /run/user/1000/bus ro,nosuid,nodev,noexec,relatime master:12 - tmpfs run rw,mode=755,inode64 mountid=1194 fsname=/firejail/firejail.ro.file dir=/run/user/1000/bus fstype=tmpfs Disable /usr/share (requested /usr/share/) Disable /sys/fs Disable /sys/module Disable /mnt Disable /media Disable /run/mount disable pulseaudio blacklist /run/user/1000/pulse/native blacklist /run/user/1000/pulse disable pipewire blacklist /run/user/1000/pipewire-0.lock blacklist /run/user/1000/pipewire-0 blacklist /run/user/1000/pipewire-0.lock blacklist /run/user/1000/pipewire-0 Current directory: /home/mahid DISPLAY=:0 parsed as 0 configuring 15 seccomp entries in /run/firejail/mnt/seccomp/seccomp.block_secondary sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.block_secondary Dropping all capabilities Drop privileges: pid 9, uid 1000, gid 1000, force_nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 00050001 ret ERRNO(1) 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 00 06 00000087 jeq personality 0008 (false 000e) 0008: 20 00 00 00000010 ld data.args[0] 0009: 15 01 00 00000000 jeq 0 000b (false 000a) 000a: 15 00 02 ffffffff jeq ffffffff 000b (false 000d) 000b: 20 00 00 00000014 ld data.args[4] 000c: 15 01 00 00000000 jeq 0 000e (false 000d) 000d: 06 00 00 00050001 ret ERRNO(1) 000e: 06 00 00 7fff0000 ret ALLOW Secondary arch blocking seccomp filter configured configuring 80 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp Dropping all capabilities Drop privileges: pid 10, uid 1000, gid 1000, force_nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 47 00 0000009f jeq adjtimex 004f (false 0008) 0008: 15 46 00 00000131 jeq clock_adjtime 004f (false 0009) 0009: 15 45 00 000000e3 jeq clock_settime 004f (false 000a) 000a: 15 44 00 000000a4 jeq settimeofday 004f (false 000b) 000b: 15 43 00 0000009a jeq modify_ldt 004f (false 000c) 000c: 15 42 00 000000d4 jeq lookup_dcookie 004f (false 000d) 000d: 15 41 00 0000012a jeq perf_event_open 004f (false 000e) 000e: 15 40 00 000001b6 jeq pidfd_getfd 004f (false 000f) 000f: 15 3f 00 00000137 jeq process_vm_writev 004f (false 0010) 0010: 15 3e 00 000000b0 jeq delete_module 004f (false 0011) 0011: 15 3d 00 00000139 jeq finit_module 004f (false 0012) 0012: 15 3c 00 000000af jeq init_module 004f (false 0013) 0013: 15 3b 00 000000a1 jeq chroot 004f (false 0014) 0014: 15 3a 00 000001af jeq fsconfig 004f (false 0015) 0015: 15 39 00 000001b0 jeq fsmount 004f (false 0016) 0016: 15 38 00 000001ae jeq fsopen 004f (false 0017) 0017: 15 37 00 000001b1 jeq fspick 004f (false 0018) 0018: 15 36 00 000000a5 jeq mount 004f (false 0019) 0019: 15 35 00 000001ad jeq move_mount 004f (false 001a) 001a: 15 34 00 000001ac jeq open_tree 004f (false 001b) 001b: 15 33 00 0000009b jeq pivot_root 004f (false 001c) 001c: 15 32 00 000000a6 jeq umount2 004f (false 001d) 001d: 15 31 00 0000009c jeq _sysctl 004f (false 001e) 001e: 15 30 00 000000b7 jeq afs_syscall 004f (false 001f) 001f: 15 2f 00 000000ae jeq create_module 004f (false 0020) 0020: 15 2e 00 000000b1 jeq get_kernel_syms 004f (false 0021) 0021: 15 2d 00 000000b5 jeq getpmsg 004f (false 0022) 0022: 15 2c 00 000000b6 jeq putpmsg 004f (false 0023) 0023: 15 2b 00 000000b2 jeq query_module 004f (false 0024) 0024: 15 2a 00 000000b9 jeq security 004f (false 0025) 0025: 15 29 00 0000008b jeq sysfs 004f (false 0026) 0026: 15 28 00 000000b8 jeq tuxcall 004f (false 0027) 0027: 15 27 00 00000086 jeq uselib 004f (false 0028) 0028: 15 26 00 00000088 jeq ustat 004f (false 0029) 0029: 15 25 00 000000ec jeq vserver 004f (false 002a) 002a: 15 24 00 000000ad jeq ioperm 004f (false 002b) 002b: 15 23 00 000000ac jeq iopl 004f (false 002c) 002c: 15 22 00 000000f6 jeq kexec_load 004f (false 002d) 002d: 15 21 00 00000140 jeq kexec_file_load 004f (false 002e) 002e: 15 20 00 000000a9 jeq reboot 004f (false 002f) 002f: 15 1f 00 000000a7 jeq swapon 004f (false 0030) 0030: 15 1e 00 000000a8 jeq swapoff 004f (false 0031) 0031: 15 1d 00 00000130 jeq open_by_handle_at 004f (false 0032) 0032: 15 1c 00 0000012f jeq name_to_handle_at 004f (false 0033) 0033: 15 1b 00 000000fb jeq ioprio_set 004f (false 0034) 0034: 15 1a 00 00000067 jeq syslog 004f (false 0035) 0035: 15 19 00 0000012c jeq fanotify_init 004f (false 0036) 0036: 15 18 00 000000f8 jeq add_key 004f (false 0037) 0037: 15 17 00 000000f9 jeq request_key 004f (false 0038) 0038: 15 16 00 000000ed jeq mbind 004f (false 0039) 0039: 15 15 00 00000100 jeq migrate_pages 004f (false 003a) 003a: 15 14 00 00000117 jeq move_pages 004f (false 003b) 003b: 15 13 00 000000fa jeq keyctl 004f (false 003c) 003c: 15 12 00 000000ce jeq io_setup 004f (false 003d) 003d: 15 11 00 000000cf jeq io_destroy 004f (false 003e) 003e: 15 10 00 000000d0 jeq io_getevents 004f (false 003f) 003f: 15 0f 00 000000d1 jeq io_submit 004f (false 0040) 0040: 15 0e 00 000000d2 jeq io_cancel 004f (false 0041) 0041: 15 0d 00 000000d8 jeq remap_file_pages 004f (false 0042) 0042: 15 0c 00 000000ee jeq set_mempolicy 004f (false 0043) 0043: 15 0b 00 00000116 jeq vmsplice 004f (false 0044) 0044: 15 0a 00 00000143 jeq userfaultfd 004f (false 0045) 0045: 15 09 00 000000a3 jeq acct 004f (false 0046) 0046: 15 08 00 00000141 jeq bpf 004f (false 0047) 0047: 15 07 00 000000b4 jeq nfsservctl 004f (false 0048) 0048: 15 06 00 000000ab jeq setdomainname 004f (false 0049) 0049: 15 05 00 000000aa jeq sethostname 004f (false 004a) 004a: 15 04 00 00000099 jeq vhangup 004f (false 004b) 004b: 15 03 00 00000065 jeq ptrace 004f (false 004c) 004c: 15 02 00 00000087 jeq personality 004f (false 004d) 004d: 15 01 00 00000136 jeq process_vm_readv 004f (false 004e) 004e: 06 00 00 7fff0000 ret ALLOW 004f: 06 00 01 00050001 ret ERRNO(1) seccomp filter configured Install memory write&execute filter configuring 35 seccomp entries in /run/firejail/mnt/seccomp/seccomp.mdwx sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.mdwx Dropping all capabilities Drop privileges: pid 11, uid 1000, gid 1000, force_nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 00 05 00000009 jeq mmap 0008 (false 000d) 0008: 20 00 00 00000020 ld data.args[10] 0009: 54 00 00 00000006 and 00000006 000a: 15 00 01 00000006 jeq 6 000b (false 000c) 000b: 06 00 00 00050001 ret ERRNO(1) 000c: 06 00 00 7fff0000 ret ALLOW 000d: 15 00 05 0000000a jeq a 000e (false 0013) 000e: 20 00 00 00000020 ld data.args[10] 000f: 54 00 00 00000004 and 00000004 0010: 15 00 01 00000004 jeq 4 0011 (false 0012) 0011: 06 00 00 00050001 ret ERRNO(1) 0012: 06 00 00 7fff0000 ret ALLOW 0013: 15 00 05 00000149 jeq 149 0014 (false 0019) 0014: 20 00 00 00000020 ld data.args[10] 0015: 54 00 00 00000004 and 00000004 0016: 15 00 01 00000004 jeq 4 0017 (false 0018) 0017: 06 00 00 00050001 ret ERRNO(1) 0018: 06 00 00 7fff0000 ret ALLOW 0019: 15 00 05 0000001e jeq 1e 001a (false 001f) 001a: 20 00 00 00000020 ld data.args[10] 001b: 54 00 00 00008000 and 00008000 001c: 15 00 01 00008000 jeq 8000 001d (false 001e) 001d: 06 00 00 00050001 ret ERRNO(1) 001e: 06 00 00 7fff0000 ret ALLOW 001f: 15 00 01 0000013f jeq 13f 0020 (false 0021) 0020: 06 00 00 00050001 ret ERRNO(1) 0021: 06 00 00 7fff0000 ret ALLOW 0022: 06 00 00 7fff0000 ret ALLOW configuring 34 seccomp entries in /run/firejail/mnt/seccomp/seccomp.mdwx.32 sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.mdwx.32 Dropping all capabilities Drop privileges: pid 12, uid 1000, gid 1000, force_nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 00 01 0000005a jeq 5a 0005 (false 0006) 0005: 06 00 00 00050001 ret ERRNO(1) 0006: 15 00 05 000000c0 jeq c0 0007 (false 000c) 0007: 20 00 00 00000020 ld data.args[10] 0008: 54 00 00 00000006 and 00000006 0009: 15 00 01 00000006 jeq 6 000a (false 000b) 000a: 06 00 00 00050001 ret ERRNO(1) 000b: 06 00 00 7fff0000 ret ALLOW 000c: 15 00 05 0000007d jeq 7d 000d (false 0012) 000d: 20 00 00 00000020 ld data.args[10] 000e: 54 00 00 00000004 and 00000004 000f: 15 00 01 00000004 jeq 4 0010 (false 0011) 0010: 06 00 00 00050001 ret ERRNO(1) 0011: 06 00 00 7fff0000 ret ALLOW 0012: 15 00 05 0000017c jeq 17c 0013 (false 0018) 0013: 20 00 00 00000020 ld data.args[10] 0014: 54 00 00 00000004 and 00000004 0015: 15 00 01 00000004 jeq 4 0016 (false 0017) 0016: 06 00 00 00050001 ret ERRNO(1) 0017: 06 00 00 7fff0000 ret ALLOW 0018: 15 00 05 0000018d jeq 18d 0019 (false 001e) 0019: 20 00 00 00000020 ld data.args[10] 001a: 54 00 00 00008000 and 00008000 001b: 15 00 01 00008000 jeq 8000 001c (false 001d) 001c: 06 00 00 00050001 ret ERRNO(1) 001d: 06 00 00 7fff0000 ret ALLOW 001e: 15 00 01 00000164 jeq 164 001f (false 0020) 001f: 06 00 00 00050001 ret ERRNO(1) 0020: 06 00 00 7fff0000 ret ALLOW 0021: 06 00 00 7fff0000 ret ALLOW Mounting read-only /run/firejail/mnt/seccomp 1207 1099 0:93 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64 mountid=1207 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Seccomp directory: ls /run/firejail/mnt/seccomp drwxr-xr-x root root 180 . drwxr-xr-x root root 340 .. -rw-r--r-- mahid 1000 640 seccomp -rw-r--r-- mahid 1000 120 seccomp.block_secondary -rw-r--r-- mahid 1000 165 seccomp.list -rw-r--r-- mahid 1000 280 seccomp.mdwx -rw-r--r-- mahid 1000 272 seccomp.mdwx.32 -rw-r--r-- mahid 1000 0 seccomp.postexec -rw-r--r-- mahid 1000 0 seccomp.postexec32 Active seccomp files: cat /run/firejail/mnt/seccomp/seccomp.list /run/firejail/mnt/seccomp/seccomp.block_secondary /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.mdwx /run/firejail/mnt/seccomp/seccomp.mdwx.32 Dropping all capabilities nogroups command not ignored noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0 nogroups command not ignored No supplementary groups Warning: Cannot confine the application using AppArmor. Maybe firejail-default AppArmor profile is not loaded into the kernel. As root, run "aa-enforce firejail-default" to load it. Closing non-standard file descriptors Starting application LD_PRELOAD=(null) execvp argument 0: /usr/bin/ssh Child process initialized in 59.09 ms Installing /run/firejail/mnt/seccomp/seccomp.mdwx.32 seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.mdwx seccomp filter Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address] [-c cipher_spec] [-D [bind_address:]port] [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]] destination [command [argument ...]] monitoring pid 13 Sandbox monitor: waitpid 13 retval 13 status 65280 Parent is shutting down, bye... ``` </p> </details>
gitea-mirror 2026-05-05 09:42:10 -06:00
  • closed this issue
  • added the
    notourbug
         label
gitea-mirror commented 2026-05-05 09:42:13 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 21, 2023):

Reading profile /home/mahid/.config/firejail/ssh.profile
Reading profile /home/mahid/.config/firejail/common.inc

These are not the 'default' profiles that get installed to /etc/firejail. Without showing what's inside those two files there's nothing anyone can do to help.

<!-- gh-comment-id:1438419003 --> @ghost commented on GitHub (Feb 21, 2023): > Reading profile /home/mahid/.config/firejail/ssh.profile Reading profile /home/mahid/.config/firejail/common.inc These are not the 'default' profiles that get installed to /etc/firejail. Without showing what's inside those two files there's nothing anyone can do to help.
gitea-mirror commented 2026-05-05 09:42:14 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Feb 21, 2023):

ssh: Error: too long arguments: argv[22] len (5056) >= MAX_ARG_LEN (4128)

@StandingPadAnimations

Hello, with #5677 it should now print the offending argument (argv[22]).

Can you build firejail from #5677 and re-test it?

<!-- gh-comment-id:1438628051 --> @kmk3 commented on GitHub (Feb 21, 2023): > ssh: Error: too long arguments: argv[22] len (5056) >= MAX_ARG_LEN (4128) @StandingPadAnimations Hello, with #5677 it should now print the offending argument (`argv[22]`). Can you build firejail from #5677 and re-test it?
gitea-mirror commented 2026-05-05 09:42:14 -06:00
Author
Owner
Copy link

@StandingPadAnimations commented on GitHub (Feb 22, 2023):

These are not the 'default' profiles that get installed to /etc/firejail. Without showing what's inside those two files there's nothing anyone can do to help.

Sorry about that, here you go:

# Firejail profile for ssh
# Description: Secure shell client and server
# This file is overwritten after every install/update
quiet
# Persistent local customizations
include ssh.local
# Persistent global definitions
include globals.local

# nc can be used as ProxyCommand, e.g. when using tor
noblacklist ${PATH}/nc
noblacklist ${PATH}/ncat

# Allow ssh (blacklisted by disable-common.inc)
include allow-ssh.inc

include disable-common.inc
include disable-exec.inc
include disable-programs.inc

whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
whitelist ${RUNUSER}/keyring/ssh
include whitelist-usr-share-common.inc
include whitelist-runuser-common.inc

apparmor
caps.drop all
ipc-namespace
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
# noroot - see issue #1543
nosound
notv
# nou2f - OpenSSH >= 8.2 supports U2F
novideo
protocol unix,inet,inet6
seccomp
tracelog

private-cache
private-dev
# private-tmp # Breaks when exiting
writable-run-user

dbus-user none
dbus-system none

deterministic-shutdown
memory-deny-write-execute
restrict-namespaces
<!-- gh-comment-id:1441016602 --> @StandingPadAnimations commented on GitHub (Feb 22, 2023): > These are not the 'default' profiles that get installed to /etc/firejail. Without showing what's inside those two files there's nothing anyone can do to help. Sorry about that, here you go: ``` # Firejail profile for ssh # Description: Secure shell client and server # This file is overwritten after every install/update quiet # Persistent local customizations include ssh.local # Persistent global definitions include globals.local # nc can be used as ProxyCommand, e.g. when using tor noblacklist ${PATH}/nc noblacklist ${PATH}/ncat # Allow ssh (blacklisted by disable-common.inc) include allow-ssh.inc include disable-common.inc include disable-exec.inc include disable-programs.inc whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh whitelist ${RUNUSER}/keyring/ssh include whitelist-usr-share-common.inc include whitelist-runuser-common.inc apparmor caps.drop all ipc-namespace netfilter no3d nodvd nogroups noinput nonewprivs # noroot - see issue #1543 nosound notv # nou2f - OpenSSH >= 8.2 supports U2F novideo protocol unix,inet,inet6 seccomp tracelog private-cache private-dev # private-tmp # Breaks when exiting writable-run-user dbus-user none dbus-system none deterministic-shutdown memory-deny-write-execute restrict-namespaces ```
gitea-mirror commented 2026-05-05 09:42:15 -06:00
Author
Owner
Copy link

@StandingPadAnimations commented on GitHub (Feb 23, 2023):

@kmk3 This is what I get

{ Distributed under terms of the GPLv3 license.dgoyal.net>EN (4128): '/bin/sh
  unalias command; 
die() { printf " ] && command rm -rf "$tdir"ho" 2> /dev/null < /dev/tty
                033[31m%s
                         033[m
                              n
    base64_encode() { command base64 | command tr -d turn 1; fi 1; fistrap_exit; exit 1; }

                                                     n

    base64_encode() { command b64encode - | command sed  }
                                                        1d;$d
                                                              | command tr -d 

                                                                              n

    pybase64() { command "$python" -c "import sys, base64; getattr(sys.stdout, r; }
                                                                               buffer
                                                                                     , sys.stdout).write(base64.standard_b64$1(getattr(sys.stdin, 
                                                                                                                                                  buffer
                                                                                                                                                        , sys.stdin).read    base64_encode() { command "$perl" -MMIME::Base64 -0777 -ne 
                                                               print encode_base64($_)
    base64_decode() { command "$perl" -MMIME::Base64 -ne                              ; }
                                                         print decode_base64($_)
dcs_to_kitty() { printf "e not present on remote host, ssh kitten cannot function."
                         033P@kitty-$1|%s
                                         033
'xec_login_shellstspassed to SSH execute it here"thenoot" ""ad SSH data from tty" /dev/nulle in the futureequires tar."
<!-- gh-comment-id:1441023504 --> @StandingPadAnimations commented on GitHub (Feb 23, 2023): @kmk3 This is what I get ``` { Distributed under terms of the GPLv3 license.dgoyal.net>EN (4128): '/bin/sh unalias command; die() { printf " ] && command rm -rf "$tdir"ho" 2> /dev/null < /dev/tty 033[31m%s 033[m n base64_encode() { command base64 | command tr -d turn 1; fi 1; fistrap_exit; exit 1; } n base64_encode() { command b64encode - | command sed } 1d;$d | command tr -d n pybase64() { command "$python" -c "import sys, base64; getattr(sys.stdout, r; } buffer , sys.stdout).write(base64.standard_b64$1(getattr(sys.stdin, buffer , sys.stdin).read base64_encode() { command "$perl" -MMIME::Base64 -0777 -ne print encode_base64($_) base64_decode() { command "$perl" -MMIME::Base64 -ne ; } print decode_base64($_) dcs_to_kitty() { printf "e not present on remote host, ssh kitten cannot function." 033P@kitty-$1|%s 033 'xec_login_shellstspassed to SSH execute it here"thenoot" ""ad SSH data from tty" /dev/nulle in the futureequires tar." ```
gitea-mirror commented 2026-05-05 09:42:16 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 23, 2023):

Sorry about that, here you go:

No worries, that can happen. Thanks for showing it. I was mostly confused by seeing in your posted log output that ssh.profile was getting loaded from ~/.config/firejail (instead of /etc/firejail) but that the include files from it were not (at least I can't spot it in the log output). Additionally, the second one that does get included isn't a firejail project file at all:

Reading profile /home/mahid/.config/firejail/common.inc

Is that a custom file you created perhaps? I realize this isn't very helpful towards finding a (quick) fix for your issue. I'm just not clear on what's actually happening because of the lacking common.inc file...

<!-- gh-comment-id:1441544015 --> @ghost commented on GitHub (Feb 23, 2023): > Sorry about that, here you go: No worries, that can happen. Thanks for showing it. I was mostly confused by seeing in your posted log output that ssh.profile was getting loaded from ~/.config/firejail (instead of /etc/firejail) but that the include files from it were not (at least I can't spot it in the log output). Additionally, the second one that does get included isn't a firejail project file at all: > Reading profile /home/mahid/.config/firejail/common.inc Is that a custom file you created perhaps? I realize this isn't very helpful towards finding a (quick) fix for your issue. I'm just not clear on what's actually happening because of the lacking `common.inc` file...
gitea-mirror commented 2026-05-05 09:42:17 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Feb 23, 2023):

Is it this common.inc?

<!-- gh-comment-id:1442090502 --> @rusty-snake commented on GitHub (Feb 23, 2023): Is it [this `common.inc`](https://github.com/chiraag-nataraj/firejail-profiles/blob/master/common.inc)?
gitea-mirror commented 2026-05-05 09:42:17 -06:00
Author
Owner
Copy link

@StandingPadAnimations commented on GitHub (Feb 23, 2023):

Is that a custom file you created perhaps? I realize this isn't very helpful towards finding a (quick) fix for your issue. I'm just not clear on what's actually happening because of the lacking common.inc file...

Here's the common.inc

blacklist /usr/local/bin
blacklist /usr/local/sbin

blacklist /boot

private-tmp
read-only /tmp/.X11-unix
private-dev
nodvd
nosound
notv
nou2f
novideo
no3d
disable-mnt
private-opt emp
private-srv emp

shell none
seccomp
seccomp.block-secondary
noroot
caps.drop all
apparmor
nonewprivs
ipc-namespace
machine-id
nodbus
nogroups
net none
netfilter
memory-deny-write-execute

noexec ${HOME}
noexec /tmp
noexec ${RUNUSER}
<!-- gh-comment-id:1442557336 --> @StandingPadAnimations commented on GitHub (Feb 23, 2023): > Is that a custom file you created perhaps? I realize this isn't very helpful towards finding a (quick) fix for your issue. I'm just not clear on what's actually happening because of the lacking common.inc file... Here's the common.inc ``` blacklist /usr/local/bin blacklist /usr/local/sbin blacklist /boot private-tmp read-only /tmp/.X11-unix private-dev nodvd nosound notv nou2f novideo no3d disable-mnt private-opt emp private-srv emp shell none seccomp seccomp.block-secondary noroot caps.drop all apparmor nonewprivs ipc-namespace machine-id nodbus nogroups net none netfilter memory-deny-write-execute noexec ${HOME} noexec /tmp noexec ${RUNUSER} ```
gitea-mirror commented 2026-05-05 09:42:18 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 24, 2023):

There are several conflicting options when you use the posted common.inc file in combination with our default profiles. Let me provide one example. SSH obviously needs network access, which is why there isn't net none in /etc/firejail/ssh.profile. By additionally including that common.inc (on the command line or from a shell script) that does have net none your firejailed ssh will never work. Other potentially interfering options could be in play too (both private-tmp and noroot are known to break openssh). Instead of using this (outdated) common.inc I would suggest to make use of globals.local for any options you've tested not to break anything. And let firejail use its default profiles from /etc/firejail instead of replicating them under ~/.config/firejail. It will make debugging things for you much easier and generally keep the include logic as close to how it is designed/known to work.

What happens when you temporarily move both files out of ~/.config/firejail (or rename them) and run $ firejail --ignore=quiet /usr/bin/ssh?

<!-- gh-comment-id:1442599562 --> @ghost commented on GitHub (Feb 24, 2023): There are several conflicting options when you use the posted common.inc file in combination with our default profiles. Let me provide one example. SSH obviously needs network access, which is why there isn't `net none` in /etc/firejail/ssh.profile. By additionally including that common.inc (on the command line or from a shell script) that does have `net none` your firejailed ssh will never work. Other potentially interfering options could be in play too (both private-tmp and noroot are known to break openssh). Instead of using this (outdated) common.inc I would suggest to make use of globals.local for any options you've **tested** not to break anything. And let firejail use its default profiles from /etc/firejail instead of replicating them under ~/.config/firejail. It will make debugging things for you much easier and generally keep the include logic as close to how it is designed/known to work. What happens when you temporarily move both files out of ~/.config/firejail (or rename them) and run `$ firejail --ignore=quiet /usr/bin/ssh`?
gitea-mirror commented 2026-05-05 09:42:19 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Feb 24, 2023):

@StandingPadAnimations on Feb 23:

@kmk3 This is what I get

{ Distributed under terms of the GPLv3 license.dgoyal.net>EN (4128): '/bin/sh
  unalias command; 
die() { printf " ] && command rm -rf "$tdir"ho" 2> /dev/null < /dev/tty
                033[31m%s
                         033[m
                              n
    base64_encode() { command base64 | command tr -d turn 1; fi 1; fistrap_exit; exit 1; }

                                                     n

    base64_encode() { command b64encode - | command sed  }
                                                        1d;$d
                                                              | command tr -d 

                                                                              n

    pybase64() { command "$python" -c "import sys, base64; getattr(sys.stdout, r; }
                                                                               buffer
                                                                                     , sys.stdout).write(base64.standard_b64$1(getattr(sys.stdin, 
                                                                                                                                                  buffer
                                                                                                                                                        , sys.stdin).read    base64_encode() { command "$perl" -MMIME::Base64 -0777 -ne 
                                                               print encode_base64($_)
    base64_decode() { command "$perl" -MMIME::Base64 -ne                              ; }
                                                         print decode_base64($_)
dcs_to_kitty() { printf "e not present on remote host, ssh kitten cannot function."
                         033P@kitty-$1|%s
                                         033
'xec_login_shellstspassed to SSH execute it here"thenoot" ""ad SSH data from tty" /dev/nulle in the futureequires tar."

Sorry, I referenced the wrong thing in my previous comment; by "#5676" I
meant "#5677" (the comment is fixed now).

Just to be clear, is this output from building and running from #5677?

If so, it looks like an entire shell script is being passed by argument (which
is rather unusual).

Edit: It mentions "kitty" and "ssh kitten"; are you trying to run kitty itself
firejailed or just ssh?

Anyway, please try what @glitsj16 said before re-running it.

<!-- gh-comment-id:1442767384 --> @kmk3 commented on GitHub (Feb 24, 2023): @StandingPadAnimations [on Feb 23](https://github.com/netblue30/firejail/issues/5676#issuecomment-1441023504): > @kmk3 This is what I get > > ``` > { Distributed under terms of the GPLv3 license.dgoyal.net>EN (4128): '/bin/sh > unalias command; > die() { printf " ] && command rm -rf "$tdir"ho" 2> /dev/null < /dev/tty > 033[31m%s > 033[m > n > base64_encode() { command base64 | command tr -d turn 1; fi 1; fistrap_exit; exit 1; } > > n > > base64_encode() { command b64encode - | command sed } > 1d;$d > | command tr -d > > n > > pybase64() { command "$python" -c "import sys, base64; getattr(sys.stdout, r; } > buffer > , sys.stdout).write(base64.standard_b64$1(getattr(sys.stdin, > buffer > , sys.stdin).read base64_encode() { command "$perl" -MMIME::Base64 -0777 -ne > print encode_base64($_) > base64_decode() { command "$perl" -MMIME::Base64 -ne ; } > print decode_base64($_) > dcs_to_kitty() { printf "e not present on remote host, ssh kitten cannot function." > 033P@kitty-$1|%s > 033 > 'xec_login_shellstspassed to SSH execute it here"thenoot" ""ad SSH data from tty" /dev/nulle in the futureequires tar." > ``` Sorry, I referenced the wrong thing in [my previous comment][1]; by "#5676" I meant "#5677" (the comment is fixed now). Just to be clear, is this output from building and running from #5677? If so, it looks like an entire shell script is being passed by argument (which is rather unusual). Edit: It mentions "kitty" and "ssh kitten"; are you trying to run kitty itself firejailed or just ssh? Anyway, please try what @glitsj16 [said][2] before re-running it. [1]: https://github.com/netblue30/firejail/issues/5676#issuecomment-1438628051 [2]: https://github.com/netblue30/firejail/issues/5676#issuecomment-1442599562
gitea-mirror commented 2026-05-05 09:42:20 -06:00
Author
Owner
Copy link

@StandingPadAnimations commented on GitHub (Feb 24, 2023):

Edit: It mentions "kitty" and "ssh kitten"; are you trying to run kitty itself
firejailed or just ssh?

Kitty requires calling SSH with kitty +kitten since without it, keypresses act weirdly: https://wiki.archlinux.org/title/Kitty#Terminal_issues_with_SSH

<!-- gh-comment-id:1442799504 --> @StandingPadAnimations commented on GitHub (Feb 24, 2023): > Edit: It mentions "kitty" and "ssh kitten"; are you trying to run kitty itself firejailed or just ssh? Kitty requires calling SSH with `kitty +kitten` since without it, keypresses act weirdly: https://wiki.archlinux.org/title/Kitty#Terminal_issues_with_SSH
gitea-mirror commented 2026-05-05 09:42:21 -06:00
Author
Owner
Copy link

@StandingPadAnimations commented on GitHub (Feb 24, 2023):

Just to be clear, is this output from building and running from #5677?

Yep

<!-- gh-comment-id:1442799719 --> @StandingPadAnimations commented on GitHub (Feb 24, 2023): > Just to be clear, is this output from building and running from #5677? Yep
gitea-mirror commented 2026-05-05 09:42:21 -06:00
Author
Owner
Copy link

@StandingPadAnimations commented on GitHub (Feb 25, 2023):

What happens when you temporarily move both files out of ~/.config/firejail (or rename them) and run $firejail --ignore=quiet /usr/bin/ssh?

Sorry for the late reply, it works fine as such:

Reading profile /etc/firejail/ssh.profile
Reading profile /etc/firejail/allow-ssh.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Parent pid 16076, child pid 16078
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 118.91 ms
Last login: Wed Feb 22 18:08:38 2023 from 192.168.1.7

But if I call ssh on it's own, the issue still persists. Interestingly enough though, if I call firejail manually with ssh (keep it mind it's aliased to prevent key-presses from being messed up), it works fine. It's only when I call ssh on its own where issues occur

<!-- gh-comment-id:1444781584 --> @StandingPadAnimations commented on GitHub (Feb 25, 2023): > What happens when you temporarily move both files out of ~/.config/firejail (or rename them) and run $firejail --ignore=quiet /usr/bin/ssh? Sorry for the late reply, it works fine as such: ```sh Reading profile /etc/firejail/ssh.profile Reading profile /etc/firejail/allow-ssh.inc Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Parent pid 16076, child pid 16078 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: Cannot confine the application using AppArmor. Maybe firejail-default AppArmor profile is not loaded into the kernel. As root, run "aa-enforce firejail-default" to load it. Child process initialized in 118.91 ms Last login: Wed Feb 22 18:08:38 2023 from 192.168.1.7 ``` But if I call `ssh` on it's own, the issue still persists. Interestingly enough though, if I call firejail manually with ssh (keep it mind it's aliased to prevent key-presses from being messed up), it works fine. It's only when I call ssh on its own where issues occur
gitea-mirror commented 2026-05-05 09:42:22 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 25, 2023):

But if I call ssh on it's own, the issue still persists. Interestingly enough though, if I call firejail manually with ssh (keep it mind it's aliased to prevent key-presses from being messed up), it works fine. It's only when I call ssh on its own where issues occur

Thanks for confirming the firejail profiles are fine. It looks like a kitty alias issue if I understand that correctly. On the Arch wiki page you linked earlier:

[ "$TERM" = "xterm-kitty" ] && alias ssh="kitty +kitten ssh"

I would try changing that alias to

[ "$TERM" = "xterm-kitty" ] && alias ssh="kitty +kitten firejail /usr/bin/ssh"
<!-- gh-comment-id:1444977082 --> @ghost commented on GitHub (Feb 25, 2023): > But if I call ssh on it's own, the issue still persists. Interestingly enough though, if I call firejail manually with ssh (keep it mind it's aliased to prevent key-presses from being messed up), it works fine. It's only when I call ssh on its own where issues occur Thanks for confirming the firejail profiles are fine. It looks like a kitty alias issue if I understand that correctly. On the [Arch wiki page](https://wiki.archlinux.org/title/Kitty#Terminal_issues_with_SSH) you linked earlier: ``` [ "$TERM" = "xterm-kitty" ] && alias ssh="kitty +kitten ssh" ``` I would try changing that alias to ``` [ "$TERM" = "xterm-kitty" ] && alias ssh="kitty +kitten firejail /usr/bin/ssh" ```
gitea-mirror commented 2026-05-05 09:42:22 -06:00
Author
Owner
Copy link

@StandingPadAnimations commented on GitHub (Feb 25, 2023):

[ "$TERM" = "xterm-kitty" ] && alias ssh="kitty +kitten firejail /usr/bin/ssh"

I tried that but I still receive the error

<!-- gh-comment-id:1445179359 --> @StandingPadAnimations commented on GitHub (Feb 25, 2023): > [ "$TERM" = "xterm-kitty" ] && alias ssh="kitty +kitten firejail /usr/bin/ssh" I tried that but I still receive the error
gitea-mirror commented 2026-05-05 09:42:23 -06:00
Author
Owner
Copy link

@StandingPadAnimations commented on GitHub (Feb 25, 2023):

Ok looking into it further another error occurs:

Available builtin kittens:
ssh
query_terminal
resize_window
choose
remote_file
clipboard
hints
show_error
mouse_demo
icat
unicode_input
themes
broadcast
show_key
ask
hyperlinked_grep
panel
transfer
diff
No kitten named firejail

Looks like setting the alias makes kitty very confused

<!-- gh-comment-id:1445185175 --> @StandingPadAnimations commented on GitHub (Feb 25, 2023): Ok looking into it further another error occurs: ``` Available builtin kittens: ssh query_terminal resize_window choose remote_file clipboard hints show_error mouse_demo icat unicode_input themes broadcast show_key ask hyperlinked_grep panel transfer diff No kitten named firejail ``` Looks like setting the alias makes kitty very confused
gitea-mirror commented 2026-05-05 09:42:23 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 25, 2023):

Looks like setting the alias makes kitty very confused

Not only kitty, I'm pretty confused by this as well :)
Have you tried some of the alternatives mentioned on the Arch wiki? Like here:

~/.ssh/config
Host example.com
  SetEnv TERM=xterm-256color

If that works for you there should no longer be any need for aliasing ssh via kitty +kitten voodoo...

<!-- gh-comment-id:1445217921 --> @ghost commented on GitHub (Feb 25, 2023): > Looks like setting the alias makes kitty very confused Not only kitty, I'm pretty confused by this as well :) Have you tried some of the alternatives mentioned on the Arch wiki? Like [here](https://wiki.archlinux.org/title/OpenSSH#Connecting_to_a_remote_without_the_appropriate_terminfo_entry): ``` ~/.ssh/config Host example.com SetEnv TERM=xterm-256color ``` If that works for you there should no longer be any need for aliasing ssh via kitty +kitten voodoo...
gitea-mirror commented 2026-05-05 09:42:23 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Feb 25, 2023):

Ideally you should be able to execute ssh without kitty without issues, as
mentioned by @glitsj16.

If that does not work, considering the following constraints:

  • ssh has to be run by kitty as kitty +kitten ssh
  • ssh has to be run inside firejail (like firejail /usr/bin/ssh)

There should be a way to override the command line that gets executed when
trying to run a kitten.

That is, something like:

~/.config/kitty/ssh.conf

SSH='firejail /usr/bin/ssh'

Though unforunately I don't see anything like that on its documentation.

So maybe try creating a wrapper for ssh and see if kitty calls that instead:

~/bin/ssh:

#!/bin/sh

echo 'debug: running firejail /usr/bin/ssh'
exec firejail /usr/bin/ssh

Then try again:

PATH="$HOME/bin:$PATH"
export PATH

kitty +kitten ssh

If none of that works, I'd suggest asking about this on the kitty project (and
referencing this issue).

<!-- gh-comment-id:1445229472 --> @kmk3 commented on GitHub (Feb 25, 2023): Ideally you should be able to execute ssh without kitty without issues, [as mentioned][1] by @glitsj16. If that does not work, considering the following constraints: * ssh has to be run by kitty as `kitty +kitten ssh` * ssh has to be run inside firejail (like `firejail /usr/bin/ssh`) There should be a way to override the command line that gets executed when trying to run a kitten. That is, something like: ~/.config/kitty/ssh.conf ``` SSH='firejail /usr/bin/ssh' ``` Though unforunately I don't see anything like that on its documentation. So maybe try creating a wrapper for ssh and see if kitty calls that instead: ~/bin/ssh: ```sh #!/bin/sh echo 'debug: running firejail /usr/bin/ssh' exec firejail /usr/bin/ssh ``` Then try again: ```sh PATH="$HOME/bin:$PATH" export PATH kitty +kitten ssh ``` If none of that works, I'd suggest asking about this on the kitty project (and referencing this issue). [1]: https://github.com/netblue30/firejail/issues/5676#issuecomment-1445217921
gitea-mirror commented 2026-05-05 09:42:24 -06:00
Author
Owner
Copy link

@StandingPadAnimations commented on GitHub (Mar 1, 2023):

Looks like that works, and firejail​ --list confirms that indeed ssh runs in a sandbox, I'll just close this now
------- Original Message -------
On Saturday, February 25th, 2023 at 10:23 PM, glitsj16 @.***> wrote:

Looks like setting the alias makes kitty very confused

Not only kitty, I'm pretty confused by this as well :)
Have you tried some of the alternatives mentioned on the Arch wiki? Like here:

~/.ssh/config
Host example.com
SetEnv TERM=xterm-256color

If that works for you there should no longer be any need for aliasing ssh via kitty +kitten voodoo...


Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.Message ID: @.***>

<!-- gh-comment-id:1449252661 --> @StandingPadAnimations commented on GitHub (Mar 1, 2023): Looks like that works, and `firejail​ --list` confirms that indeed ssh runs in a sandbox, I'll just close this now ------- Original Message ------- On Saturday, February 25th, 2023 at 10:23 PM, glitsj16 ***@***.***> wrote: >> Looks like setting the alias makes kitty very confused > > Not only kitty, I'm pretty confused by this as well :) > Have you tried some of the alternatives mentioned on the Arch wiki? Like [here](https://wiki.archlinux.org/title/OpenSSH#Connecting_to_a_remote_without_the_appropriate_terminfo_entry): > > ~/.ssh/config > Host example.com > SetEnv TERM=xterm-256color > > If that works for you there should no longer be any need for aliasing ssh via kitty +kitten voodoo... > > — > Reply to this email directly, [view it on GitHub](https://github.com/netblue30/firejail/issues/5676#issuecomment-1445217921), or [unsubscribe](https://github.com/notifications/unsubscribe-auth/AR4UXCSO4GGMOWH6QSTEOE3WZKA6XANCNFSM6AAAAAAVCS4PL4). > You are receiving this because you were mentioned.Message ID: ***@***.***>
gitea-mirror commented 2026-05-05 09:42:25 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Mar 1, 2023):

(Re-closing as "not planned" since nothing was changed in firejail)

<!-- gh-comment-id:1449277568 --> @kmk3 commented on GitHub (Mar 1, 2023): (Re-closing as "not planned" since nothing was changed in firejail)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3059
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?