[GH-ISSUE #5703] Custom seccomp list and apparmor do not work well together #3072

Open
opened 2026-05-05 09:42:46 -06:00 by gitea-mirror · 7 comments
Owner

Originally created by @NetSysFire on GitHub (Mar 1, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5703

Description

See https://github.com/netblue30/firejail/pull/5646#pullrequestreview-1287071576

CC @glitsj16 because it's theirs.

Steps to Reproduce

In that specific case:

  1. Use seccomp !tgkill
  2. Also use apparmor
  3. AppArmor blocks tgkill, regardless of seccomp settings.

Expected behavior

AppArmor using firejail's seccomp list, or it not filtering syscalls when that profile is already using seccomp.

Actual behavior

AppArmor does syscall filtering no matter what seccomp shenanigans are done in the profile, resulting in issues because some syscalls are still blocked.

Behavior without a profile

n/a

Additional context

n/a

Environment

  • Linux distribution and version: Arch Linux
  • Firejail version: 0.9.72

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

See PR.

gitea-mirror added the enhancement label 2026-05-05 09:42:46 -06:00
Author
Owner

@rusty-snake commented on GitHub (Mar 1, 2023):

AA has its own configuration that has no integration with other commands, be it seccomp, caps, noexec or read-only. Labeling as enhancement.

Author
Owner

@ghost commented on GitHub (Mar 2, 2023):

@NetSysFire Hello. I've installed this (https://aur.archlinux.org/packages/parsec-bin) from AUR yesterday and ran parsecd via firejail for a while with an as-is parsecd.profile (so needing all the steps to reproduce). Sadly I cannot reproduce anything of what was reported in #5646 (https://github.com/netblue30/firejail/pull/5646#discussion_r1103663883).

I noticed when ctrl+c'ing the application it complains of
mty_sleep: 'nanosleep' failed with errno 4
and in the journal:
Feb 11 17:59:16 archlinux kernel: audit: type=1300 audit(1676134756.097:498): arch=c000003e syscall=234 success=no exit=-13 a0=c a1=c a2=f a3=8 items=0 ppid=7627 pid=7639 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts3 ses=2 comm="parsecd" exe="/usr/local/bin/parsecd" subj=firejail-default//&unconfined key=(null)
But I explicitly noblacklisted that syscall with !tgkill

Ctrl+c'ing acts without any complaints and nothing shows up in journalctl either. Did you make any changes to /etc/apparmor.d/firejail-default, or have a custom /etc/apparmor.d/local/firejail-default that might throw some light on this issue?

Author
Owner

@NetSysFire commented on GitHub (Mar 2, 2023):

Output of running parsecd and ctrl+c'ing after:

$ firejail parsecd
Reading profile /etc/firejail/parsecd.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !tgkill, check list: @default-keep, prelist: unknown,
Parent pid 3235017, child pid 3235018
2 programs installed in 3.50 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !tgkill, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 124.41 ms
[D 2023-03-02 12:02:42] log: Parsec release9 (150-86e)
^C
Parent received signal 2, shutting down the child process...
[D 2023-03-02 12:02:45] mty_sleep: 'nanosleep' failed with errno 4

Child received signal 2, shutting down the sandbox...
[D 2023-03-02 12:02:45] mty_sleep: 'nanosleep' failed with errno 4

Parent is shutting down, bye...

local firejail-default:

$ cat /etc/apparmor.d/local/firejail-default
# Site-specific additions and overrides for 'firejail-default'.
# For more details, please see /etc/apparmor.d/local/README.

# Here are some examples to allow running programs from home directory.
# Don't enable all of these, just pick a specific one or write a custom rule
# instead as done below for torbrowser-launcher.
#owner @HOME/** ix,
#owner @HOME/bin/** ix
#owner @HOME/.local/bin/** ix

# Uncomment to opt-in to apparmor for brave + ipfs
#owner @{HOME}/.config/BraveSoftware/Brave-Browser/oecghfpdmkjlhnfpmmjegjacfimiafjp/*/** ix,

# Uncomment to opt-in to apparmor for brave + tor
#owner @{HOME}/.config/BraveSoftware/Brave-Browser/biahpgbdmdkfgndcmfiipgcebobojjkp/*/** ix,

# Uncomment to opt-in to apparmor for firefox DRM (gmp-widevinecdm)
#owner @{HOME}/.mozilla/firefox/*/gm*/** ix,

# Uncomment to opt-in to apparmor for firefox native-messaging-hosts under ${HOME}
#owner @{HOME}/.mozilla/native-messaging-hosts/** ix,

# Uncomment to opt-in to apparmor for torbrowser-launcher
#owner @{HOME}/.local/share/torbrowser/tbb/{i686,x86_64}/tor-browser_*/Browser/** ix,

firejail-default:

$ cat /etc/apparmor.d/firejail-default
#########################################
# Generic Firejail AppArmor profile
#########################################

# AppArmor 3.0 uses the @{run} variable in <abstractions/dbus-strict>
# and <abstractions/dbus-session-strict>.
#include <tunables/global>

##########
# A simple PID declaration based on Ubuntu's @{pid}
# Ubuntu keeps it under tunables/kernelvars and include it via tunables/global.
# We don't know if this definition is available outside Debian and Ubuntu, so
# we declare our own here.
##########
@{PID}={[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}

profile firejail-default flags=(attach_disconnected,mediate_deleted) {

##########
# Allow D-Bus access. It may negatively affect security. Comment those lines or
# use 'nodbus' option in profile if you don't need D-Bus functionality.
##########
#include <abstractions/dbus-strict>
#include <abstractions/dbus-session-strict>
dbus,
# Add rule in order to avoid dbus-*=filter breakage (#3432)
owner /{,var/}run/firejail/dbus/[0-9]*/[0-9]*-user w,

##########
# With ptrace it is possible to inspect and hijack running programs.
##########
# Uncomment this line to allow all ptrace access
#ptrace,
# Allow obtaining some process information, but not ptrace(2)
ptrace (read,readby) peer=@{profile_name},
ptrace (read,readby) peer=@{profile_name}//&unconfined,

##########
# Allow read access to whole filesystem and control it from firejail.
##########
/{,**} rklm,

##########
# Allow write access to paths writable in firejail which aren't used for
# executing programs. /run, /proc and /sys are handled separately.
# Line starting with /run/firejail/mnt/oroot deal with --overlay sandboxes.
##########
/{,run/firejail/mnt/oroot/}{dev,etc,home,media,mnt,root,srv,tmp,var}/** w,

##########
# Whitelist writable paths under /run, /proc and /sys.
##########
owner /{,run/firejail/mnt/oroot/}{,var/}run/firejail/mnt/trace w,
owner /{,run/firejail/mnt/oroot/}{,var/}run/user/[0-9]*/** w,
owner /{,run/firejail/mnt/oroot/}{run,dev}/shm/** w,

# Allow writing to /var/mail and /var/spool/mail (for mail clients)
# Uncomment to enable
#owner /var/{mail,spool/mail}/** w,

# Allow writing to removable media
owner /{,var/}run/media/** w,

# Allow logging Firejail blacklist violations to journal
/{,var/}run/systemd/journal/socket w,
/{,var/}run/systemd/journal/dev-log w,

# Allow access to cups printing socket.
/{,var/}run/cups/cups.sock w,

# Allow access to avahi-daemon socket.
/{,var/}run/avahi-daemon/socket w,

# Allow access to pcscd socket (smartcards)
/{,var/}run/pcscd/pcscd.comm w,

# Needed for browser self-sandboxing
owner /proc/@{PID}/{uid_map,gid_map,setgroups} w,

# Needed for electron apps
/proc/@{PID}/comm w,
# Needed for nslookup, dig, host
/proc/@{PID}/task/@{PID}/comm w,

# Used by chromium
owner /proc/@{PID}/oom_score_adj w,
owner /proc/@{PID}/clear_refs w,

##########
# Allow running programs only from well-known system directories. If you need
# to run programs from your home directory, add "/{,run/firejail/mnt/oroot/}home/** ix,"
# or similar to /etc/apparmor.d/local/firejail-default (without the quotes).
##########
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}bin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}sbin/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}games/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}lib{,32,64,exec}/** ix,
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}opt/** ix,
#/{,run/firejail/mnt/oroot/}home/** ix,

# Appimage support
/{,run/firejail/mnt/oroot/}{,var/}run/firejail/appimage/** ix,

##########
# Blacklist specific sensitive paths.
##########
deny /**/.fscrypt/ rw,
deny /**/.fscrypt/** rwklmx,
deny /**/.snapshots/ rw,
deny /**/.snapshots/** rwklmx,

##########
# Allow all networking functionality, and control it from Firejail.
##########
network inet,
network inet6,
network unix,
network netlink,
network raw,
# needed for wireshark, tcpdump etc
network bluetooth,
network packet,

##########
# There is no equivalent in Firejail for filtering signals.
##########
signal (send) peer=@{profile_name}//&unconfined,
signal (send) peer=@{profile_name},
signal (receive),

##########
# We let Firejail deal with capabilities, but ensure that
# some AppArmor related capabilities will not be available.
##########
# The list of recognized capabilities varies from one apparmor version to another.
# For example on Debian 10 (apparmor 2.13.2) checkpoint_restore, perfmon, bpf are not available
# We allow all caps by default and remove the ones we don't like:
capability,
deny capability audit_write,
deny capability audit_control,
deny capability mac_override,
deny capability mac_admin,

# Site-specific additions and overrides. See local/README for details.
#include <local/firejail-default>
}

journalctl -r from just now:

Mar 02 12:02:45 archlinux kernel: audit: type=1327 audit(1677754965.693:28947): proctitle="parsecd"
Mar 02 12:02:45 archlinux kernel: audit: type=1300 audit(1677754965.693:28947): arch=c000003e syscall=234 success=no exit=-13 a0=d a1=d a2=f a3=8 items=0 ppid=3235018 pid=3235034 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=11 comm="parsecd" exe="/usr/local/bin/parsecd" subj=firejail-default//&unconfined (enforce) key=(null)
Mar 02 12:02:45 archlinux kernel: audit: type=1400 audit(1677754965.693:28947): apparmor="DENIED" operation="signal" profile="firejail-default" pid=3235034 comm="parsecd" requested_mask="send" denied_mask="send" signal=term peer="firejail-default//&unconfined"
Mar 02 12:02:45 archlinux audit: PROCTITLE proctitle="parsecd"
Mar 02 12:02:45 archlinux audit[3235034]: SYSCALL arch=c000003e syscall=234 success=no exit=-13 a0=d a1=d a2=f a3=8 items=0 ppid=3235018 pid=3235034 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=11 comm="parsecd" exe="/usr/local/bin/parsecd" subj=firejail-default//&unconfined (enforce) key=(null)
Mar 02 12:02:45 archlinux audit[3235034]: AVC apparmor="DENIED" operation="signal" profile="firejail-default" pid=3235034 comm="parsecd" requested_mask="send" denied_mask="send" signal=term peer="firejail-default//&unconfined"
Mar 02 12:02:45 archlinux kernel: audit: type=1327 audit(1677754965.683:28946): proctitle="parsecd"
Mar 02 12:02:45 archlinux kernel: audit: type=1300 audit(1677754965.683:28946): arch=c000003e syscall=234 success=no exit=-13 a0=d a1=d a2=2 a3=8 items=0 ppid=3235018 pid=3235034 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=11 comm="parsecd" exe="/usr/local/bin/parsecd" subj=firejail-default//&unconfined (enforce) key=(null)
Mar 02 12:02:45 archlinux kernel: audit: type=1400 audit(1677754965.683:28946): apparmor="DENIED" operation="signal" profile="firejail-default" pid=3235034 comm="parsecd" requested_mask="send" denied_mask="send" signal=int peer="firejail-default//&unconfined"
Mar 02 12:02:45 archlinux audit: PROCTITLE proctitle="parsecd"
Mar 02 12:02:45 archlinux audit[3235034]: SYSCALL arch=c000003e syscall=234 success=no exit=-13 a0=d a1=d a2=2 a3=8 items=0 ppid=3235018 pid=3235034 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts5 ses=11 comm="parsecd" exe="/usr/local/bin/parsecd" subj=firejail-default//&unconfined (enforce) key=(null)
Mar 02 12:02:45 archlinux audit[3235034]: AVC apparmor="DENIED" operation="signal" profile="firejail-default" pid=3235034 comm="parsecd" requested_mask="send" denied_mask="send" signal=int peer="firejail-default//&unconfined"

Validation that I did not touch anything (/etc/apparmor.d/firejail-default is not listed because it is not a backup file and thus apparently not tracked):

pacman -Qii firejail
Name            : firejail
Version         : 0.9.72-1
Description     : Linux namespaces sandbox program
Architecture    : x86_64
URL             : https://github.com/netblue30/firejail
Licenses        : GPL2
Groups          : None
Provides        : None
Depends On      : apparmor
Optional Deps   : xdg-dbus-proxy: for D-Bus filtering [installed]
Required By     : None
Optional For    : None
Conflicts With  : None
Replaces        : None
Installed Size  : 2.38 MiB
Packager        : T.J. Townsend <blakkheim@archlinux.org>
Build Date      : Mon 16 Jan 2023 05:18:57 PM CET
Install Date    : Sat 04 Feb 2023 10:11:54 AM CET
Install Reason  : Explicitly installed
Install Script  : Yes
Validated By    : Signature
Backup Files    :
UNMODIFIED	/etc/apparmor.d/local/firejail-default
MODIFIED	/etc/firejail/firecfg.config
MODIFIED	/etc/firejail/firejail.config
UNMODIFIED	/etc/firejail/login.users

-Qkk firejail also only reports /etc/firejail stuff to have changed:

backup file: firejail: /etc/firejail/firecfg.config (Modification time mismatch)
backup file: firejail: /etc/firejail/firecfg.config (Size mismatch)
backup file: firejail: /etc/firejail/firecfg.config (MD5 checksum mismatch)
backup file: firejail: /etc/firejail/firecfg.config (SHA256 checksum mismatch)
backup file: firejail: /etc/firejail/firejail.config (Modification time mismatch)
backup file: firejail: /etc/firejail/firejail.config (Size mismatch)
backup file: firejail: /etc/firejail/firejail.config (MD5 checksum mismatch)
backup file: firejail: /etc/firejail/firejail.config (SHA256 checksum mismatch)
firejail: 1338 total files, 0 altered files
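The journal excerpt above carries the whole story in the audit serial: the type=1300 SYSCALL record (syscall=234, which is tgkill on x86_64, exit=-13) and the type=1400 AVC record (operation="signal", denied_mask="send") share one serial, so the EACCES comes from the AppArmor profile, not from seccomp. The script below is an added triage example (not part of the report or of firejail) that groups records by serial and names the layer that refused the call; the sample log is constructed from the excerpt, plus one invented type=1326 SECCOMP record to show what a seccomp refusal looks like by contrast.

```python
"""Group kernel audit records by serial and say which sandbox layer refused
a syscall: the AppArmor profile (type=1400 AVC) or the seccomp filter
(type=1326 SECCOMP). Added example, not firejail code."""
import errno
import re
from collections import defaultdict

# Constructed sample: trimmed copies of the journal lines in the report, plus an
# invented type=1326 record (serial 28950) for a seccomp ERRNO-action refusal.
SAMPLE_LOG = """\
Mar 02 12:02:45 archlinux kernel: audit: type=1327 audit(1677754965.693:28947): proctitle="parsecd"
Mar 02 12:02:45 archlinux kernel: audit: type=1300 audit(1677754965.693:28947): arch=c000003e syscall=234 success=no exit=-13 a0=d a1=d a2=f a3=8 pid=3235034 comm="parsecd" exe="/usr/local/bin/parsecd" subj=firejail-default//&unconfined (enforce) key=(null)
Mar 02 12:02:45 archlinux kernel: audit: type=1400 audit(1677754965.693:28947): apparmor="DENIED" operation="signal" profile="firejail-default" pid=3235034 comm="parsecd" requested_mask="send" denied_mask="send" signal=term peer="firejail-default//&unconfined"
Mar 02 12:02:45 archlinux audit[3235034]: AVC apparmor="DENIED" operation="signal" profile="firejail-default" pid=3235034 comm="parsecd" requested_mask="send" denied_mask="send" signal=term peer="firejail-default//&unconfined"
Mar 02 12:02:45 archlinux kernel: audit: type=1300 audit(1677754965.683:28946): arch=c000003e syscall=234 success=no exit=-13 a0=d a1=d a2=2 a3=8 pid=3235034 comm="parsecd" exe="/usr/local/bin/parsecd" subj=firejail-default//&unconfined (enforce) key=(null)
Mar 02 12:02:45 archlinux kernel: audit: type=1400 audit(1677754965.683:28946): apparmor="DENIED" operation="signal" profile="firejail-default" pid=3235034 comm="parsecd" requested_mask="send" denied_mask="send" signal=int peer="firejail-default//&unconfined"
Mar 02 12:02:46 archlinux kernel: audit: type=1326 audit(1677754966.100:28950): auid=1000 uid=1000 gid=1000 ses=11 subj=firejail-default pid=3235034 comm="parsecd" exe="/usr/local/bin/parsecd" sig=0 arch=c000003e syscall=234 compat=0 ip=0x7f0000000000 code=0x50000
"""

# Only kernel-emitted records carry "type=N audit(ts:serial):"; the auditd
# re-logged "audit[pid]: AVC ..." lines are duplicates and are skipped.
AUDIT_RE = re.compile(r"type=(?P<type>\d+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Just the x86_64 syscall and signal numbers this example needs to decode.
SYSCALL_NAMES_X86_64 = {62: "kill", 200: "tkill", 234: "tgkill"}
SIGNAL_NAMES = {2: "int", 9: "kill", 15: "term"}
# Upper 16 bits of the seccomp return value (SECCOMP_RET_ACTION_FULL).
SECCOMP_ACTIONS = {0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD",
                   0x00030000: "TRAP", 0x00050000: "ERRNO",
                   0x7ffc0000: "LOG", 0x7fff0000: "ALLOW"}


def parse_record(line):
    """Return the key=value fields of one kernel audit record, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("body"))}
    fields["_type"] = int(m.group("type"))
    fields["_serial"] = int(m.group("serial"))
    return fields


def decode_syscall(rec):
    """Name the syscall, its errno and, for tgkill, the signal in a2."""
    nr = int(rec["syscall"])
    out = {"syscall": SYSCALL_NAMES_X86_64.get(nr, str(nr))}
    if rec.get("success") == "no":
        code = -int(rec["exit"])          # exit=-13 -> 13 -> EACCES
        out["errno"] = errno.errorcode.get(code, str(code))
    if out["syscall"] == "tgkill":
        sig = int(rec["a2"], 16)          # audit prints syscall args in hex
        out["signal"] = SIGNAL_NAMES.get(sig, str(sig))
    return out


def seccomp_action(code):
    return SECCOMP_ACTIONS.get(int(code, 16) & 0xFFFF0000, code)


def classify(log_text):
    """One verdict per audit serial that contains a denial, in serial order."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["_serial"]].append(rec)
    verdicts = []
    for serial in sorted(events):
        by_type = {r["_type"]: r for r in events[serial]}
        avc, seccomp, syscall = by_type.get(1400), by_type.get(1326), by_type.get(1300)
        if avc and avc.get("apparmor") == "DENIED":
            v = {"serial": serial, "blocked_by": "apparmor",
                 "operation": avc.get("operation"), "profile": avc.get("profile"),
                 "peer": avc.get("peer")}
            if syscall:
                v.update(decode_syscall(syscall))
            verdicts.append(v)
        elif seccomp:
            v = {"serial": serial, "blocked_by": "seccomp",
                 "syscall": SYSCALL_NAMES_X86_64.get(int(seccomp["syscall"]), seccomp["syscall"]),
                 "action": seccomp_action(seccomp.get("code", "0x0"))}
            verdicts.append(v)
    return verdicts


if __name__ == "__main__":
    for v in classify(SAMPLE_LOG):
        print(v)
```

Run against a real `journalctl -k` capture the script reports "blocked_by: apparmor" for the two tgkill calls in the report, which is why `seccomp !tgkill` cannot help here.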
Author
Owner

@ghost commented on GitHub (Mar 2, 2023):

Thanks for posting your firejail-default files. Both are unedited, exact copies of what we have in git, all right. So that's not an avenue for trying to debug.

Validation I did not touch anything (/etc/apparmor.d/firejail-default is not listed because it is not a backup file and thus apparently not tracked):

Yep, that makes sense from a packaging point of view. Users are supposed to make their changes to /etc/apparmor.d/firejail-default in /etc/apparmor.d/local/firejail-default. Again, no clues what might cause the differences we're both getting with parsecd.

At the moment I only have a long shot idea on how to proceed, and that's audit rules. I do have a few extras in /etc/audit/rules.d. But those are copies of the examples under /usr/share/audit/sample-rules (meaning I didn't change their content and definitely nothing is in there that relates to parsec AFAICT)... Perhaps you can double-check your /etc/audit/audit.rules and whether journalctl reports anything 'fishy' about those. A quick journalctl | grep audit.rules and journalctl | grep augenrules should clear up whether that's involved here or not.


@ghost commented on GitHub (Mar 2, 2023):

I'm out of ideas. Still unable to reproduce after testing without my audit/apparmor customizations. Running a quick seccomp check confirms the tgkill syscall is allowed in the sandbox:

```console
$ firejail --name=parsecd /usr/bin/parsecd
[D 2023-03-02 15:15:20] log: Parsec release17 (150-87)
[D 2023-03-02 15:16:10] login_pre_frame: Auth success: Standard
```

in another terminal:

```
$ firejail --seccomp.print=parsecd

FILE: /run/firejail/mnt/seccomp/seccomp.protocol
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 04 00 c000003e   jeq ARCH_64 0006 (false 0002)
 0002: 20 00 00 00000000   ld  data.syscall-number
 0003: 15 01 00 00000167   jeq unknown 0005 (false 0004)
 0004: 06 00 00 7fff0000   ret ALLOW
 0005: 05 00 00 00000009   jmp 000f
 0006: 20 00 00 00000004   ld  data.architecture
 0007: 15 01 00 c000003e   jeq ARCH_64 0009 (false 0008)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 20 00 00 00000000   ld  data.syscall-number
 000a: 35 01 00 40000000   jge X32_ABI 000c (false 000b)
 000b: 35 01 00 00000000   jge read 000d (false 000c)
 000c: 06 00 00 00050001   ret ERRNO(1)
 000d: 15 01 00 00000029   jeq socket 000f (false 000e)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 20 00 00 00000010   ld  data.args[0]
 0010: 15 00 01 00000001   jeq 1 0011 (false 0012)
 0011: 06 00 00 7fff0000   ret ALLOW
 0012: 15 00 01 00000002   jeq 2 0013 (false 0014)
 0013: 06 00 00 7fff0000   ret ALLOW
 0014: 15 00 01 0000000a   jeq a 0015 (false 0016)
 0015: 06 00 00 7fff0000   ret ALLOW
 0016: 15 00 01 00000010   jeq 10 0017 (false 0018)
 0017: 06 00 00 7fff0000   ret ALLOW
 0018: 06 00 00 0005005f   ret ERRNO(95)

FILE: /run/firejail/mnt/seccomp/seccomp.block_secondary
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 00050001   ret ERRNO(1)
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 06 00000087   jeq personality 0008 (false 000e)
 0008: 20 00 00 00000010   ld  data.args[0]
 0009: 15 01 00 00000000   jeq 0 000b (false 000a)
 000a: 15 00 02 ffffffff   jeq ffffffff 000b (false 000d)
 000b: 20 00 00 00000014   ld  data.args[4]
 000c: 15 01 00 00000000   jeq 0 000e (false 000d)
 000d: 06 00 00 00050001   ret ERRNO(1)
 000e: 06 00 00 7fff0000   ret ALLOW

FILE: /run/firejail/mnt/seccomp/seccomp
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 01 000000ea   jeq tgkill 0008 (false 0009)    <---- tgkill
 0008: 06 00 00 7fff0000   ret ALLOW                                    <---- is allowed
 0009: 15 47 00 0000009f   jeq adjtimex 0051 (false 000a)
 000a: 15 46 00 00000131   jeq clock_adjtime 0051 (false 000b)
 000b: 15 45 00 000000e3   jeq clock_settime 0051 (false 000c)
 000c: 15 44 00 000000a4   jeq settimeofday 0051 (false 000d)
 000d: 15 43 00 0000009a   jeq modify_ldt 0051 (false 000e)
 000e: 15 42 00 000000d4   jeq lookup_dcookie 0051 (false 000f)
 000f: 15 41 00 0000012a   jeq perf_event_open 0051 (false 0010)
 0010: 15 40 00 000001b6   jeq pidfd_getfd 0051 (false 0011)
 0011: 15 3f 00 00000137   jeq process_vm_writev 0051 (false 0012)
 0012: 15 3e 00 000000b0   jeq delete_module 0051 (false 0013)
 0013: 15 3d 00 00000139   jeq finit_module 0051 (false 0014)
 0014: 15 3c 00 000000af   jeq init_module 0051 (false 0015)
 0015: 15 3b 00 000000a1   jeq chroot 0051 (false 0016)
 0016: 15 3a 00 000001af   jeq fsconfig 0051 (false 0017)
 0017: 15 39 00 000001b0   jeq fsmount 0051 (false 0018)
 0018: 15 38 00 000001ae   jeq fsopen 0051 (false 0019)
 0019: 15 37 00 000001b1   jeq fspick 0051 (false 001a)
 001a: 15 36 00 000000a5   jeq mount 0051 (false 001b)
 001b: 15 35 00 000001ad   jeq move_mount 0051 (false 001c)
 001c: 15 34 00 000001ac   jeq open_tree 0051 (false 001d)
 001d: 15 33 00 0000009b   jeq pivot_root 0051 (false 001e)
 001e: 15 32 00 000000a6   jeq umount2 0051 (false 001f)
 001f: 15 31 00 0000009c   jeq _sysctl 0051 (false 0020)
 0020: 15 30 00 000000b7   jeq afs_syscall 0051 (false 0021)
 0021: 15 2f 00 000000ae   jeq create_module 0051 (false 0022)
 0022: 15 2e 00 000000b1   jeq get_kernel_syms 0051 (false 0023)
 0023: 15 2d 00 000000b5   jeq getpmsg 0051 (false 0024)
 0024: 15 2c 00 000000b6   jeq putpmsg 0051 (false 0025)
 0025: 15 2b 00 000000b2   jeq query_module 0051 (false 0026)
 0026: 15 2a 00 000000b9   jeq security 0051 (false 0027)
 0027: 15 29 00 0000008b   jeq sysfs 0051 (false 0028)
 0028: 15 28 00 000000b8   jeq tuxcall 0051 (false 0029)
 0029: 15 27 00 00000086   jeq uselib 0051 (false 002a)
 002a: 15 26 00 00000088   jeq ustat 0051 (false 002b)
 002b: 15 25 00 000000ec   jeq vserver 0051 (false 002c)
 002c: 15 24 00 000000ad   jeq ioperm 0051 (false 002d)
 002d: 15 23 00 000000ac   jeq iopl 0051 (false 002e)
 002e: 15 22 00 000000f6   jeq kexec_load 0051 (false 002f)
 002f: 15 21 00 00000140   jeq kexec_file_load 0051 (false 0030)
 0030: 15 20 00 000000a9   jeq reboot 0051 (false 0031)
 0031: 15 1f 00 000000a7   jeq swapon 0051 (false 0032)
 0032: 15 1e 00 000000a8   jeq swapoff 0051 (false 0033)
 0033: 15 1d 00 00000130   jeq open_by_handle_at 0051 (false 0034)
 0034: 15 1c 00 0000012f   jeq name_to_handle_at 0051 (false 0035)
 0035: 15 1b 00 000000fb   jeq ioprio_set 0051 (false 0036)
 0036: 15 1a 00 00000067   jeq syslog 0051 (false 0037)
 0037: 15 19 00 0000012c   jeq fanotify_init 0051 (false 0038)
 0038: 15 18 00 000000f8   jeq add_key 0051 (false 0039)
 0039: 15 17 00 000000f9   jeq request_key 0051 (false 003a)
 003a: 15 16 00 000000ed   jeq mbind 0051 (false 003b)
 003b: 15 15 00 00000100   jeq migrate_pages 0051 (false 003c)
 003c: 15 14 00 00000117   jeq move_pages 0051 (false 003d)
 003d: 15 13 00 000000fa   jeq keyctl 0051 (false 003e)
 003e: 15 12 00 000000ce   jeq io_setup 0051 (false 003f)
 003f: 15 11 00 000000cf   jeq io_destroy 0051 (false 0040)
 0040: 15 10 00 000000d0   jeq io_getevents 0051 (false 0041)
 0041: 15 0f 00 000000d1   jeq io_submit 0051 (false 0042)
 0042: 15 0e 00 000000d2   jeq io_cancel 0051 (false 0043)
 0043: 15 0d 00 000000d8   jeq remap_file_pages 0051 (false 0044)
 0044: 15 0c 00 000000ee   jeq set_mempolicy 0051 (false 0045)
 0045: 15 0b 00 00000116   jeq vmsplice 0051 (false 0046)
 0046: 15 0a 00 00000143   jeq userfaultfd 0051 (false 0047)
 0047: 15 09 00 000000a3   jeq acct 0051 (false 0048)
 0048: 15 08 00 00000141   jeq bpf 0051 (false 0049)
 0049: 15 07 00 000000b4   jeq nfsservctl 0051 (false 004a)
 004a: 15 06 00 000000ab   jeq setdomainname 0051 (false 004b)
 004b: 15 05 00 000000aa   jeq sethostname 0051 (false 004c)
 004c: 15 04 00 00000099   jeq vhangup 0051 (false 004d)
 004d: 15 03 00 00000065   jeq ptrace 0051 (false 004e)
 004e: 15 02 00 00000087   jeq personality 0051 (false 004f)
 004f: 15 01 00 00000136   jeq process_vm_readv 0051 (false 0050)
 0050: 06 00 00 7fff0000   ret ALLOW
 0051: 06 00 01 00050001   ret ERRNO(1)

FILE: /run/firejail/mnt/seccomp/seccomp.mdwx
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 05 00000009   jeq mmap 0008 (false 000d)
 0008: 20 00 00 00000020   ld  data.args[10]
 0009: 54 00 00 00000006   and 00000006
 000a: 15 00 01 00000006   jeq 6 000b (false 000c)
 000b: 06 00 00 00050001   ret ERRNO(1)
 000c: 06 00 00 7fff0000   ret ALLOW
 000d: 15 00 05 0000000a   jeq a 000e (false 0013)
 000e: 20 00 00 00000020   ld  data.args[10]
 000f: 54 00 00 00000004   and 00000004
 0010: 15 00 01 00000004   jeq 4 0011 (false 0012)
 0011: 06 00 00 00050001   ret ERRNO(1)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 15 00 05 00000149   jeq 149 0014 (false 0019)
 0014: 20 00 00 00000020   ld  data.args[10]
 0015: 54 00 00 00000004   and 00000004
 0016: 15 00 01 00000004   jeq 4 0017 (false 0018)
 0017: 06 00 00 00050001   ret ERRNO(1)
 0018: 06 00 00 7fff0000   ret ALLOW
 0019: 15 00 05 0000001e   jeq 1e 001a (false 001f)
 001a: 20 00 00 00000020   ld  data.args[10]
 001b: 54 00 00 00008000   and 00008000
 001c: 15 00 01 00008000   jeq 8000 001d (false 001e)
 001d: 06 00 00 00050001   ret ERRNO(1)
 001e: 06 00 00 7fff0000   ret ALLOW
 001f: 15 00 01 0000013f   jeq 13f 0020 (false 0021)
 0020: 06 00 00 00050001   ret ERRNO(1)
 0021: 06 00 00 7fff0000   ret ALLOW
 0022: 06 00 00 7fff0000   ret ALLOW

FILE: /run/firejail/mnt/seccomp/seccomp.mdwx.32
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 00 01 0000005a   jeq 5a 0005 (false 0006)
 0005: 06 00 00 00050001   ret ERRNO(1)
 0006: 15 00 05 000000c0   jeq c0 0007 (false 000c)
 0007: 20 00 00 00000020   ld  data.args[10]
 0008: 54 00 00 00000006   and 00000006
 0009: 15 00 01 00000006   jeq 6 000a (false 000b)
 000a: 06 00 00 00050001   ret ERRNO(1)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 15 00 05 0000007d   jeq 7d 000d (false 0012)
 000d: 20 00 00 00000020   ld  data.args[10]
 000e: 54 00 00 00000004   and 00000004
 000f: 15 00 01 00000004   jeq 4 0010 (false 0011)
 0010: 06 00 00 00050001   ret ERRNO(1)
 0011: 06 00 00 7fff0000   ret ALLOW
 0012: 15 00 05 0000017c   jeq 17c 0013 (false 0018)
 0013: 20 00 00 00000020   ld  data.args[10]
 0014: 54 00 00 00000004   and 00000004
 0015: 15 00 01 00000004   jeq 4 0016 (false 0017)
 0016: 06 00 00 00050001   ret ERRNO(1)
 0017: 06 00 00 7fff0000   ret ALLOW
 0018: 15 00 05 0000018d   jeq 18d 0019 (false 001e)
 0019: 20 00 00 00000020   ld  data.args[10]
 001a: 54 00 00 00008000   and 00008000
 001b: 15 00 01 00008000   jeq 8000 001c (false 001d)
 001c: 06 00 00 00050001   ret ERRNO(1)
 001d: 06 00 00 7fff0000   ret ALLOW
 001e: 15 00 01 00000164   jeq 164 001f (false 0020)
 001f: 06 00 00 00050001   ret ERRNO(1)
 0020: 06 00 00 7fff0000   ret ALLOW
 0021: 06 00 00 7fff0000   ret ALLOW

FILE: /run/firejail/mnt/seccomp/seccomp.namespaces
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 04 00000038   jeq clone 0008 (false 000c)
 0008: 20 00 00 00000010   ld  data.args[0]
 0009: 45 00 01 7e020000   jset 7e020000 000a (false 000b)
 000a: 06 00 00 00050001   ret ERRNO(1)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 15 00 01 000001b3   jeq 1b3 000d (false 000e)
 000d: 06 00 00 00050026   ret ERRNO(38)
 000e: 15 00 04 00000110   jeq 110 000f (false 0013)
 000f: 20 00 00 00000010   ld  data.args[0]
 0010: 45 00 01 7e020080   jset 7e020080 0011 (false 0012)
 0011: 06 00 00 00050001   ret ERRNO(1)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 15 00 04 00000134   jeq 134 0014 (false 0018)
 0014: 20 00 00 00000018   ld  data.args[8]
 0015: 15 01 00 00000000   jeq 0 0017 (false 0016)
 0016: 45 00 01 7e020080   jset 7e020080 0017 (false 0018)
 0017: 06 00 00 00050001   ret ERRNO(1)
 0018: 06 00 00 7fff0000   ret ALLOW
 0019: 06 00 00 7fff0000   ret ALLOW

FILE: /run/firejail/mnt/seccomp/seccomp.namespaces.32
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 00 04 00000078   jeq 78 0005 (false 0009)
 0005: 20 00 00 00000010   ld  data.args[0]
 0006: 45 00 01 7e020000   jset 7e020000 0007 (false 0008)
 0007: 06 00 00 00050001   ret ERRNO(1)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 000001b3   jeq 1b3 000a (false 000b)
 000a: 06 00 00 00050026   ret ERRNO(38)
 000b: 15 00 04 00000136   jeq 136 000c (false 0010)
 000c: 20 00 00 00000010   ld  data.args[0]
 000d: 45 00 01 7e020080   jset 7e020080 000e (false 000f)
 000e: 06 00 00 00050001   ret ERRNO(1)
 000f: 06 00 00 7fff0000   ret ALLOW
 0010: 15 00 04 0000015a   jeq 15a 0011 (false 0015)
 0011: 20 00 00 00000018   ld  data.args[8]
 0012: 15 01 00 00000000   jeq 0 0014 (false 0013)
 0013: 45 00 01 7e020080   jset 7e020080 0014 (false 0015)
 0014: 06 00 00 00050001   ret ERRNO(1)
 0015: 06 00 00 7fff0000   ret ALLOW
 0016: 06 00 00 7fff0000   ret ALLOW
```
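To turn a `--seccomp.print` listing like the one above into a yes/no answer for a given syscall and argument set, here is an added Python interpreter (not firejail code): it replays the raw OP/JT/JF/K columns of one FILE section as classic BPF over a `struct seccomp_data`, embedding the `seccomp.namespaces` section from the comment above and assuming x86_64 syscall numbers.

```python
"""Replay a firejail --seccomp.print listing and report the verdict for a syscall.

Added example, not firejail code. It interprets the raw OP/JT/JF/K columns
(classic BPF) rather than the mnemonics, so it works on any section of the dump.
"""
import re
import struct

# struct seccomp_data, little-endian: nr, arch, instruction_pointer, args[6]
SECCOMP_DATA = struct.Struct("<iIQ6Q")
AUDIT_ARCH_X86_64 = 0xC000003E
AUDIT_ARCH_I386 = 0x40000003
ACTIONS = {0x7FFF0000: "ALLOW", 0x00050000: "ERRNO", 0x00030000: "TRAP",
           0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD"}
# matches " 0007: 15 00 04 00000038   jeq clone 0008 (false 000c)"
LINE_RE = re.compile(r"^\s*([0-9a-f]{4}):\s+([0-9a-f]{2})\s+([0-9a-f]{2})"
                     r"\s+([0-9a-f]{2})\s+([0-9a-f]{8})")

# The seccomp.namespaces section exactly as printed in the comment above.
NAMESPACES = """\
FILE: /run/firejail/mnt/seccomp/seccomp.namespaces
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 04 00000038   jeq clone 0008 (false 000c)
 0008: 20 00 00 00000010   ld  data.args[0]
 0009: 45 00 01 7e020000   jset 7e020000 000a (false 000b)
 000a: 06 00 00 00050001   ret ERRNO(1)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 15 00 01 000001b3   jeq 1b3 000d (false 000e)
 000d: 06 00 00 00050026   ret ERRNO(38)
 000e: 15 00 04 00000110   jeq 110 000f (false 0013)
 000f: 20 00 00 00000010   ld  data.args[0]
 0010: 45 00 01 7e020080   jset 7e020080 0011 (false 0012)
 0011: 06 00 00 00050001   ret ERRNO(1)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 15 00 04 00000134   jeq 134 0014 (false 0018)
 0014: 20 00 00 00000018   ld  data.args[8]
 0015: 15 01 00 00000000   jeq 0 0017 (false 0016)
 0016: 45 00 01 7e020080   jset 7e020080 0017 (false 0018)
 0017: 06 00 00 00050001   ret ERRNO(1)
 0018: 06 00 00 7fff0000   ret ALLOW
 0019: 06 00 00 7fff0000   ret ALLOW
"""


def parse_listing(text):
    """Return [(op, jt, jf, k), ...] from the numbered lines of one FILE section."""
    prog = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            idx, op, jt, jf, k = (int(x, 16) for x in m.groups())
            if idx != len(prog):
                raise ValueError(f"non-contiguous listing at {idx:04x}")
            prog.append((op, jt, jf, k))
    return prog


def run_filter(prog, nr, arch=AUDIT_ARCH_X86_64, args=(0,) * 6):
    """Execute the filter on one seccomp_data; return (action, errno_or_None)."""
    data = SECCOMP_DATA.pack(nr, arch, 0, *args)
    acc, pc = 0, 0
    while pc < len(prog):
        op, jt, jf, k = prog[pc]
        pc += 1                          # jump offsets count from the next insn
        if op == 0x20:                   # BPF_LD|BPF_W|BPF_ABS: A = u32 at data[k]
            acc = struct.unpack_from("<I", data, k)[0]
        elif op == 0x54:                 # BPF_ALU|BPF_AND|BPF_K
            acc &= k
        elif op == 0x05:                 # BPF_JMP|BPF_JA
            pc += k
        elif op in (0x15, 0x35, 0x45):   # jeq / jge / jset against K
            cond = {0x15: acc == k, 0x35: acc >= k, 0x45: (acc & k) != 0}[op]
            pc += jt if cond else jf
        elif op == 0x06:                 # BPF_RET|BPF_K: verdict encoded in K
            action = ACTIONS.get(k & 0xFFFF0000, f"0x{k:08x}")
            return action, (k & 0xFFFF if action == "ERRNO" else None)
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x}")
    raise ValueError("filter ran off the end")


def verdict(listing, nr, arch=AUDIT_ARCH_X86_64, args=(0,) * 6):
    return run_filter(parse_listing(listing), nr, arch, args)


if __name__ == "__main__":
    CLONE, CLONE3, GETPID = 56, 435, 39          # x86_64 syscall numbers
    CLONE_NEWUSER, SIGCHLD = 0x10000000, 0x11    # clone() flag values
    print(verdict(NAMESPACES, CLONE, args=(CLONE_NEWUSER, 0, 0, 0, 0, 0)))  # ERRNO 1
    print(verdict(NAMESPACES, CLONE, args=(SIGCHLD, 0, 0, 0, 0, 0)))        # ALLOW
    print(verdict(NAMESPACES, CLONE3))                                       # ERRNO 38
```

Paste any other FILE section (for example the main `seccomp` filter, where `tgkill` is 234) into a string and call `verdict()` on it the same way; the `.32` sections need `arch=AUDIT_ARCH_I386` and i386 syscall numbers.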

@rusty-snake commented on GitHub (Mar 2, 2023):

Note that the usage of nanosleep can depend on libc version, architecture, kernel, ... rather low level details.


@NetSysFire commented on GitHub (Mar 18, 2023):

> At the moment I only have a long shot idea on how to proceed, and that's audit rules.

I have no custom audit rules. Both of your `journalctl | grep` commands do not return anything either. Also `pacman -Qkk audit` says `audit: 206 total files, 0 altered files`, too.
