github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #6195] landlock: "Invalid argument" error when creating the ruleset #3217

New issue
Closed
opened 2026-05-05 09:49:48 -06:00 by gitea-mirror · 10 comments
gitea-mirror commented 2026-05-05 09:49:48 -06:00
Owner
Copy link

Originally created by @curiosityseeker on GitHub (Feb 5, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6195

Description

After adding several Landlock rules I'm seeing errors after today's update of firejail-git

Steps to Reproduce

Steps to reproduce the behavior

Add the following rules to ~/.config/firejail/firefox:

landlock.enforce

landlock.write ${HOME}/.cache/mozilla/firefox
landlock.write ${HOME}/.mozilla
landlock.write ${HOME}/.local/share/pki
landlock.write ${HOME}/.pki
landlock.write ${DOWNLOADS}
landlock.write /media/Multimedia/Downloads
landlock.write ${RUNUSER}/*firefox*
landlock.write ${RUNUSER}/psd/*firefox*
ignore landlock.write ${HOME}
ignore landlock.execute /opt
ignore landlock.execute /usr/local/sbin
ignore landlock.execute /usr/local/games
include landlock-common.inc

Expected behavior

Until yesterday I haven't seen Landlock-related errors.

Actual behavior

ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.cache/mozilla/firefox: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.mozilla: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.local/share/pki: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/V/.pki: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/V/Downloads: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /media/Multimedia/Downloads: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /proc: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_makeipc: failed to add Landlock rule (abi=4 fs=600) for /: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /run/user/1000: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /dev: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /proc: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /tmp: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /run/firejail: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /bin: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /sbin: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/bin: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/sbin: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/local/bin: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /lib: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /lib64: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib32: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib64: Bad file descriptor
ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/local/lib: Bad file descriptor

Environment

Originally created by @curiosityseeker on GitHub (Feb 5, 2024). Original GitHub issue: https://github.com/netblue30/firejail/issues/6195 ### Description After adding several Landlock rules I'm seeing errors after today's update of firejail-git ### Steps to Reproduce _Steps to reproduce the behavior_ Add the following rules to ~/.config/firejail/firefox: ``` landlock.enforce landlock.write ${HOME}/.cache/mozilla/firefox landlock.write ${HOME}/.mozilla landlock.write ${HOME}/.local/share/pki landlock.write ${HOME}/.pki landlock.write ${DOWNLOADS} landlock.write /media/Multimedia/Downloads landlock.write ${RUNUSER}/*firefox* landlock.write ${RUNUSER}/psd/*firefox* ignore landlock.write ${HOME} ignore landlock.execute /opt ignore landlock.execute /usr/local/sbin ignore landlock.execute /usr/local/games include landlock-common.inc ``` ### Expected behavior Until yesterday I haven't seen Landlock-related errors. ### Actual behavior ``` ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.cache/mozilla/firefox: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.mozilla: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.local/share/pki: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/V/.pki: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/V/Downloads: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /media/Multimedia/Downloads: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /proc: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_makeipc: failed to add Landlock rule (abi=4 fs=600) for /: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /run/user/1000: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /dev: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /proc: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /tmp: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /run/firejail: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /bin: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /sbin: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/bin: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/sbin: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/local/bin: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /lib: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /lib64: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib32: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib64: Bad file descriptor ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/local/lib: Bad file descriptor ``` ### Environment - Arch Linux - firejail-git - 1c9494769c9ed46385ba79dc97de689ce1af19fc
gitea-mirror 2026-05-05 09:49:48 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 09:49:51 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Feb 6, 2024):

Add the following rules to ~/.config/firejail/firefox:

ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument

Cannot reproduce it on Artix with:

firejail --profile=firefox true

What is the command-line used?

What is the kernel version?

PR #6187 has Landlock-related changes but it did not change the full ruleset.

Can you try to bisect?

<!-- gh-comment-id:1928644224 --> @kmk3 commented on GitHub (Feb 6, 2024): > Add the following rules to ~/.config/firejail/firefox: > ``` > ll_create_full_ruleset: Error: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument > ``` Cannot reproduce it on Artix with: ```sh firejail --profile=firefox true ``` What is the command-line used? What is the kernel version? PR #6187 has Landlock-related changes but it did not change the full ruleset. Can you try to bisect?
gitea-mirror commented 2026-05-05 09:49:52 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 6, 2024):

I can (fully) reproduce on my Arch Linux. Will try to find some time to bisect.

<!-- gh-comment-id:1929194390 --> @ghost commented on GitHub (Feb 6, 2024): I can (fully) reproduce on my Arch Linux. Will try to find some time to bisect.
gitea-mirror commented 2026-05-05 09:49:53 -06:00
Author
Owner
Copy link

@curiosityseeker commented on GitHub (Feb 6, 2024):

What is the command-line used?

Nothing special. Just firefox with the default profile and the additions to the local profile as mentioned above.

What is the kernel version?

6.7.3-arch1-2

The latest 2 commits didn't change anything:

Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.cache/mozilla/firefox: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.mozilla: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.local/share/pki: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.pki: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /proc: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_makeipc: failed to add Landlock rule (abi=4 fs=600) for /: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /run/user/1000: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /dev: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /proc: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /tmp: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /run/firejail: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /bin: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /sbin: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/bin: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/sbin: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/local/bin: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /lib: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /lib64: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib32: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib64: Bad file descriptor
Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument
Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/local/lib: Bad file descriptor
<!-- gh-comment-id:1929329847 --> @curiosityseeker commented on GitHub (Feb 6, 2024): > What is the command-line used? Nothing special. Just `firefox` with the default profile and the additions to the local profile as mentioned above. > > What is the kernel version? 6.7.3-arch1-2 The latest 2 commits didn't change anything: ``` Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.cache/mozilla/firefox: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.mozilla: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.local/share/pki: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /home/seeker/.pki: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_read: failed to add Landlock rule (abi=4 fs=c) for /proc: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_makeipc: failed to add Landlock rule (abi=4 fs=600) for /: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /run/user/1000: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /dev: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /proc: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_write: failed to add Landlock rule (abi=4 fs=11b2) for /tmp: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /run/firejail: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /bin: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /sbin: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/bin: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/sbin: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/local/bin: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /lib: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /lib64: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib32: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/lib64: Bad file descriptor Error: ll_create_full_ruleset: failed to create Landlock ruleset (abi=4 fs=1fff): Invalid argument Error: ll_exec: failed to add Landlock rule (abi=4 fs=1) for /usr/local/lib: Bad file descriptor ```
gitea-mirror commented 2026-05-05 09:49:54 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 6, 2024):

Bisecting shows 760f50f78a as the first commit where this starts to show. As it happens that is the commit that introduced landlock.enforce. Anything after that doesn't affect this (up and including latest git build).

<!-- gh-comment-id:1929393111 --> @ghost commented on GitHub (Feb 6, 2024): Bisecting shows https://github.com/netblue30/firejail/commit/760f50f78ad13664d7a32b4577381c0341ab2d4a as the first commit where this starts to show. As it happens that is the commit that introduced `landlock.enforce`. Anything after that doesn't affect this (up and including latest git build).
gitea-mirror commented 2026-05-05 09:49:55 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Feb 6, 2024):

@glitsj16 on Feb 6:

Bisecting shows
760f50f
as the first commit where this starts to show. As it happens that is the
commit that introduced landlock.enforce. Anything after that doesn't affect
this (up and including latest git build).

Are the firefox profile changes needed to reproduce the errors (other than
landlock.enforce / landlock)? If so, which line(s) seem to cause them?

Could you run the following in 760f50f and post the output?

firejail --debug --profile=firefox --landlock true
<!-- gh-comment-id:1930065385 --> @kmk3 commented on GitHub (Feb 6, 2024): @glitsj16 [on Feb 6](https://github.com/netblue30/firejail/issues/6195#issuecomment-1929393111): > Bisecting shows > [760f50f](https://github.com/netblue30/firejail/commit/760f50f78ad13664d7a32b4577381c0341ab2d4a) > as the first commit where this starts to show. As it happens that is the > commit that introduced `landlock.enforce`. Anything after that doesn't affect > this (up and including latest git build). Are the firefox profile changes needed to reproduce the errors (other than `landlock.enforce` / `landlock`)? If so, which line(s) seem to cause them? Could you run the following in 760f50f and post the output? ```sh firejail --debug --profile=firefox --landlock true ```
gitea-mirror commented 2026-05-05 09:49:56 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Feb 6, 2024):

@curiosityseeker on Feb 6:

What is the command-line used?

Nothing special. Just firefox with the default profile and the additions to
the local profile as mentioned above.

Does it work without the profile changes (but with landlock.enforce)?

Could you run the following and post the output in a gist?

firejail --debug --profile=firefox --landlock.enforce true

At least from the Active seccomp files: line until the end.

<!-- gh-comment-id:1930087092 --> @kmk3 commented on GitHub (Feb 6, 2024): @curiosityseeker [on Feb 6](https://github.com/netblue30/firejail/issues/6195#issuecomment-1929329847): > > What is the command-line used? > > Nothing special. Just `firefox` with the default profile and the additions to > the local profile as mentioned above. Does it work without the profile changes (but with `landlock.enforce`)? Could you run the following and post the output in a gist? ```sh firejail --debug --profile=firefox --landlock.enforce true ``` At least from the `Active seccomp files:` line until the end.
gitea-mirror commented 2026-05-05 09:49:57 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 6, 2024):

@kmk3

Are the firefox profile changes needed to reproduce the errors (other than
landlock.enforce / landlock)? If so, which line(s) seem to cause them?

Negative. The errors show, even when there's only one line in the firefox.local: include landlock-common.inc.

Could you run the following in 760f50f78a and post the output?

Here are the logs.

<!-- gh-comment-id:1930399439 --> @ghost commented on GitHub (Feb 6, 2024): @kmk3 > Are the firefox profile changes needed to reproduce the errors (other than landlock.enforce / landlock)? If so, which line(s) seem to cause them? Negative. The errors show, even when there's only one line in the firefox.local: `include landlock-common.inc`. > Could you run the following in https://github.com/netblue30/firejail/commit/760f50f78ad13664d7a32b4577381c0341ab2d4a and post the output? Here are the logs. - test 01 :: including landlock-common.inc fj.6195.debug.01.log https://gist.github.com/glitsj16/09e5453d0d3d36d6be5be936a8384831 Reproducable cfr. OP's report. - test 02 :: WITHOUT including landlock-common.inc fj.6195.debug.02.log https://gist.github.com/glitsj16/839ef34908016c663c38ef8fce3a2827 No surprises here...
gitea-mirror commented 2026-05-05 09:49:58 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Feb 7, 2024):

The only thing that I could imagine being an invalid argument in that syscall
was if a struct had some wrong value/uninitialized field. And indeed, after
looking at linux/landlock.h I noticed that there was a new field. I was able
to reproduce it after upgrading linux-api-headers and initializing the structs
to 0 fixed the issue.

It should be fixed in #6200.

@curiosityseeker @glitsj16

Thanks for reporting/testing/bisecting.

<!-- gh-comment-id:1932314081 --> @kmk3 commented on GitHub (Feb 7, 2024): The only thing that I could imagine being an invalid argument in that syscall was if a struct had some wrong value/uninitialized field. And indeed, after looking at linux/landlock.h I noticed that there was a new field. I was able to reproduce it after upgrading linux-api-headers and initializing the structs to 0 fixed the issue. It should be fixed in #6200. @curiosityseeker @glitsj16 Thanks for reporting/testing/bisecting.
gitea-mirror commented 2026-05-05 09:49:58 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Feb 7, 2024):

@kmk3

It should be fixed in #6200.

Confirmed, just checked with a firejail build carrying the patch from #6200. All fine now. Thanks for your speedy and intense detective-work on this issue!

<!-- gh-comment-id:1932465482 --> @ghost commented on GitHub (Feb 7, 2024): @kmk3 > It should be fixed in #6200. Confirmed, just checked with a firejail build carrying the patch from #6200. All fine now. Thanks for your speedy and intense detective-work on this issue!
gitea-mirror commented 2026-05-05 09:49:59 -06:00
Author
Owner
Copy link

@curiosityseeker commented on GitHub (Feb 8, 2024):

Cool! I can confirm that that commit fixed the Issue:

32 Landlock rules initialized in 0.23 ms

Thanks a lot, @kmk3 !

<!-- gh-comment-id:1933805926 --> @curiosityseeker commented on GitHub (Feb 8, 2024): Cool! I can confirm that that commit fixed the Issue: `32 Landlock rules initialized in 0.23 ms` Thanks a lot, @kmk3 !
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3217
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?