[GH-ISSUE #6368] chromium: failure due to AppArmor user namespace errors #3252

Open
opened 2026-05-05 09:51:29 -06:00 by gitea-mirror · 11 comments

Originally created by @luckylinux on GitHub (Jun 3, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6368

Description

Trying to run Chromium results in an AppArmor "DENIED" message in dmesg.

Steps to Reproduce

Run in BASH firejail /usr/bin/chromium.
Result:

Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 151561, child pid 151562
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 207.51 ms
[6:6:0603/112348.640246:FATAL:credentials.cc(134)] Check failed: . : Permission denied (13)
[0603/112348.640438:WARNING:exception_handler_server.cc(204)] no ptrace

I also tried to add a custom AppArmor profile in /etc/apparmor.d/chromium and issuing systemctl restart apparmor, but this does NOT solve the issue:

# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile chromium /usr/bin/chromium flags=(unconfined) {
  userns,
}

Expected behavior

Chromium starting normally.

Actual behavior

Chromium refuses to start.

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a
terminal?

It actually works (or at least starts ...)

LC_ALL=C firejail --noprofile /usr/bin/chromium 
Parent pid 169691, child pid 169692
Child process initialized in 16.07 ms
[2:31:0603/112938.212607:ERROR:nss_util.cc(345)] After loading Root Certs, loaded==false: NSS error code: -8018

(chromium:2): IBUS-WARNING **: 11:29:39.142: Unable to connect to ibus: Could not connect: Connection refused

Parent is shutting down, bye...

Additional context

Any other detail that may help to understand/debug the problem

Relevant /etc/sysctl.d/99-userns.conf that might be responsible for the Issue:

# This is needed to run some AppImage (notably Electron Apps)
kernel.unprivileged_userns_clone=1

# However, make sure to restrict their activity
# Setup an AppArmor Profile based on e.g. the following references
# - https://github.com/bitwarden/clients/issues/5153
# - https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
# - https://github.com/johannesjo/super-productivity/issues/3193
# See /etc/apparmor.d/bitwarden for Reference
# Then Issue a systemctl restart apparmor
kernel.apparmor_restrict_unprivileged_userns=1
kernel.apparmor_restrict_unprivileged_userns_complain=0
kernel.apparmor_restrict_unprivileged_userns_force=1

kernel.apparmor_restrict_unprivileged_unconfined=1

kernel.unprivileged_userns_apparmor_policy=1

Relevant dmesg Output:

[ 3138.280909] audit: type=1400 audit(1717407068.562:853): apparmor="DENIED" operation="userns_create" class="namespace" profile="firejail-default" pid=175054 comm="chromium" requested="userns_create" denied="userns_create"
[ 3139.085996] audit: type=1400 audit(1717407069.367:854): apparmor="DENIED" operation="userns_create" class="namespace" profile="firejail-default" pid=175084 comm="chromium" requested="userns_create" denied="userns_create"

Environment

  • Ubuntu 24.04 Noble AMD64
  • Firejail version 0.9.72
firejail --version
firejail version 0.9.72

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is disabled
	- IDS support is enabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is enabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

  • If you use a development version of firejail: No (using Ubuntu Noble Repositories):
Package: firejail                        
Version: 0.9.72-2ubuntu3
State: installed
Automatically installed: no
Priority: optional
Section: universe/utils
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: amd64
Uncompressed Size: 1.675 k
Depends: libapparmor1 (>= 2.10.95), libc6 (>= 2.38), libselinux1 (>= 3.1~)
Recommends: firejail-profiles, iproute2, iptables, xauth, xdg-dbus-proxy, xpra | xserver-xephyr | xvfb
Conflicts: firejail:i386
Description: sandbox to restrict the application environment
 Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.  It allows a process and all its descendants to have their
 own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Homepage: https://firejail.wordpress.com
Tags: implemented-in::c, interface::commandline, role::program, scope::utility, security::privacy, use::filtering, works-with::software:running
Package: firejail-profiles               
Version: 0.9.72-2ubuntu3
State: installed
Automatically installed: no
Priority: optional
Section: universe/utils
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Architecture: all
Uncompressed Size: 1.708 k
Depends: firejail
Breaks: firejail (< 0.9.46~rc1-1), firejail:i386 (< 0.9.46~rc1-1)
Replaces: firejail (< 0.9.46~rc1-1), firejail:i386 (< 0.9.46~rc1-1)
Description: profiles for the firejail application sandbox
 Firejail is a SUID security sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.  It allows a process and all its descendants to have their
 own private view of the globally shared kernel resources, such as the network stack, process table, mount table. 
 
 This package contains firejail profiles for various applications.
Homepage: https://firejail.wordpress.com
Tags: role::app-data

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

output goes here

Output of LC_ALL=C firejail --debug /path/to/program

output goes here
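
Added diagnostic, not part of the original report and not code from firejail: the dmesg lines above carry profile="firejail-default", which means the process that tried to create a user namespace was confined by Firejail's own AppArmor profile at that moment, so a userns rule placed in /etc/apparmor.d/chromium never applies to it. The POSIX shell script below parses such audit lines to show which profile denied userns_create, then prints the sysctls from 99-userns.conf as the running kernel exposes them (or "absent" where it does not), and checks whether the firejail-default profile text contains a userns rule. The audit sample is constructed (the two lines from the report plus one unrelated denial that must be filtered out), and the path /etc/apparmor.d/firejail-default is an assumption about where the distribution installs that profile; the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic (not from the report, not part of firejail).
# Assumptions: AppArmor audit lines use the key="value" layout seen in the
# report's dmesg output, and Firejail's own AppArmor profile is installed as
# /etc/apparmor.d/firejail-default (path assumed, checked for existence).

# Constructed sample: the two userns_create denials copied from the report,
# plus one unrelated (file open) denial that the parser must ignore.
SAMPLE_AUDIT='[ 3138.280909] audit: type=1400 audit(1717407068.562:853): apparmor="DENIED" operation="userns_create" class="namespace" profile="firejail-default" pid=175054 comm="chromium" requested="userns_create" denied="userns_create"
[ 3139.085996] audit: type=1400 audit(1717407069.367:854): apparmor="DENIED" operation="userns_create" class="namespace" profile="firejail-default" pid=175084 comm="chromium" requested="userns_create" denied="userns_create"
[ 3140.000000] audit: type=1400 audit(1717407070.000:855): apparmor="DENIED" operation="open" class="file" profile="example-app" name="/etc/shadow" pid=4242 comm="example" requested_mask="r" denied_mask="r"'

# userns_denials: read audit lines on stdin and print "profile comm pid" for
# each AppArmor DENIED line whose operation is userns_create.
userns_denials() {
    grep 'apparmor="DENIED"' | grep 'operation="userns_create"' |
        sed -n 's/.*profile="\([^"]*\)".*pid=\([0-9]*\).*comm="\([^"]*\)".*/\1 \3 \2/p'
}

# count_userns_profiles: number of distinct confining profiles among the
# userns_create denials read on stdin.
count_userns_profiles() {
    userns_denials | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# sysctl_show: value of a kernel.* sysctl read from /proc, or "absent" when
# this kernel does not expose it (older or non-AppArmor kernels).
sysctl_show() {
    f="/proc/sys/kernel/$1"
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# profile_has_userns: does the AppArmor profile file contain a plain
# "userns" rule at the start of a line? Prints yes, no or missing.
profile_has_userns() {
    if [ ! -r "$1" ]; then echo missing
    elif grep -q '^[[:space:]]*userns' "$1"; then echo yes
    else echo no
    fi
}

# userns_report: what the sample log says, and what this host is set to.
userns_report() {
    printf '%s\n' "$SAMPLE_AUDIT" | userns_denials |
        while read -r profile comm pid; do
            echo "userns_create denied for $comm (pid $pid), confining profile: $profile"
        done
    for k in unprivileged_userns_clone \
             apparmor_restrict_unprivileged_userns \
             apparmor_restrict_unprivileged_userns_force \
             apparmor_restrict_unprivileged_unconfined; do
        printf 'kernel.%-42s %s\n' "$k" "$(sysctl_show "$k")"
    done
    # The profile named in the denial is the one that would need the rule;
    # a rule in /etc/apparmor.d/chromium never applies to a process that
    # AppArmor is confining as firejail-default.
    echo "userns rule in /etc/apparmor.d/firejail-default: $(profile_has_userns /etc/apparmor.d/firejail-default)"
}

userns_report
```

Run it as-is to see the parsed denials from the sample; to analyse a live system, replace the sample with `dmesg | userns_denials` or `journalctl -k | userns_denials` and compare the reported profile name against the profile you actually edited.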


@ghost commented on GitHub (Jun 3, 2024):

> Relevant /etc/sysctl.d/99-userns.conf that might be responsible for the Issue

Is this a file installed by your OS? Or did you add it yourself? Also, please add your OS and firejail version to the report.

For now I see a few ways to try to get chromium to work as expected. Please test the below chromium-common.local overrides one by one and report back the result of each attempt.

  • test 1 [use the dedicated AppArmor profile created by user]
$ cat ~/.config/firejail/chromium-common.local
apparmor /usr/bin/chromium
  • test 2 [disable apparmor]
$ cat ~/.config/firejail/chromium-common.local
ignore apparmor
  • test 3 [allow userns_create capability]
$ cat ~/.config/firejail/chromium-common.local
caps.keep sys_admin,sys_chroot,userns_create
ignore caps.keep

@luckylinux commented on GitHub (Jun 3, 2024):

> > Relevant /etc/sysctl.d/99-userns.conf that might be responsible for the Issue
>
> Is this a file installed by your OS? Or did you add it yourself? Also, please add your OS and firejail version to the report.

Thank you for your quick answer.

I added the File /etc/sysctl.d/99-userns.conf myself.

According to https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces, Ubuntu should enforce AppArmor profiles by default now, but there were lots of back and forths while trying to have a hardened GNU/Linux system, especially with Electron apps refusing to work (particularly the Bitwarden AppImage).

Hence I prefer to show the File that reflects the current Configuration.

> * test 1 [use the dedicated AppArmor profile created by user]

(More or less) same Result as before

firejail /usr/bin/chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /home/<username>/.config/firejail/chromium-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 411801, child pid 411802
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 197.58 ms
[6:6:0603/124730.469542:FATAL:credentials.cc(134)] Check failed: . : Permission denied (13)
[0603/124730.469786:WARNING:exception_handler_server.cc(204)] no ptrace

Parent is shutting down, bye...
> * test 2 [disable apparmor]

Chromium starts, but Keyboard disabled (GTK_IM_MODULE=xim might solve this, untested).

firejail /usr/bin/chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /home/<username>/.config/firejail/chromium-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 414964, child pid 414965
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 198.60 ms
[6:38:0603/124832.094464:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:46:0603/124832.174249:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:46:0603/124832.174293:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:91:0603/124832.356952:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:91:0603/124832.357001:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:91:0603/124832.357066:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:91:0603/124832.357091:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[6:91:0603/124832.357110:ERROR:bus.cc(407)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied

(chromium:6): dbind-WARNING **: 12:48:32.361: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory
[6:37:0603/124832.791458:ERROR:nss_util.cc(345)] After loading Root Certs, loaded==false: NSS error code: -8018

(chromium:6): IBUS-WARNING **: 12:48:33.936: Unable to connect to ibus: Could not connect: Connection refused

[59:63:0603/124838.791095:ERROR:ssl_client_socket_impl.cc(879)] handshake failed; returned -1, SSL error code 1, net_error -202

(chromium:6): IBUS-WARNING **: 12:49:03.005: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.005: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.010: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.098: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.428: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.428: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.474: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.478: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.585: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.585: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.621: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.624: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.625: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.658: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.690: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.712: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.750: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.756: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.789: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:03.807: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.072: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.091: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.232: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.313: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.484: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.565: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.878: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:04.966: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.286: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.296: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.347: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.358: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.369: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.383: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.710: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.714: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.718: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.765: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.795: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.796: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.820: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.821: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.858: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.863: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.903: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.905: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:05.982: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:06.046: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:06.050: Events queue growing too big, will start to drop.

(chromium:6): IBUS-WARNING **: 12:49:06.082: Events queue growing too big, will start to drop.

Parent is shutting down, bye...

> * test 3 [allow userns_create capability]

Possible typo in your file? userns_create is not recognized.

firejail /usr/bin/chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /home/<username>/.config/firejail/chromium-common.local
Error: capability "userns_create" not found

NSS error code: -8018 (chromium:6): IBUS-WARNING **: 12:48:33.936: Unable to connect to ibus: Could not connect: Connection refused [59:63:0603/124838.791095:ERROR:ssl_client_socket_impl.cc(879)] handshake failed; returned -1, SSL error code 1, net_error -202 (chromium:6): IBUS-WARNING **: 12:49:03.005: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.005: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.010: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.098: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.428: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.428: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.474: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.478: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.585: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.585: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.621: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.624: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.625: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.658: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.690: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.712: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.750: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.756: Events queue growing too big, will start to drop. 
(chromium:6): IBUS-WARNING **: 12:49:03.789: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:03.807: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:04.072: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:04.091: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:04.232: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:04.313: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:04.484: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:04.565: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:04.878: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:04.966: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.286: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.296: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.347: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.358: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.369: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.383: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.710: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.714: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.718: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.765: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.795: Events queue growing too big, will start to drop. 
(chromium:6): IBUS-WARNING **: 12:49:05.796: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.820: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.821: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.858: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.863: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.903: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.905: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:05.982: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:06.046: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:06.050: Events queue growing too big, will start to drop. (chromium:6): IBUS-WARNING **: 12:49:06.082: Events queue growing too big, will start to drop. Parent is shutting down, bye... ``` > * test 3 [allow userns_create capability] Possible Typo in your File ? `userns_create` is not recognized ``` firejail /usr/bin/chromium Reading profile /etc/firejail/chromium.profile Reading profile /etc/firejail/chromium-common.profile Reading profile /home/<username>/.config/firejail/chromium-common.local Error: capability "userns_create" not found ```
@ghost commented on GitHub (Jun 3, 2024):

Thanks for testing.

> test 1 [use the dedicated AppArmor profile created by user]

No change, so we can focus on the alternatives.

> test 2 [disable apparmor]

For the moment this seems to be the `most promising` candidate to fix this. Obviously we need to address the keyboard issue. Also, the (new?) SSL-related error is a bit unexpected:

> [59:63:0603/124838.791095:ERROR:ssl_client_socket_impl.cc(879)] handshake failed; returned -1, SSL error code 1, net_error -202

> test 3 [allow userns_create capability]
> Error: capability "userns_create" not found

My bad. I took `userns_create` straight from your posted dmesg output above. I'll do some more digging, but it would be nice to try dropping the caps option altogether:

```sh
$ ~/.config/firejail/chromium-common.profile
ignore caps.keep
```

To confirm that Firejail can actually sandbox chromium properly in combination with your AppArmor profile we also need to test if it works with our `noprofile.profile`. This offers the weakest possible sandbox Firejail can apply to a program, and as such is considered useful for debugging purposes only.

```sh
$ firejail --profile=noprofile /usr/bin/chromium
```

Hope we can fix this properly and securely :)
@luckylinux commented on GitHub (Jun 3, 2024):

> Thanks for testing.

Thanks for helping me 👍.

> > test 2 [disable apparmor]
>
> For the moment this seems to be the `most promising` candidate to fix this. Obviously we need to address the keyboard issue. Also, the (new?) SSL-related error is a bit unexpected:
>
> > [59:63:0603/124838.791095:ERROR:ssl_client_socket_impl.cc(879)] handshake failed; returned -1, SSL error code 1, net_error -202

Nah ... I omitted some part of the Logs, because it concerns a self-signed SSL Certificate (the default OPNsense self-signed SSL Certificate). I assume this is also related to that.

> > test 3 [allow userns_create capability]
> > Error: capability "userns_create" not found
>
> My bad. I took `userns_create` straight from your posted dmesg output above. I'll do some more digging, but it would be nice to try dropping the caps option altogether:
>
> ```shell
> $ ~/.config/firejail/chromium-common.profile
> ignore caps.keep
> ```

Now you are suggesting a different File (`~/.config/firejail/chromium-common.profile` vs the previous `~/.config/firejail/chromium-common.local`). Is this intentional?

If I do the same with `~/.config/firejail/chromium-common.local` (same filename as before) containing just `ignore caps.keep`, I get:

```
firejail /usr/bin/chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /home/<username>/.config/firejail/chromium-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 767989, child pid 767990
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 203.60 ms
[6:6:0603/144024.125859:FATAL:credentials.cc(134)] Check failed: . : Permission denied (13)
[0603/144024.126059:WARNING:exception_handler_server.cc(204)] no ptrace

Parent is shutting down, bye...
```

With your newly proposed Filename (`~/.config/firejail/chromium-common.profile`) I get instead (with the same Contents):

```
firejail /usr/bin/chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /home/<username>/.config/firejail/chromium-common.profile
Parent pid 769740, child pid 769741
Child process initialized in 17.33 ms

(chromium:6): GLib-GIO-ERROR **: 12:40:56.561: No GSettings schemas are installed on the system
[0603/124056.561860:WARNING:exception_handler_server.cc(204)] no ptrace

Parent is shutting down, bye...
```

> To confirm that Firejail can actually sandbox chromium properly in combination with your AppArmor profile we also need to test if it works with our `noprofile.profile`. This offers the weakest possible sandbox Firejail can apply to a program, and as such is considered useful for debugging purposes only.
>
> ```shell
> $ firejail --profile=noprofile /usr/bin/chromium
> ```

```
firejail --profile=noprofile /usr/bin/chromium
Reading profile /etc/firejail/noprofile.profile
Parent pid 783142, child pid 783143
Warning: cannot open source file /usr/lib/x86_64-linux-gnu/firejail/seccomp.debug32, file not copied
Child process initialized in 7.89 ms

(chromium:2): IBUS-WARNING **: 14:45:12.658: Unable to connect to ibus: Could not connect: Connection refused
[2:30:0603/144512.828720:ERROR:nss_util.cc(345)] After loading Root Certs, loaded==false: NSS error code: -8018

Parent is shutting down, bye...
```

Chromium starts, but the Keyboard isn't working.

The following makes the Keyboard work as well, although I'm not sure about this being a long-term Solution:

```
GTK_IM_MODULE=xim firejail --profile=noprofile /usr/bin/chromium
Reading profile /etc/firejail/noprofile.profile
Parent pid 791417, child pid 791418
Warning: cannot open source file /usr/lib/x86_64-linux-gnu/firejail/seccomp.debug32, file not copied
Child process initialized in 6.74 ms
[2:31:0603/144748.043764:ERROR:nss_util.cc(345)] After loading Root Certs, loaded==false: NSS error code: -8018

(chromium:2): Gdk-WARNING **: 14:47:49.009: gdk_window_set_user_time called on non-toplevel

(chromium:2): Gdk-WARNING **: 14:47:49.141: gdk_window_set_user_time called on non-toplevel

(chromium:2): Gdk-WARNING **: 14:47:49.380: gdk_window_set_user_time called on non-toplevel

(chromium:2): Gdk-WARNING **: 14:47:49.545: gdk_window_set_user_time called on non-toplevel

Parent is shutting down, bye...
```

For Reference, the File `/usr/lib/x86_64-linux-gnu/firejail/seccomp.debug32` does NOT exist. Contents of the Folder (`ls -la /usr/lib/x86_64-linux-gnu/firejail`):

```
drwxr-xr-x   2 root root     30 Jun  2 17:21 .
drwxr-xr-x 202 root root   4392 Jun  2 18:21 ..
-rwxr-xr-x   1 root root  35200 Apr 16 05:09 fbuilder
-rwx--x--x   1 root root  22848 Apr 16 05:09 fcopy
-rwxr-xr-x   1 root root  22840 Apr 16 05:09 fids
-rwxr-xr-x   1 root root   6826 Apr 16 05:09 firejail-welcome.sh
-rwx--x--x   1 root root  18816 Apr 16 05:09 fldd
-rwx--x--x   1 root root  35208 Apr 16 05:09 fnet
-rwx--x--x   1 root root  14640 Apr 16 05:09 fnetfilter
-rwx--x--x   1 root root  31408 Apr 16 05:09 fnettrace
-rwx--x--x   1 root root  14648 Apr 16 05:09 fnettrace-dns
-rwx--x--x   1 root root  14720 Apr 16 05:09 fnettrace-icmp
-rwx--x--x   1 root root  14648 Apr 16 05:09 fnettrace-sni
-rwx--x--x   1 root root  80368 Apr 16 05:09 fseccomp
-rwx--x--x   1 root root  22912 Apr 16 05:09 fsec-optimize
-rwx--x--x   1 root root  31104 Apr 16 05:09 fsec-print
-rwx--x--x   1 root root   1811 Apr 16 05:09 fshaper.sh
-rwxr-xr-x   1 root root  14640 Apr 16 05:09 ftee
-rwxr-xr-x   1 root root  14640 Apr 16 05:09 fzenity
-rw-r--r--   1 root root  14480 Apr 16 05:09 libpostexecseccomp.so
-rw-r--r--   1 root root  18576 Apr 16 05:09 libtracelog.so
-rw-r--r--   1 root root  27448 Apr 16 05:09 libtrace.so
-rwxr-xr-x   1 root root  22832 Apr 16 05:09 profstats
-rw-r--r--   1 root root    640 Apr 16 05:09 seccomp
-rw-r--r--   1 root root    432 Apr 16 05:09 seccomp.32
-rw-r--r--   1 root root    120 Apr 16 05:09 seccomp.block_secondary
-rw-r--r--   1 root root    616 Apr 16 05:09 seccomp.debug
-rw-r--r--   1 root root    280 Apr 16 05:09 seccomp.mdwx
-rw-r--r--   1 root root    272 Apr 16 05:09 seccomp.mdwx.32
-rw-r--r--   1 root root 132290 Apr 16 05:09 static-ip-map
```

> Hope we can fix this properly and securely :)

I also hope that. I was NOT using ANY sandboxing until now 👎, but given how many exploits and vulnerabilities there are, "hoping" is NOT a Plan.

I also read that firejail is probably insecure on its own (due to the `setuid` bit etc.), and that Bubblewrap / `bwrap` might be better and so on ... Yet Bubblewrap isn't really User-friendly IMHO 😞, so at least firejail should be a good additional Layer of Protection ... at least for the foreseeable Future.

This isn't yet taking care of X11 Sandboxing of course. Launching `firejail` with `--x11=xpra` doesn't work (it just crashes), while I could play around a bit yesterday and got it to work with Thunderbird (`firejail --x11=xephyr thunderbird`).
@ghost commented on GitHub (Jun 3, 2024):

Observations on your latest round of testing:

> test 2 [disable apparmor]

Glad to read that the SSL-related output isn't a breakage factor.

> test 3 [allow userns_create capability]

Good that you caught my mistake, it was indeed the intention to test with `~/.config/firejail/chromium-common.local`. Now that we've confirmed it's not a fix, we can skip this option.

> noprofile.profile

Good news! Happy that this is working, regardless of the keyboard side-issue. Now it's a matter of tracking down the culprit option(s) and implementing a proper, secure chromium sandbox.

Regarding that keyboard aspect, having to use `GTK_IM_MODULE=xim` isn't that uncommon or insecure. You will need this, now as well as in a future Firejail release. Because we don't know if, nor which, IM module users prefer to use, it would be pointless to put this environment variable in the profile. But you as user definitely can. The supported syntax for doing so is documented in the man page, but is rather straightforward: `env GTK_IM_MODULE=xim`.

> For Reference File /usr/lib/x86_64-linux-gnu/firejail/seccomp.debug32 does NOT exist.

Due to Firejail's support for both 32-bit and 64-bit OSes this is a `common and ignorable` output on a 64-bit system. I realize that it's hard to distinguish at first between what's okay and what's not in (some of) the more verbose (debug) output Firejail can throw. Your keen eye for details (e.g. catching on to my mistakes), context-awareness during this troubleshooting session, etcetera, indicates you're going to do just fine with sandboxing. Whether using Firejail or alternative tech, that's not for me to decide or try to influence by glossing over some 'facts' about the limitations of such endeavours.

Which brings us to the `setuid` topic. Users _should_ be very much aware of the implications of running a SUID binary, be it firejail, pkexec, sudo, su or others. Yes, all of these well-known other layers we use without giving it much thought are also setuid/setgid. Reading up is always something to be stimulated. And it's not getting any less complex/complicated 'out there', is it? :)

Where Firejail is concerned, there are documented `mitigations`. Here are some links on that topic:

- [SUID and mitigations](https://firejail.wordpress.com/documentation-2/basic-usage/#suid)
- https://github.com/netblue30/firejail/issues/4601
- https://github.com/netblue30/firejail/issues/5288
- https://github.com/netblue30/firejail/issues/5290

> X11 Sandboxing

Definitely a powerful set of options. And there's also Wayland getting more and more polished for daily use. Sadly, Firejail's `--x11=xorg` option doesn't work for chromium (and xterm). There's some more context provided in `man firejail` on this topic.

That's it for now. Enjoy!
Author
Owner

@luckylinux commented on GitHub (Jun 3, 2024):

> noprofile.profile
>
> Good news! Happy that this is working, regardless of the keyboard side-issue. Now it's a matter of tracking down the culprit option(s) and implement a proper, secure chromium sandbox. Regarding that keyboard aspect, having to use `GTK_IM_MODULE=xim` isn't that uncommon or insecure. You will need this, now as well as in a future Firejail release. Because we don't know if, nor which IM module users prefer to use, it would be pointless to put this environment variable in the profile. But you as user definitely can. The supported syntax for doing so is documented in the man page, but rather straightforward: `env GTK_IM_MODULE=xim`.

Isn't this something that can be set on a "global" level? I'm tempted to say `~/.bashrc` and/or `~/.bash_profile`, but since this is firejail-specific, maybe there is a way for a "common" include (like for instance `/etc/firejail/disable-common.inc`, but NOT for disabling stuff and in my user folder)?

I think geany, chromium, thunderbird and probably several others are affected by the same issue.

> Which brings us to the `setuid` topic. Users _should_ be very much aware of the implications of running a SUID binary, be it firejail, pkexec, sudo, su or others. Yes, all of these well-known other layers we use without giving it much thought, are also setuid/setgid. Reading up is always something to be stimulated. And it's not getting any less complex/complicated 'out there' is it? :) What Firejail is concerned, there are documented `mitigations`. Here are some links on that topic:
>
> * [SUID and mitigations](https://firejail.wordpress.com/documentation-2/basic-usage/#suid)
> * [Does firejail improve the security of my system? thoughts by @rusty-snake #4601](https://github.com/netblue30/firejail/discussions/4601)
> * [Delimitate execution permissions for firejail #5288](https://github.com/netblue30/firejail/issues/5288)
> * [docs: mention risk of SUID binaries and also firejail-users(5) #5290](https://github.com/netblue30/firejail/pull/5290)

Actually I set `force-nonewprivs yes` in `/etc/firejail/firejail.config`.
Maybe the Chromium issue is related to this actually (although `kernel.unprivileged_userns_clone=1` and NOT 0)?

Although I find it a bit weird that this isn't something "standardized" in the "normal" (shipped) Chromium profile, isn't it?

> X11 Sandboxing
>
> Definitely a powerful set of options. And there's also Wayland getting more and more polished for daily use. Sadly, Firejail's `--x11=xorg` option doesn't work for chromium (and xterm). There's some more context provided in `man firejail` on this topic.

Wayland isn't very well supported by NVIDIA drivers and I have (mostly) NVIDIA GPUs.
They seem to be getting better lately, so I might give it a try.

I just sense that it's going to maybe fix 1 issue while creating 10 new ones 😞.

> That's it for now. Enjoy!

Thanks for your help 👍.

I guess, as usual, it's like opening Pandora's box. You know where you start, you do NOT know where you end up 😆.


@ghost commented on GitHub (Jun 3, 2024):

Follow-up

Not my best day apparently. There's something I have overlooked.

> I also tried to add a Custom AppArmor Profile in /etc/apparmor.d/chromium and issuing systemctl restart apparmor but this does NOT solve the Issue

To actually test this in combination with Firejail's apparmor option there are two conditions that need to be fulfilled:

- the custom AA profile referenced in chromium-common.local needs to be loaded into the kernel prior to starting the sandbox;
- the proper option to instruct Firejail to use that custom AA profile instead of its default version.

So, if you're up for it (doesn't have to be right now of course), you might try this again. After all, if it's possible, that would provide the 'ideal' fix.

(1) the Firejail part (we've done similarly above)

```sh
$ cat ~/.config/firejail/chromium-common.local
apparmor /usr/bin/chromium
```

(2) the AppArmor part

```sh
# use proper AA naming scheme
$ sudo mv /etc/apparmor.d/chromium /etc/apparmor.d/usr.bin.chromium

# purge AA cache
$ sudo apparmor_parser --purge-cache
```

Additionally, to absolutely make sure this AA profile makes it into kernelspace, a reboot is advised instead of restarting the apparmor.service.

Fingers crossed!


@ghost commented on GitHub (Jun 3, 2024):

`GTK_IM_MODULE=xim`

> Isn't this something that can be set on a "global" level? I'm tempted to say ~/.bashrc and/or ~/.bash_profile, but since this is firejail-specific, maybe there is a way for a "common" include (like for instance /etc/firejail/disable-common.inc, but NOT for disabling stuff and in my User Folder)?

Absolutely. Like two sides of a coin. Do it in your desktop environment via shell configuration like you mentioned (per-user) or (system-wide) via `/etc/bash.bashrc`. Additionally try setting it in Firejail's sandbox. Easiest is using `~/.config/firejail/globals.local`. That way it'll get included in (almost) _all_ profiles and - as far as I can see - doing so won't break sandboxed CLI programs that don't need it. That `globals.local` is a very powerful built-in override. If you don't have one yet, my guess is you'll soon see its advantages and create one :)

`force-nonewprivs`

> Actually I set force-nonewprivs yes in /etc/firejail/firejail.config.

That's a wise decision. But be/stay aware of the implications. Wireshark for example will `break` under these conditions. Likely others, but very few. And the settings in firejail.config aren't run-time ones, hence a bit awkward to override. Alternatively you can keep the default in firejail.config and set it in the aforementioned `globals.local`. Less hassle, same effect. Just my $0.02 :)

Believe it or not, but I don't use Chromium and don't even have it installed. Just a personal thing, unrelated to security and/or sandboxing. TL;DR can't be sure if enforcing nonewprivs is the cause of all this. But I'd definitely try that!

Ciao


@luckylinux commented on GitHub (Jun 3, 2024):

> Additionally, to absolutely make sure this AA profile makes it into kernelspace, a reboot is advised instead of restarting the apparmor.service.
>
> Fingers crossed!

I tried all of this (**minus** the reboot part) and this is the result (NOT working - yet):

```
GTK_IM_MODULE=xim firejail /usr/bin/chromium
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /home/<username>/.config/firejail/chromium-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 1322122, child pid 1322150
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 200.21 ms
[6:6:0603/173442.316373:FATAL:credentials.cc(134)] Check failed: . : Permission denied (13)
[0603/173442.316594:WARNING:exception_handler_server.cc(204)] no ptrace

Parent is shutting down, bye...
```

Will try to reboot at some point ...


@luckylinux commented on GitHub (Jun 3, 2024):

> Believe it or not, but I don't use Chromium and don't even have it installed. Just a personal thing, unrelated to security and/or sandboxing. TL;DR can't be sure if enforcing nonewprivs is the cause of all this. But I'd definitely try that!

Thanks again 👍.

To be honest I use Firefox as my daily driver, but I sometimes need a "backup" to cross-check some of the weird issues I sometimes encounter with Firefox (SSL certificates, authentication, cache of credentials, etc.).


@gcqmkm02 commented on GitHub (Aug 29, 2024):

I have the same problem with flatpak.
After running
`sd sysctl -w kernel.apparmor_restrict_unprivileged_userns=0`
the flatpaks work.

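The AppArmor follow-up earlier in the thread (load the custom profile into the kernel before Firejail's `apparmor /usr/bin/chromium` line can use it) and the `kernel.apparmor_restrict_unprivileged_userns=0` workaround in the comment above both come down to three checks that nobody in the thread scripted. The diagnostic below is an added example, not code from Firejail or from any participant. It assumes only what the thread names: the two sysctls, the profile path from chromium-common.local, and AppArmor's `DENIED` kernel-log lines. The profile listing and the audit line it parses are constructed samples; the `operation="userns_create"` wording in that sample is an assumption about how the kernel phrases the denial, and the function names are the example's own.

```shell
#!/bin/sh
# Added diagnostic for the thread above (not Firejail's or the posters' code).
# It separates the three things the discussion narrowed the failure down to:
#   1. sysctls that gate unprivileged user namespaces,
#   2. whether the AppArmor profile named by `apparmor /usr/bin/chromium` in
#      chromium-common.local is actually loaded into the kernel,
#   3. whether the kernel log carries an AppArmor userns denial.
# SAMPLE_PROFILES and SAMPLE_LOG are constructed stand-ins for the real files.

q='"'   # literal double quote, used in pattern matching below

# 1. Interpret one userns-related sysctl. Prints a verdict; returns 0 when the
# value leaves unprivileged userns creation alone, 1 when it restricts it,
# 2 when the name is not one of the two sysctls discussed in the thread.
userns_sysctl_verdict() {
    name="$1"; value="$2"
    case "$name" in
        kernel.unprivileged_userns_clone)
            # Debian/Ubuntu kernel knob: 0 disables unprivileged userns outright.
            if [ "$value" = "0" ]; then
                echo "$name=0: unprivileged user namespaces disabled"; return 1
            fi
            echo "$name=$value: unprivileged user namespaces allowed"; return 0 ;;
        kernel.apparmor_restrict_unprivileged_userns)
            # AppArmor knob: 1 makes userns creation subject to AppArmor policy.
            if [ "$value" = "1" ]; then
                echo "$name=1: userns creation mediated by AppArmor"; return 1
            fi
            echo "$name=$value: AppArmor does not restrict userns creation"; return 0 ;;
        *)
            echo "$name: not a userns sysctl"; return 2 ;;
    esac
}

# 2. Look a profile name up in the `name (mode)` listing that
# /sys/kernel/security/apparmor/profiles exposes. Reads the listing from stdin
# so the same function serves the real file and the constructed sample.
# Prints the mode and returns 0 when found, 1 when the kernel lacks the profile.
aa_profile_mode() {
    want="$1"
    while IFS= read -r line; do
        name="${line% (*}"                    # drop trailing " (mode)"
        mode="${line##*(}"; mode="${mode%)}"  # keep what was inside the parens
        if [ "$name" = "$want" ]; then
            echo "$mode"; return 0
        fi
    done
    return 1
}

# 3. Pick AppArmor userns denials out of kernel-log lines on stdin (dmesg or
# journalctl -k). Prints "profile comm" per hit; returns 0 when at least one
# denial was seen, 1 otherwise.
userns_denials() {
    hits=0
    while IFS= read -r line; do
        case "$line" in
            *'apparmor="DENIED"'*'operation="userns_create"'*)
                prof="${line#*profile=$q}"; prof="${prof%%$q*}"
                comm="${line#*comm=$q}";    comm="${comm%%$q*}"
                echo "$prof $comm"
                hits=$((hits + 1)) ;;
        esac
    done
    [ "$hits" -gt 0 ]
}

# Constructed samples (not captured from the reporter's machine).
SAMPLE_PROFILES='firejail-default (enforce)
/usr/bin/chromium (complain)'
SAMPLE_LOG='audit: type=1400 audit(1717400000.123:45): apparmor="DENIED" operation="userns_create" class="namespace" error=-13 profile="firejail-default" pid=1234 comm="chrome" requested="userns_create" denied="userns_create"
audit: type=1400 audit(1717400001.456:46): apparmor="DENIED" operation="open" profile="firejail-default" name="/etc/shadow" pid=1235 comm="chrome"'

# Run the three checks against the live system; argument is the profile path
# used in chromium-common.local. Reading the profile list and dmesg needs root.
live_check() {
    for s in kernel.unprivileged_userns_clone kernel.apparmor_restrict_unprivileged_userns; do
        if v=$(sysctl -n "$s" 2>/dev/null); then
            userns_sysctl_verdict "$s" "$v" || true
        else
            echo "$s: not present on this kernel"
        fi
    done
    if [ -r /sys/kernel/security/apparmor/profiles ]; then
        if mode=$(aa_profile_mode "$1" </sys/kernel/security/apparmor/profiles); then
            echo "profile $1 loaded ($mode)"
        else
            echo "profile $1 NOT loaded: the 'apparmor $1' line cannot take effect"
        fi
    fi
    dmesg 2>/dev/null | userns_denials || echo "no userns denials found in dmesg"
    # The same operation Chromium's sandbox setup attempts at startup.
    if unshare -U true 2>/dev/null; then echo "unshare -U: ok"; else echo "unshare -U: denied"; fi
}

if [ "${1:-}" = "--live" ]; then live_check "${2:-/usr/bin/chromium}"; fi
```

Run it as `sh userns-check.sh --live /usr/bin/chromium` as root, once outside the sandbox and once under the same firejail options chromium gets, so the `unshare -U` probe reflects what the sandboxed process sees. A profile that the listing does not contain means the `apparmor` line in chromium-common.local has nothing to attach, which is the situation the follow-up's rename and cache purge are meant to fix. A denial in the log together with `kernel.apparmor_restrict_unprivileged_userns=1` is the case the last comment works around with `sysctl -w`; note that setting it to 0 lifts the restriction for every process on the host, whereas a loaded profile that permits user namespaces limits the change to the sandboxed browser.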
Reference: github-starred/firejail#3252