[GH-ISSUE #6637] Hardcoded iptables path causes issues on non-FHS systems like NixOS #3318

Open
opened 2026-05-05 09:54:28 -06:00 by gitea-mirror · 1 comment

Originally created by @nakibrayane on GitHub (Feb 3, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6637

Description

Firejail has hardcoded paths to the iptables binary, which causes issues on non-FHS systems like NixOS. When running firejail with the --netfilter option, it fails to find the iptables binary and returns an error.

Steps to Reproduce

  1. Install firejail in NixOS (e.g. nix shell nixpkgs#firejail)
  2. Run in bash firejail --net=eth0 --netfilter curl --output /dev/null https://nixos.org
  3. Observe the error message indicating that the iptables command is not found.

Expected behavior

Firejail should be able to locate the iptables binary and successfully configure the netfilter rules.

Actual behavior

Firejail fails to find the iptables binary and returns an error message:

Error: iptables command not found, netfilter not configured

This causes the netfilter rules to not be configured, and the curl command fails to resolve the host.

Behavior without a profile

Running firejail --noprofile --net=wlo1 --netfilter curl --output /dev/null https://nixos.org produces the same error message.

Additional context

The issue is caused by the hardcoded path to the iptables binary in the firejail code. On NixOS, the iptables binary is located at a different path. A more flexible way to locate the iptables binary, such as using the PATH environment variable or a configuration option, would allow firejail to work correctly on non-FHS systems like NixOS.

Environment

  • Name/version/arch of the Linux kernel: Linux 6.12.11 #1-NixOS SMP PREEMPT_DYNAMIC Thu Jan 23 16:23:05 UTC 2025 x86_64 GNU/Linux
  • Name/version of the Linux distribution: NixOS 25.05.20250201.3a22805 (Warbler)
  • Name/version of the relevant program(s)/package(s): iptables v1.8.11 (nf_tables)
  • Version of Firejail: firejail version 0.9.72

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of firejail --net=eth0 --netfilter curl --output /dev/null https://nixos.org

Error: iptables command not found, netfilter not configured
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0curl: (6) Could not resolve host: nixos.org

Output of firejail --debug --net=eth0 --netfilter curl --output /dev/null https://nixos.org

Building quoted command line: 'curl' '--output' '/dev/null' 'https://nixos.org' 
Command name #curl#
Found curl.profile profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
Found curl.local profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
Found globals.local profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
Found disable-common.inc profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
Found disable-common.local profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
Found disable-exec.inc profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
Found disable-exec.local profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
Found disable-programs.inc profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
Found disable-programs.local profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
Found whitelist-usr-share-common.inc profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
Found whitelist-usr-share-common.local profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
Found whitelist-var-common.inc profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
Found whitelist-var-common.local profile in /nix/store/pqjmyma4q3kd14bw2azidgcswrqrmhms-firejail-0.9.72/etc/firejail directory
get interface wlo1 configuration
MTU of wlo1 is 1500.
macvlan parent device wlo1 at 192.168.1.8/24
Enabling IPC namespace
get interface wlo1 configuration
MTU of wlo1 is 1500.
macvlan parent device wlo1 at 192.168.1.8/24
Enabling IPC namespace
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.namespaces file
Creating empty /run/firejail/mnt/seccomp/seccomp.namespaces.32 file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
sbox run: /run/firejail/lib/fnet ifup lo 
sbox run: /run/firejail/lib/fnet ifup eth0-696327 
ARP-scan eth0-696327, 192.168.1.8/24
IP address range from 192.168.1.1 to 192.168.1.255
Trying 192.168.1.227 ...
Configuring 192.168.1.227 address on interface eth0-696327
sbox run: /run/firejail/lib/fnet config interface eth0-696327 3232236003 4294967040 1500 
Announce 192.168.1.227 ...
Network namespace enabled
sbox run: /run/firejail/lib/fnet printif 
Build protocol filter: inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol 
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
898 895 0:35 /nix/persist/etc/NetworkManager/system-connections /etc/NetworkManager/system-connections rw,noatime master:4 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/nix
mountid=898 fsname=/nix/persist/etc/NetworkManager/system-connections dir=/etc/NetworkManager/system-connections fstype=btrfs
Mounting read-only /etc/nixos
901 897 0:35 /nix/persist/etc/nixos /etc/nixos ro,noatime master:4 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/nix
mountid=901 fsname=/nix/persist/etc/nixos dir=/etc/nixos fstype=btrfs
Mounting read-only /etc/NetworkManager/system-connections
953 898 0:35 /nix/persist/etc/NetworkManager/system-connections /etc/NetworkManager/system-connections ro,noatime master:4 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/nix
mountid=953 fsname=/nix/persist/etc/NetworkManager/system-connections dir=/etc/NetworkManager/system-connections fstype=btrfs
Mounting read-only /var
994 992 0:35 /nix/persist/var/lib/tailscale /var/lib/tailscale rw,noatime master:4 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/nix
mountid=994 fsname=/nix/persist/var/lib/tailscale dir=/var/lib/tailscale fstype=btrfs
Mounting read-only /var/lib/nixos
997 993 0:35 /nix/persist/var/lib/nixos /var/lib/nixos ro,noatime master:6 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/nix
mountid=997 fsname=/nix/persist/var/lib/nixos dir=/var/lib/nixos fstype=btrfs
Mounting read-only /var/lib/tailscale
998 994 0:35 /nix/persist/var/lib/tailscale /var/lib/tailscale ro,noatime master:4 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/nix
mountid=998 fsname=/nix/persist/var/lib/tailscale dir=/var/lib/tailscale fstype=btrfs
Mounting read-only /usr
999 777 0:35 /root/usr /usr ro,noatime master:1 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=365,subvol=/root
mountid=999 fsname=/root/usr dir=/usr fstype=btrfs
Mounting read-only /bin
1000 777 0:35 /root/bin /bin ro,noatime master:1 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=365,subvol=/root
mountid=1000 fsname=/root/bin dir=/bin fstype=btrfs
Mounting read-only /lib
1001 777 0:35 /root/lib /lib ro,noatime master:1 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=365,subvol=/root
mountid=1001 fsname=/root/lib dir=/lib fstype=btrfs
Mounting read-only /lib64
1002 777 0:35 /root/lib64 /lib64 ro,noatime master:1 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=365,subvol=/root
mountid=1002 fsname=/root/lib64 dir=/lib64 fstype=btrfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Generating a new machine-id
installing a new /etc/machine-id
Mounting tmpfs on /dev
Process /dev/shm directory
Generate private-tmp whitelist commands
Creating empty /run/firejail/mnt/dbus directory
Creating empty /run/firejail/mnt/dbus/user file
Creating empty /run/firejail/mnt/dbus/system file
blacklist /run/dbus/system_bus_socket
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /boot
Debug 588: whitelist /usr/share/alsa
Debug 609: expanded: /usr/share/alsa
Debug 620: new_name: /usr/share/alsa
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/applications
Debug 609: expanded: /usr/share/applications
Debug 620: new_name: /usr/share/applications
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/ca-certificates
Debug 609: expanded: /usr/share/ca-certificates
Debug 620: new_name: /usr/share/ca-certificates
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/crypto-policies
Debug 609: expanded: /usr/share/crypto-policies
Debug 620: new_name: /usr/share/crypto-policies
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/cursors
Debug 609: expanded: /usr/share/cursors
Debug 620: new_name: /usr/share/cursors
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/dconf
Debug 609: expanded: /usr/share/dconf
Debug 620: new_name: /usr/share/dconf
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/distro-info
Debug 609: expanded: /usr/share/distro-info
Debug 620: new_name: /usr/share/distro-info
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/drirc.d
Debug 609: expanded: /usr/share/drirc.d
Debug 620: new_name: /usr/share/drirc.d
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/egl
Debug 609: expanded: /usr/share/egl
Debug 620: new_name: /usr/share/egl
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/enchant
Debug 609: expanded: /usr/share/enchant
Debug 620: new_name: /usr/share/enchant
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/enchant-2
Debug 609: expanded: /usr/share/enchant-2
Debug 620: new_name: /usr/share/enchant-2
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/file
Debug 609: expanded: /usr/share/file
Debug 620: new_name: /usr/share/file
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/fontconfig
Debug 609: expanded: /usr/share/fontconfig
Debug 620: new_name: /usr/share/fontconfig
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/fonts
Debug 609: expanded: /usr/share/fonts
Debug 620: new_name: /usr/share/fonts
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/fonts-config
Debug 609: expanded: /usr/share/fonts-config
Debug 620: new_name: /usr/share/fonts-config
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/gir-1.0
Debug 609: expanded: /usr/share/gir-1.0
Debug 620: new_name: /usr/share/gir-1.0
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/gjs-1.0
Debug 609: expanded: /usr/share/gjs-1.0
Debug 620: new_name: /usr/share/gjs-1.0
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/glib-2.0
Debug 609: expanded: /usr/share/glib-2.0
Debug 620: new_name: /usr/share/glib-2.0
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/glvnd
Debug 609: expanded: /usr/share/glvnd
Debug 620: new_name: /usr/share/glvnd
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/gtk-2.0
Debug 609: expanded: /usr/share/gtk-2.0
Debug 620: new_name: /usr/share/gtk-2.0
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/gtk-3.0
Debug 609: expanded: /usr/share/gtk-3.0
Debug 620: new_name: /usr/share/gtk-3.0
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/gtk-engines
Debug 609: expanded: /usr/share/gtk-engines
Debug 620: new_name: /usr/share/gtk-engines
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/gtksourceview-3.0
Debug 609: expanded: /usr/share/gtksourceview-3.0
Debug 620: new_name: /usr/share/gtksourceview-3.0
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/gtksourceview-4
Debug 609: expanded: /usr/share/gtksourceview-4
Debug 620: new_name: /usr/share/gtksourceview-4
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/hunspell
Debug 609: expanded: /usr/share/hunspell
Debug 620: new_name: /usr/share/hunspell
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/hwdata
Debug 609: expanded: /usr/share/hwdata
Debug 620: new_name: /usr/share/hwdata
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/icons
Debug 609: expanded: /usr/share/icons
Debug 620: new_name: /usr/share/icons
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/icu
Debug 609: expanded: /usr/share/icu
Debug 620: new_name: /usr/share/icu
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/knotifications5
Debug 609: expanded: /usr/share/knotifications5
Debug 620: new_name: /usr/share/knotifications5
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/kservices5
Debug 609: expanded: /usr/share/kservices5
Debug 620: new_name: /usr/share/kservices5
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/Kvantum
Debug 609: expanded: /usr/share/Kvantum
Debug 620: new_name: /usr/share/Kvantum
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/kxmlgui5
Debug 609: expanded: /usr/share/kxmlgui5
Debug 620: new_name: /usr/share/kxmlgui5
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/libdrm
Debug 609: expanded: /usr/share/libdrm
Debug 620: new_name: /usr/share/libdrm
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/libthai
Debug 609: expanded: /usr/share/libthai
Debug 620: new_name: /usr/share/libthai
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/locale
Debug 609: expanded: /usr/share/locale
Debug 620: new_name: /usr/share/locale
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/mime
Debug 609: expanded: /usr/share/mime
Debug 620: new_name: /usr/share/mime
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/misc
Debug 609: expanded: /usr/share/misc
Debug 620: new_name: /usr/share/misc
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/Modules
Debug 609: expanded: /usr/share/Modules
Debug 620: new_name: /usr/share/Modules
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/myspell
Debug 609: expanded: /usr/share/myspell
Debug 620: new_name: /usr/share/myspell
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/p11-kit
Debug 609: expanded: /usr/share/p11-kit
Debug 620: new_name: /usr/share/p11-kit
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/perl
Debug 609: expanded: /usr/share/perl
Debug 620: new_name: /usr/share/perl
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/perl5
Debug 609: expanded: /usr/share/perl5
Debug 620: new_name: /usr/share/perl5
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/pipewire
Debug 609: expanded: /usr/share/pipewire
Debug 620: new_name: /usr/share/pipewire
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/pixmaps
Debug 609: expanded: /usr/share/pixmaps
Debug 620: new_name: /usr/share/pixmaps
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/pki
Debug 609: expanded: /usr/share/pki
Debug 620: new_name: /usr/share/pki
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/plasma
Debug 609: expanded: /usr/share/plasma
Debug 620: new_name: /usr/share/plasma
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/publicsuffix
Debug 609: expanded: /usr/share/publicsuffix
Debug 620: new_name: /usr/share/publicsuffix
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/qt
Debug 609: expanded: /usr/share/qt
Debug 620: new_name: /usr/share/qt
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/qt4
Debug 609: expanded: /usr/share/qt4
Debug 620: new_name: /usr/share/qt4
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/qt5
Debug 609: expanded: /usr/share/qt5
Debug 620: new_name: /usr/share/qt5
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/qt5ct
Debug 609: expanded: /usr/share/qt5ct
Debug 620: new_name: /usr/share/qt5ct
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/qt6
Debug 609: expanded: /usr/share/qt6
Debug 620: new_name: /usr/share/qt6
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/qt6ct
Debug 609: expanded: /usr/share/qt6ct
Debug 620: new_name: /usr/share/qt6ct
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/sounds
Debug 609: expanded: /usr/share/sounds
Debug 620: new_name: /usr/share/sounds
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/tcl8.6
Debug 609: expanded: /usr/share/tcl8.6
Debug 620: new_name: /usr/share/tcl8.6
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/tcltk
Debug 609: expanded: /usr/share/tcltk
Debug 620: new_name: /usr/share/tcltk
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/terminfo
Debug 609: expanded: /usr/share/terminfo
Debug 620: new_name: /usr/share/terminfo
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/texlive
Debug 609: expanded: /usr/share/texlive
Debug 620: new_name: /usr/share/texlive
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/texmf
Debug 609: expanded: /usr/share/texmf
Debug 620: new_name: /usr/share/texmf
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/themes
Debug 609: expanded: /usr/share/themes
Debug 620: new_name: /usr/share/themes
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/thumbnail.so
Debug 609: expanded: /usr/share/thumbnail.so
Debug 620: new_name: /usr/share/thumbnail.so
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/uim
Debug 609: expanded: /usr/share/uim
Debug 620: new_name: /usr/share/uim
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/vulkan
Debug 609: expanded: /usr/share/vulkan
Debug 620: new_name: /usr/share/vulkan
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/X11
Debug 609: expanded: /usr/share/X11
Debug 620: new_name: /usr/share/X11
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/xml
Debug 609: expanded: /usr/share/xml
Debug 620: new_name: /usr/share/xml
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/zenity
Debug 609: expanded: /usr/share/zenity
Debug 620: new_name: /usr/share/zenity
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /usr/share/zoneinfo
Debug 609: expanded: /usr/share/zoneinfo
Debug 620: new_name: /usr/share/zoneinfo
Debug 630: dir: /usr/share
Cannot access whitelist top level directory /usr/share: No such file or directory
Debug 588: whitelist /var/lib/aspell
Debug 609: expanded: /var/lib/aspell
Debug 620: new_name: /var/lib/aspell
Debug 630: dir: /var
Adding whitelist top level directory /var
Removed path: whitelist /var/lib/aspell
	new_name: /var/lib/aspell
	realpath: (null)
	No such file or directory
Debug 588: whitelist /var/lib/ca-certificates
Debug 609: expanded: /var/lib/ca-certificates
Debug 620: new_name: /var/lib/ca-certificates
Debug 630: dir: /var
Removed path: whitelist /var/lib/ca-certificates
	new_name: /var/lib/ca-certificates
	realpath: (null)
	No such file or directory
Debug 588: whitelist /var/lib/dbus
Debug 609: expanded: /var/lib/dbus
Debug 620: new_name: /var/lib/dbus
Debug 630: dir: /var
Removed path: whitelist /var/lib/dbus
	new_name: /var/lib/dbus
	realpath: (null)
	No such file or directory
Debug 588: whitelist /var/lib/menu-xdg
Debug 609: expanded: /var/lib/menu-xdg
Debug 620: new_name: /var/lib/menu-xdg
Debug 630: dir: /var
Removed path: whitelist /var/lib/menu-xdg
	new_name: /var/lib/menu-xdg
	realpath: (null)
	No such file or directory
Debug 588: whitelist /var/lib/uim
Debug 609: expanded: /var/lib/uim
Debug 620: new_name: /var/lib/uim
Debug 630: dir: /var
Removed path: whitelist /var/lib/uim
	new_name: /var/lib/uim
	realpath: (null)
	No such file or directory
Debug 588: whitelist /var/cache/fontconfig
Debug 609: expanded: /var/cache/fontconfig
Debug 620: new_name: /var/cache/fontconfig
Debug 630: dir: /var
Removed path: whitelist /var/cache/fontconfig
	new_name: /var/cache/fontconfig
	realpath: (null)
	No such file or directory
Debug 588: whitelist /var/tmp
Debug 609: expanded: /var/tmp
Debug 620: new_name: /var/tmp
Debug 630: dir: /var
Debug 588: whitelist /var/run
Debug 609: expanded: /var/run
Debug 620: new_name: /var/run
Debug 630: dir: /var
Debug 588: whitelist /var/lock
Debug 609: expanded: /var/lock
Debug 620: new_name: /var/lock
Debug 630: dir: /var
Debug 588: whitelist /tmp/.X11-unix
Debug 609: expanded: /tmp/.X11-unix
Debug 620: new_name: /tmp/.X11-unix
Debug 630: dir: /tmp
Adding whitelist top level directory /tmp
Debug 588: whitelist /tmp/sndio
Debug 609: expanded: /tmp/sndio
Debug 620: new_name: /tmp/sndio
Debug 630: dir: /tmp
Removed path: whitelist /tmp/sndio
	new_name: /tmp/sndio
	realpath: (null)
	No such file or directory
Mounting tmpfs on /var, check owner: no
1042 992 0:95 / /var rw,nosuid,nodev,noatime - tmpfs tmpfs rw,mode=755
mountid=1042 fsname=/ dir=/var fstype=tmpfs
Mounting tmpfs on /tmp, check owner: no
1043 777 0:96 / /tmp rw,nosuid,nodev,noatime - tmpfs tmpfs rw
mountid=1043 fsname=/ dir=/tmp fstype=tmpfs
Whitelisting /var/tmp
1044 1042 0:90 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw
mountid=1044 fsname=/ dir=/var/tmp fstype=tmpfs
Created symbolic link /var/run -> /run
Created symbolic link /var/lock -> /run/lock
Whitelisting /tmp/.X11-unix
1045 1043 0:35 /root/tmp/.X11-unix /tmp/.X11-unix rw,noatime master:1 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=365,subvol=/root
mountid=1045 fsname=/root/tmp/.X11-unix dir=/tmp/.X11-unix fstype=btrfs
Disable /tmp/.X11-unix
Disable /nix/store/b5nslvx24h0b1m4iml7cykg4dwwf8b7k-systemd-257.2/bin/systemctl (requested /run/current-system/sw/bin/systemctl)
Disable /nix/store/b5nslvx24h0b1m4iml7cykg4dwwf8b7k-systemd-257.2/bin/systemd-run (requested /run/current-system/sw/bin/systemd-run)
Disable /nix/store/mqdh52s3payy2rwklr93phybwr14fyg2-system-units (requested /etc/systemd/system)
Disable /etc/apparmor
Disable /nix/store/qcp3n3x5q3yql5misyqlaqivbqnm2d8q-apparmor.d (requested /etc/apparmor.d)
Disable /etc/default
Disable /etc/modules-load.d
Disable /etc/shadow
Disable /etc/ssh
Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/chage (requested /run/current-system/sw/bin/chage)
Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/chfn (requested /run/current-system/sw/bin/chfn)
Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/chsh (requested /run/current-system/sw/bin/chsh)
Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/expiry (requested /run/current-system/sw/bin/expiry)
Disable /run/wrappers/wrappers.cMliUjMHgE/fusermount (requested /run/wrappers/bin/fusermount)
Disable /nix/store/nn2m9jfz2lqy288ajadzkgyh4ljnwk5l-fuse-2.9.9-bin/bin/fusermount (requested /run/current-system/sw/bin/fusermount)
Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/gpasswd (requested /run/current-system/sw/bin/gpasswd)
Disable /run/wrappers/wrappers.cMliUjMHgE/mount (requested /run/wrappers/bin/mount)
Disable /nix/store/zahlcyi7p2qgjwrz2qwzdr7miyigdhfq-util-linux-2.39.4-mount/bin/mount (requested /run/current-system/sw/bin/mount)
Disable /nix/store/af9njh727f90dsdfjqv6c1pq7qcjvrhm-libressl-4.0.0-nc/bin/nc (requested /run/current-system/sw/bin/nc)
Disable /run/wrappers/wrappers.cMliUjMHgE/newgidmap (requested /run/wrappers/bin/newgidmap)
Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/newgidmap (requested /run/current-system/sw/bin/newgidmap)
Disable /run/wrappers/wrappers.cMliUjMHgE/newgrp (requested /run/wrappers/bin/newgrp)
Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/newgrp (requested /run/current-system/sw/bin/newgrp)
Disable /run/wrappers/wrappers.cMliUjMHgE/newuidmap (requested /run/wrappers/bin/newuidmap)
Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/newuidmap (requested /run/current-system/sw/bin/newuidmap)
Disable /run/wrappers/wrappers.cMliUjMHgE/pkexec (requested /run/wrappers/bin/pkexec)
Disable /nix/store/1y33x5pbxy2zy85br1fwx28q73n8s22g-polkit-124-bin/bin/pkexec (requested /run/current-system/sw/bin/pkexec)
Disable /run/wrappers/wrappers.cMliUjMHgE/sg (requested /run/wrappers/bin/sg)
Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/newgrp (requested /run/current-system/sw/bin/sg)
Disable /run/wrappers/wrappers.cMliUjMHgE/su (requested /run/wrappers/bin/su)
Disable /nix/store/305isy81fd0gqpji81bwj5dnbq71dmd4-sudo-rs-0.2.3/bin/su (requested /run/current-system/sw/bin/su)
Disable /run/wrappers/wrappers.cMliUjMHgE/sudo (requested /run/wrappers/bin/sudo)
Disable /nix/store/305isy81fd0gqpji81bwj5dnbq71dmd4-sudo-rs-0.2.3/bin/sudo (requested /run/current-system/sw/bin/sudo)
Disable /run/wrappers/wrappers.cMliUjMHgE/umount (requested /run/wrappers/bin/umount)
Disable /nix/store/zahlcyi7p2qgjwrz2qwzdr7miyigdhfq-util-linux-2.39.4-mount/bin/umount (requested /run/current-system/sw/bin/umount)
Disable /run/wrappers/wrappers.cMliUjMHgE/unix_chkpwd (requested /run/wrappers/bin/unix_chkpwd)
Disable /nix/store/mhrs2z02f605vm22xkwkqci14myz5ahc-linux-pam-1.6.1/bin/unix_chkpwd (requested /run/current-system/sw/bin/unix_chkpwd)
Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/passwd (requested /run/current-system/sw/bin/passwd)
Disable /nix/store/ka3g9zj7pgzx68m8sybsa909nirx4vl2-net-tools-2.10/bin/hostname (requested /run/current-system/sw/bin/hostname)
Disable /nix/store/ka3g9zj7pgzx68m8sybsa909nirx4vl2-net-tools-2.10/bin/netstat (requested /run/current-system/sw/bin/netstat)
Disable /nix/store/9hilz8ngmh6i8i1xzrvd6yifdkvw1n4x-networkmanager-1.48.10/bin/nm-online (requested /run/current-system/sw/bin/nm-online)
Disable /nix/store/9hilz8ngmh6i8i1xzrvd6yifdkvw1n4x-networkmanager-1.48.10/bin/nmcli (requested /run/current-system/sw/bin/nmcli)
Disable /nix/store/9hilz8ngmh6i8i1xzrvd6yifdkvw1n4x-networkmanager-1.48.10/bin/nmtui (requested /run/current-system/sw/bin/nmtui)
Disable /nix/store/9hilz8ngmh6i8i1xzrvd6yifdkvw1n4x-networkmanager-1.48.10/bin/nmtui (requested /run/current-system/sw/bin/nmtui-connect)
Disable /nix/store/9hilz8ngmh6i8i1xzrvd6yifdkvw1n4x-networkmanager-1.48.10/bin/nmtui (requested /run/current-system/sw/bin/nmtui-edit)
Disable /nix/store/9hilz8ngmh6i8i1xzrvd6yifdkvw1n4x-networkmanager-1.48.10/bin/nmtui (requested /run/current-system/sw/bin/nmtui-hostname)
Disable /nix/store/b5nslvx24h0b1m4iml7cykg4dwwf8b7k-systemd-257.2/bin/networkctl (requested /run/current-system/sw/bin/networkctl)
Disable /nix/store/hy5x4rd1s59lf3zdizw1iayan2525b3n-iproute2-6.12.0/bin/ss (requested /run/current-system/sw/bin/ss)
Disable /proc/config.gz
Disable /nix/store/lxfyifxn30yqry5g46cmxfy7aib0kah8-bind-9.18.33-host/bin/host (requested /run/current-system/sw/bin/host)
Disable /nix/store/b5nslvx24h0b1m4iml7cykg4dwwf8b7k-systemd-257.2/bin/resolvectl (requested /run/current-system/sw/bin/resolvectl)
Disable /nix/store/d47m463xavp70bgzm8qk90fb2a7w79b4-openssh-9.9p1/bin/ssh (requested /run/current-system/sw/bin/ssh)
Mounting noexec /root
1133 777 0:35 /root/root /root rw,nosuid,nodev,noexec,noatime master:1 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=365,subvol=/root
mountid=1133 fsname=/root/root dir=/root fstype=btrfs
Mounting noexec /dev/shm
1134 1015 0:92 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
mountid=1134 fsname=/shm dir=/dev/shm fstype=tmpfs
Mounting noexec /tmp
1137 1136 0:26 /firejail/firejail.ro.dir /tmp/.X11-unix ro,nosuid,nodev master:2 - tmpfs tmpfs rw,size=1942760k,nr_inodes=819200,mode=755
mountid=1137 fsname=/firejail/firejail.ro.dir dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /tmp/.X11-unix
1138 1137 0:26 /firejail/firejail.ro.dir /tmp/.X11-unix ro,nosuid,nodev,noexec master:2 - tmpfs tmpfs rw,size=1942760k,nr_inodes=819200,mode=755
mountid=1138 fsname=/firej line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 04 00 c000003e   jeq ARCH_64 0006 (false 0002)
 0002: 20 00 00 00000000   ld  data.syscall-number
 0003: 15 01 00 00000167   jeq unknown 0005 (false 0004)
 0004: 06 00 00 7fff0000   ret ALLOW
 0005: 05 00 00 00000009   jmp 000f
 0006: 20 00 00 00000004   ld  data.architecture
 0007: 15 01 00 c000003e   jeq ARCH_64 0009 (false 0008)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 20 00 00 00000000   ld  data.syscall-number
 000a: 35 01 00 40000000   jge X32_ABI 000c (false 000b)
 000b: 35 01 00 00000000   jge read 000d (false 000c)
 000c: 06 00 00 00050001   ret ERRNO(1)
 000d: 15 01 00 00000029   jeq socket 000f (false 000e)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 20 00 00 00000010   ld  data.args[0]
 0010: 15 00 01 00000002   jeq 2 0011 (false 0012)
 0011: 06 00 00 7fff0000   ret ALLOW
 0012: 15 00 01 0000000a   jeq a 0013 (false 0014)
 0013: 06 00 00 7fff0000   ret ALLOW
 0014: 06 00 00 0005005f   ret ERRNO(95)
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 30 00 00000015   jeq 15 0035 (false 0005)
 0005: 15 2f 00 00000034   jeq 34 0035 (false 0006)
 0006: 15 2e 00 0000001a   jeq 1a 0035 (false 0007)
 0007: 15 2d 00 0000011b   jeq 11b 0035 (false 0008)
 0008: 15 2c 00 00000155   jeq 155 0035 (false 0009)
 0009: 15 2b 00 00000156   jeq 156 0035 (false 000a)
 000a: 15 2a 00 0000007f   jeq 7f 0035 (false 000b)
 000b: 15 29 00 00000080   jeq 80 0035 (false 000c)
 000c: 15 28 00 0000015e   jeq 15e 0035 (false 000d)
 000d: 15 27 00 00000081   jeq 81 0035 (false 000e)
 000e: 15 26 00 0000006e   jeq 6e 0035 (false 000f)
 000f: 15 25 00 00000065   jeq 65 0035 (false 0010)
 0010: 15 24 00 00000121   jeq 121 0035 (false 0011)
 0011: 15 23 00 00000057   jeq 57 0035 (false 0012)
 0012: 15 22 00 00000073   jeq 73 0035 (false 0013)
 0013: 15 21 00 00000067   jeq 67 0035 (false 0014)
 0014: 15 20 00 0000015b   jeq 15b 0035 (false 0015)
 0015: 15 1f 00 0000015c   jeq 15c 0035 (false 0016)
 0016: 15 1e 00 00000087   jeq 87 0035 (false 0017)
 0017: 15 1d 00 00000095   jeq 95 0035 (false 0018)
 0018: 15 1c 00 0000007c   jeq 7c 0035 (false 0019)
 0019: 15 1b 00 00000157   jeq 157 0035 (false 001a)
 001a: 15 1a 00 000000fd   jeq fd 0035 (false 001b)
 001b: 15 19 00 00000150   jeq 150 0035 (false 001c)
 001c: 15 18 00 00000152   jeq 152 0035 (false 001d)
 001d: 15 17 00 0000015d   jeq 15d 0035 (false 001e)
 001e: 15 16 00 0000011e   jeq 11e 0035 (false 001f)
 001f: 15 15 00 0000011f   jeq 11f 0035 (false 0020)
 0020: 15 14 00 00000120   jeq 120 0035 (false 0021)
 0021: 15 13 00 00000056   jeq 56 0035 (false 0022)
 0022: 15 12 00 00000033   jeq 33 0035 (false 0023)
 0023: 15 11 00 0000007b   jeq 7b 0035 (false 0024)
 0024: 15 10 00 000000d9   jeq d9 0035 (false 0025)
 0025: 15 0f 00 000000f5   jeq f5 0035 (false 0026)
 0026: 15 0e 00 000000f6   jeq f6 0035 (false 0027)
 0027: 15 0d 00 000000f7   jeq f7 0035 (false 0028)
 0028: 15 0c 00 000000f8   jeq f8 0035 (false 0029)
 0029: 15 0b 00 000000f9   jeq f9 0035 (false 002a)
 002a: 15 0a 00 00000101   jeq 101 0035 (false 002b)
 002b: 15 09 00 00000112   jeq 112 0035 (false 002c)
 002c: 15 08 00 00000114   jeq 114 0035 (false 002d)
 002d: 15 07 00 00000126   jeq 126 0035 (false 002e)
 002e: 15 06 00 0000013d   jeq 13d 0035 (false 002f)
 002f: 15 05 00 0000013c   jeq 13c 0035 (false 0030)
 0030: 15 04 00 0000003d   jeq 3d 0035 (false 0031)
 0031: 15 03 00 00000058   jeq 58 0035 (false 0032)
 0032: 15 02 00 000000a9   jeq a9 0035 (false 0033)
 0033: 15 01 00 00000082   jeq 82 0035 (false 0034)
 0034: 06 00 00 7fff0000   ret ALLOW
 0035: 06 00 00 00050001   ret ERRNO(1)
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 47 00 0000009f   jeq adjtimex 004f (false 0008)
 0008: 15 46 00 00000131   jeq clock_adjtime 004f (false 0009)
 0009: 15 45 00 000000e3   jeq clock_settime 004f (false 000a)
 000a: 15 44 00 000000a4   jeq settimeofday 004f (false 000b)
 000b: 15 43 00 0000009a   jeq modify_ldt 004f (false 000c)
 000c: 15 42 00 000000d4   jeq lookup_dcookie 004f (false 000d)
 000d: 15 41 00 0000012a   jeq perf_event_open 004f (false 000e)
 000e: 15 40 00 000001b6   jeq pidfd_getfd 004f (false 000f)
 000f: 15 3f 00 00000137   jeq process_vm_writev 004f (false 0010)
 0010: 15 3e 00 000000b0   jeq delete_module 004f (false 0011)
 0011: 15 3d 00 00000139   jeq finit_module 004f (false 0012)
 0012: 15 3c 00 000000af   jeq init_module 004f (false 0013)
 0013: 15 3b 00 000000a1   jeq chroot 004f (false 0014)
 0014: 15 3a 00 000001af   jeq fsconfig 004f (false 0015)
 0015: 15 39 00 000001b0   jeq fsmount 004f (false 0016)
 0016: 15 38 00 000001ae   jeq fsopen 004f (false 0017)
 0017: 15 37 00 000001b1   jeq fspick 004f (false 0018)
 0018: 15 36 00 000000a5   jeq mount 004f (false 0019)
 0019: 15 35 00 000001ad   jeq move_mount 004f (false 001a)
 001a: 15 34 00 000001ac   jeq open_tree 004f (false 001b)
 001b: 15 33 00 0000009b   jeq pivot_root 004f (false 001c)
 001c: 15 32 00 000000a6   jeq umount2 004f (false 001d)
 001d: 15 31 00 0000009c   jeq _sysctl 004f (false 001e)
 001e: 15 30 00 000000b7   jeq afs_syscall 004f (false 001f)
 001f: 15 2f 00 000000ae   jeq create_module 004f (false 0020)
 0020: 15 2e 00 000000b1   jeq get_kernel_syms 004f (false 0021)
 0021: 15 2d 00 000000b5   jeq getpmsg 004f (false 0022)
 0022: 15 2c 00 000000b6   jeq putpmsg 004f (false 0023)
 0023: 15 2b 00 000000b2   jeq query_module 004f (false 0024)
 0024: 15 2a 00 000000b9   jeq security 004f (false 0025)
 0025: 15 29 00 0000008b   jeq sysfs 004f (false 0026)
 0026: 15 28 00 000000b8   jeq tuxcall 004f (false 0027)
 0027: 15 27 00 00000086   jeq uselib 004f (false 0028)
 0028: 15 26 00 00000088   jeq ustat 004f (false 0029)
 0029: 15 25 00 000000ec   jeq vserver 004f (false 002a)
 002a: 15 24 00 000000ad   jeq ioperm 004f (false 002b)
 002b: 15 23 00 000000ac   jeq iopl 004f (false 002c)
 002c: 15 22 00 000000f6   jeq kexec_load 004f (false 002d)
 002d: 15 21 00 00000140   jeq kexec_file_load 004f (false 002e)
 002e: 15 20 00 000000a9   jeq reboot 004f (false 002f)
 002f: 15 1f 00 000000a7   jeq swapon 004f (false 0030)
 0030: 15 1e 00 000000a8   jeq swapoff 004f (false 0031)
 0031: 15 1d 00 00000130   jeq open_by_handle_at 004f (false 0032)
 0032: 15 1c 00 0000012f   jeq name_to_handle_at 004f (false 0033)
 0033: 15 1b 00 000000fb   jeq ioprio_set 004f (false 0034)
 0034: 15 1a 00 00000067   jeq syslog 004f (false 0035)
 0035: 15 19 00 0000012c   jeq fanotify_init 004f (false 0036)
 0036: 15 18 00 000000f8   jeq add_key 004f (false 0037)
 0037: 15 17 00 000000f9   jeq request_key 004f (false 0038)
 0038: 15 16 00 000000ed   jeq mbind 004f (false 0039)
 0039: 15 15 00 00000100   jeq migrate_pages 004f (false 003a)
 003a: 15 14 00 00000117   jeq move_pages 004f (false 003b)
 003b: 15 13 00 000000fa   jeq keyctl 004f (false 003c)
 003c: 15 12 00 000000ce   jeq io_setup 004f (false 003d)
 003d: 15 11 00 000000cf   jeq io_destroy 004f (false 003e)
 003e: 15 10 00 000000d0   jeq io_getevents 004f (false 003f)
 003f: 15 0f 00 000000d1   jeq io_submit 004f (false 0040)
 0040: 15 0e 00 000000d2   jeq io_cancel 004f (false 0041)
 0041: 15 0d 00 000000d8   jeq remap_file_pages 004f (false 0042)
 0042: 15 0c 00 000000ee   jeq set_mempolicy 004f (false 0043)
 0043: 15 0b 00 00000116   jeq vmsplice 004f (false 0044)
 0044: 15 0a 00 00000143   jeq userfaultfd 004f (false 0045)
 0045: 15 09 00 000000a3   jeq acct 004f (false 0046)
 0046: 15 08 00 00000141   jeq bpf 004f (false 0047)
 0047: 15 07 00 000000b4   jeq nfsservctl 004f (false 0048)
 0048: 15 06 00 000000ab   jeq setdomainname 004f (false 0049)
 0049: 15 05 00 000000aa   jeq sethostname 004f (false 004a)
 004a: 15 04 00 00000099   jeq vhangup 004f (false 004b)
 004b: 15 03 00 00000065   jeq ptrace 004f (false 004c)
 004c: 15 02 00 00000087   jeq personality 004f (false 004d)
 004d: 15 01 00 00000136   jeq process_vm_readv 004f (false 004e)
 004e: 06 00 00 7fff0000   ret ALLOW
 004f: 06 00 01 00050001   ret ERRNO(1)
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 04 00000038   jeq clone 0008 (false 000c)
 0008: 20 00 00 00000010   ld  data.args[0]
 0009: 45 00 01 7e020000   jset 7e020000 000a (false 000b)
 000a: 06 00 00 00050001   ret ERRNO(1)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 15 00 01 000001b3   jeq 1b3 000d (false 000e)
 000d: 06 00 00 00050026   ret ERRNO(38)
 000e: 15 00 04 00000110   jeq 110 000f (false 0013)
 000f: 20 00 00 00000010   ld  data.args[0]
 0010: 45 00 01 7e020080   jset 7e020080 0011 (false 0012)
 0011: 06 00 00 00050001   ret ERRNO(1)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 15 00 04 00000134   jeq 134 0014 (false 0018)
 0014: 20 00 00 00000018   ld  data.args[8]
 0015: 15 01 00 00000000   jeq 0 0017 (false 0016)
 0016: 45 00 01 7e020080   jset 7e020080 0017 (false 0018)
 0017: 06 00 00 00050001   ret ERRNO(1)
 0018: 06 00 00 7fff0000   ret ALLOW
 0019: 06 00 00 7fff0000   ret ALLOW
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 00 04 00000078   jeq 78 0005 (false 0009)
 0005: 20 00 00 00000010   ld  data.args[0]
 0006: 45 00 01 7e020000   jset 7e020000 0007 (false 0008)
 0007: 06 00 00 00050001   ret ERRNO(1)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 000001b3   jeq 1b3 000a (false 000b)
 000a: 06 00 00 00050026   ret ERRNO(38)
 000b: 15 00 04 00000136   jeq 136 000c (false 0010)
 000c: 20 00 00 00000010   ld  data.args[0]
 000d: 45 00 01 7e020080   jset 7e020080 000e (false 000f)
 000e: 06 00 00 00050001   ret ERRNO(1)
 000f: 06 00 00 7fff0000   ret ALLOW
 0010: 15 00 04 0000015a   jeq 15a 0011 (false 0015)
 0011: 20 00 00 00000018   ld  data.args[8]
 0012: 15 01 00 00000000   jeq 0 0014 (false 0013)
 0013: 45 00 01 7e020080   jset 7e020080 0014 (false 0015)
 0014: 06 00 00 00050001   ret ERRNO(1)
 0015: 06 00 00 7fff0000   ret ALLOW
 0016: 06 00 00 7fff0000   ret ALLOW
ail/firejail.ro.dir dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /var
1140 1139 0:90 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw
mountid=1140 fsname=/ dir=/var/tmp fstype=tmpfs
Not blacklist /root/.curl-hsts
Not blacklist /root/.curlrc
Mounting tmpfs on /root/.cache, check owner: no
1141 1133 0:97 / /root/.cache rw,nosuid,nodev,noexec,noatime - tmpfs tmpfs rw,mode=755
mountid=1141 fsname=/ dir=/root/.cache fstype=tmpfs
Disable /sys/fs
Disable /sys/module
disable pulseaudio
disable pipewire
Current directory: /home/rayane
Install protocol filter: inet,inet6
configuring 21 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol 
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.32 
Dual 32/64 bit seccomp filter configured
configuring 80 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp 
seccomp filter configured
Build restrict-namespaces filter
sbox run: /run/firejail/lib/fseccomp restrict-namespaces /run/firejail/mnt/seccomp/seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts 
restrict-namespaces filter configured
Build restrict-namespaces filter
sbox run: /run/firejail/lib/fseccomp restrict-namespaces.32 /run/firejail/mnt/seccomp/seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts 
restrict-namespaces filter configured
Install namespaces filter
configuring 26 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces 
configuring 23 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces.32
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces.32 
Mounting read-only /run/firejail/mnt/seccomp
1144 883 0:87 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755
mountid=1144 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             200 .
drwxr-xr-x root     root             240 ..
-rw-r--r-- root     root             640 seccomp
-rw-r--r-- root     root             432 seccomp.32
-rw-r--r-- root     root             207 seccomp.list
-rw-r--r-- root     root             208 seccomp.namespaces
-rw-r--r-- root     root             184 seccomp.namespaces.32
-rw-r--r-- root     root               0 seccomp.postexec
-rw-r--r-- root     root               0 seccomp.postexec32
-rw-r--r-- root     root             168 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
/run/firejail/mnt/seccomp/seccomp.namespaces
/run/firejail/mnt/seccomp/seccomp.namespaces.32
Dropping all capabilities
Drop CAP_DAC_OVERRIDE
Drop CAP_DAC_READ_SEARCH
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 0, gid 0, force_nogroups 0
No supplementary groups
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
execvp argument 0: curl
execvp argument 1: --output
execvp argument 2: /dev/null
execvp argument 3: https://nixos.org
The new log directory is /proc/696328/root/var/log

expanded: /usr/share/pipewire Debug 620: new_name: /usr/share/pipewire Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/pixmaps Debug 609: expanded: /usr/share/pixmaps Debug 620: new_name: /usr/share/pixmaps Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/pki Debug 609: expanded: /usr/share/pki Debug 620: new_name: /usr/share/pki Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/plasma Debug 609: expanded: /usr/share/plasma Debug 620: new_name: /usr/share/plasma Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/publicsuffix Debug 609: expanded: /usr/share/publicsuffix Debug 620: new_name: /usr/share/publicsuffix Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/qt Debug 609: expanded: /usr/share/qt Debug 620: new_name: /usr/share/qt Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/qt4 Debug 609: expanded: /usr/share/qt4 Debug 620: new_name: /usr/share/qt4 Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/qt5 Debug 609: expanded: /usr/share/qt5 Debug 620: new_name: /usr/share/qt5 Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/qt5ct Debug 609: expanded: /usr/share/qt5ct Debug 620: new_name: /usr/share/qt5ct Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist 
/usr/share/qt6 Debug 609: expanded: /usr/share/qt6 Debug 620: new_name: /usr/share/qt6 Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/qt6ct Debug 609: expanded: /usr/share/qt6ct Debug 620: new_name: /usr/share/qt6ct Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/sounds Debug 609: expanded: /usr/share/sounds Debug 620: new_name: /usr/share/sounds Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/tcl8.6 Debug 609: expanded: /usr/share/tcl8.6 Debug 620: new_name: /usr/share/tcl8.6 Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/tcltk Debug 609: expanded: /usr/share/tcltk Debug 620: new_name: /usr/share/tcltk Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/terminfo Debug 609: expanded: /usr/share/terminfo Debug 620: new_name: /usr/share/terminfo Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/texlive Debug 609: expanded: /usr/share/texlive Debug 620: new_name: /usr/share/texlive Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/texmf Debug 609: expanded: /usr/share/texmf Debug 620: new_name: /usr/share/texmf Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/themes Debug 609: expanded: /usr/share/themes Debug 620: new_name: /usr/share/themes Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or 
directory Debug 588: whitelist /usr/share/thumbnail.so Debug 609: expanded: /usr/share/thumbnail.so Debug 620: new_name: /usr/share/thumbnail.so Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/uim Debug 609: expanded: /usr/share/uim Debug 620: new_name: /usr/share/uim Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/vulkan Debug 609: expanded: /usr/share/vulkan Debug 620: new_name: /usr/share/vulkan Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/X11 Debug 609: expanded: /usr/share/X11 Debug 620: new_name: /usr/share/X11 Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/xml Debug 609: expanded: /usr/share/xml Debug 620: new_name: /usr/share/xml Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/zenity Debug 609: expanded: /usr/share/zenity Debug 620: new_name: /usr/share/zenity Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /usr/share/zoneinfo Debug 609: expanded: /usr/share/zoneinfo Debug 620: new_name: /usr/share/zoneinfo Debug 630: dir: /usr/share Cannot access whitelist top level directory /usr/share: No such file or directory Debug 588: whitelist /var/lib/aspell Debug 609: expanded: /var/lib/aspell Debug 620: new_name: /var/lib/aspell Debug 630: dir: /var Adding whitelist top level directory /var Removed path: whitelist /var/lib/aspell new_name: /var/lib/aspell realpath: (null) No such file or directory Debug 588: whitelist /var/lib/ca-certificates Debug 609: expanded: /var/lib/ca-certificates Debug 620: new_name: 
/var/lib/ca-certificates Debug 630: dir: /var Removed path: whitelist /var/lib/ca-certificates new_name: /var/lib/ca-certificates realpath: (null) No such file or directory Debug 588: whitelist /var/lib/dbus Debug 609: expanded: /var/lib/dbus Debug 620: new_name: /var/lib/dbus Debug 630: dir: /var Removed path: whitelist /var/lib/dbus new_name: /var/lib/dbus realpath: (null) No such file or directory Debug 588: whitelist /var/lib/menu-xdg Debug 609: expanded: /var/lib/menu-xdg Debug 620: new_name: /var/lib/menu-xdg Debug 630: dir: /var Removed path: whitelist /var/lib/menu-xdg new_name: /var/lib/menu-xdg realpath: (null) No such file or directory Debug 588: whitelist /var/lib/uim Debug 609: expanded: /var/lib/uim Debug 620: new_name: /var/lib/uim Debug 630: dir: /var Removed path: whitelist /var/lib/uim new_name: /var/lib/uim realpath: (null) No such file or directory Debug 588: whitelist /var/cache/fontconfig Debug 609: expanded: /var/cache/fontconfig Debug 620: new_name: /var/cache/fontconfig Debug 630: dir: /var Removed path: whitelist /var/cache/fontconfig new_name: /var/cache/fontconfig realpath: (null) No such file or directory Debug 588: whitelist /var/tmp Debug 609: expanded: /var/tmp Debug 620: new_name: /var/tmp Debug 630: dir: /var Debug 588: whitelist /var/run Debug 609: expanded: /var/run Debug 620: new_name: /var/run Debug 630: dir: /var Debug 588: whitelist /var/lock Debug 609: expanded: /var/lock Debug 620: new_name: /var/lock Debug 630: dir: /var Debug 588: whitelist /tmp/.X11-unix Debug 609: expanded: /tmp/.X11-unix Debug 620: new_name: /tmp/.X11-unix Debug 630: dir: /tmp Adding whitelist top level directory /tmp Debug 588: whitelist /tmp/sndio Debug 609: expanded: /tmp/sndio Debug 620: new_name: /tmp/sndio Debug 630: dir: /tmp Removed path: whitelist /tmp/sndio new_name: /tmp/sndio realpath: (null) No such file or directory Mounting tmpfs on /var, check owner: no 1042 992 0:95 / /var rw,nosuid,nodev,noatime - tmpfs tmpfs rw,mode=755 mountid=1042 
fsname=/ dir=/var fstype=tmpfs Mounting tmpfs on /tmp, check owner: no 1043 777 0:96 / /tmp rw,nosuid,nodev,noatime - tmpfs tmpfs rw mountid=1043 fsname=/ dir=/tmp fstype=tmpfs Whitelisting /var/tmp 1044 1042 0:90 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw mountid=1044 fsname=/ dir=/var/tmp fstype=tmpfs Created symbolic link /var/run -> /run Created symbolic link /var/lock -> /run/lock Whitelisting /tmp/.X11-unix 1045 1043 0:35 /root/tmp/.X11-unix /tmp/.X11-unix rw,noatime master:1 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=365,subvol=/root mountid=1045 fsname=/root/tmp/.X11-unix dir=/tmp/.X11-unix fstype=btrfs Disable /tmp/.X11-unix Disable /nix/store/b5nslvx24h0b1m4iml7cykg4dwwf8b7k-systemd-257.2/bin/systemctl (requested /run/current-system/sw/bin/systemctl) Disable /nix/store/b5nslvx24h0b1m4iml7cykg4dwwf8b7k-systemd-257.2/bin/systemd-run (requested /run/current-system/sw/bin/systemd-run) Disable /nix/store/mqdh52s3payy2rwklr93phybwr14fyg2-system-units (requested /etc/systemd/system) Disable /etc/apparmor Disable /nix/store/qcp3n3x5q3yql5misyqlaqivbqnm2d8q-apparmor.d (requested /etc/apparmor.d) Disable /etc/default Disable /etc/modules-load.d Disable /etc/shadow Disable /etc/ssh Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/chage (requested /run/current-system/sw/bin/chage) Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/chfn (requested /run/current-system/sw/bin/chfn) Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/chsh (requested /run/current-system/sw/bin/chsh) Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/expiry (requested /run/current-system/sw/bin/expiry) Disable /run/wrappers/wrappers.cMliUjMHgE/fusermount (requested /run/wrappers/bin/fusermount) Disable /nix/store/nn2m9jfz2lqy288ajadzkgyh4ljnwk5l-fuse-2.9.9-bin/bin/fusermount (requested /run/current-system/sw/bin/fusermount) Disable 
/nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/gpasswd (requested /run/current-system/sw/bin/gpasswd) Disable /run/wrappers/wrappers.cMliUjMHgE/mount (requested /run/wrappers/bin/mount) Disable /nix/store/zahlcyi7p2qgjwrz2qwzdr7miyigdhfq-util-linux-2.39.4-mount/bin/mount (requested /run/current-system/sw/bin/mount) Disable /nix/store/af9njh727f90dsdfjqv6c1pq7qcjvrhm-libressl-4.0.0-nc/bin/nc (requested /run/current-system/sw/bin/nc) Disable /run/wrappers/wrappers.cMliUjMHgE/newgidmap (requested /run/wrappers/bin/newgidmap) Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/newgidmap (requested /run/current-system/sw/bin/newgidmap) Disable /run/wrappers/wrappers.cMliUjMHgE/newgrp (requested /run/wrappers/bin/newgrp) Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/newgrp (requested /run/current-system/sw/bin/newgrp) Disable /run/wrappers/wrappers.cMliUjMHgE/newuidmap (requested /run/wrappers/bin/newuidmap) Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/newuidmap (requested /run/current-system/sw/bin/newuidmap) Disable /run/wrappers/wrappers.cMliUjMHgE/pkexec (requested /run/wrappers/bin/pkexec) Disable /nix/store/1y33x5pbxy2zy85br1fwx28q73n8s22g-polkit-124-bin/bin/pkexec (requested /run/current-system/sw/bin/pkexec) Disable /run/wrappers/wrappers.cMliUjMHgE/sg (requested /run/wrappers/bin/sg) Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/newgrp (requested /run/current-system/sw/bin/sg) Disable /run/wrappers/wrappers.cMliUjMHgE/su (requested /run/wrappers/bin/su) Disable /nix/store/305isy81fd0gqpji81bwj5dnbq71dmd4-sudo-rs-0.2.3/bin/su (requested /run/current-system/sw/bin/su) Disable /run/wrappers/wrappers.cMliUjMHgE/sudo (requested /run/wrappers/bin/sudo) Disable /nix/store/305isy81fd0gqpji81bwj5dnbq71dmd4-sudo-rs-0.2.3/bin/sudo (requested /run/current-system/sw/bin/sudo) Disable /run/wrappers/wrappers.cMliUjMHgE/umount (requested /run/wrappers/bin/umount) Disable 
/nix/store/zahlcyi7p2qgjwrz2qwzdr7miyigdhfq-util-linux-2.39.4-mount/bin/umount (requested /run/current-system/sw/bin/umount) Disable /run/wrappers/wrappers.cMliUjMHgE/unix_chkpwd (requested /run/wrappers/bin/unix_chkpwd) Disable /nix/store/mhrs2z02f605vm22xkwkqci14myz5ahc-linux-pam-1.6.1/bin/unix_chkpwd (requested /run/current-system/sw/bin/unix_chkpwd) Disable /nix/store/18479flfrd496hvg1znx6qpnlrp5v454-shadow-4.17.2/bin/passwd (requested /run/current-system/sw/bin/passwd) Disable /nix/store/ka3g9zj7pgzx68m8sybsa909nirx4vl2-net-tools-2.10/bin/hostname (requested /run/current-system/sw/bin/hostname) Disable /nix/store/ka3g9zj7pgzx68m8sybsa909nirx4vl2-net-tools-2.10/bin/netstat (requested /run/current-system/sw/bin/netstat) Disable /nix/store/9hilz8ngmh6i8i1xzrvd6yifdkvw1n4x-networkmanager-1.48.10/bin/nm-online (requested /run/current-system/sw/bin/nm-online) Disable /nix/store/9hilz8ngmh6i8i1xzrvd6yifdkvw1n4x-networkmanager-1.48.10/bin/nmcli (requested /run/current-system/sw/bin/nmcli) Disable /nix/store/9hilz8ngmh6i8i1xzrvd6yifdkvw1n4x-networkmanager-1.48.10/bin/nmtui (requested /run/current-system/sw/bin/nmtui) Disable /nix/store/9hilz8ngmh6i8i1xzrvd6yifdkvw1n4x-networkmanager-1.48.10/bin/nmtui (requested /run/current-system/sw/bin/nmtui-connect) Disable /nix/store/9hilz8ngmh6i8i1xzrvd6yifdkvw1n4x-networkmanager-1.48.10/bin/nmtui (requested /run/current-system/sw/bin/nmtui-edit) Disable /nix/store/9hilz8ngmh6i8i1xzrvd6yifdkvw1n4x-networkmanager-1.48.10/bin/nmtui (requested /run/current-system/sw/bin/nmtui-hostname) Disable /nix/store/b5nslvx24h0b1m4iml7cykg4dwwf8b7k-systemd-257.2/bin/networkctl (requested /run/current-system/sw/bin/networkctl) Disable /nix/store/hy5x4rd1s59lf3zdizw1iayan2525b3n-iproute2-6.12.0/bin/ss (requested /run/current-system/sw/bin/ss) Disable /proc/config.gz Disable /nix/store/lxfyifxn30yqry5g46cmxfy7aib0kah8-bind-9.18.33-host/bin/host (requested /run/current-system/sw/bin/host) Disable 
/nix/store/b5nslvx24h0b1m4iml7cykg4dwwf8b7k-systemd-257.2/bin/resolvectl (requested /run/current-system/sw/bin/resolvectl) Disable /nix/store/d47m463xavp70bgzm8qk90fb2a7w79b4-openssh-9.9p1/bin/ssh (requested /run/current-system/sw/bin/ssh) Mounting noexec /root 1133 777 0:35 /root/root /root rw,nosuid,nodev,noexec,noatime master:1 - btrfs /dev/mapper/crypted rw,compress=zstd:3,ssd,space_cache=v2,subvolid=365,subvol=/root mountid=1133 fsname=/root/root dir=/root fstype=btrfs Mounting noexec /dev/shm 1134 1015 0:92 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=1134 fsname=/shm dir=/dev/shm fstype=tmpfs Mounting noexec /tmp 1137 1136 0:26 /firejail/firejail.ro.dir /tmp/.X11-unix ro,nosuid,nodev master:2 - tmpfs tmpfs rw,size=1942760k,nr_inodes=819200,mode=755 mountid=1137 fsname=/firejail/firejail.ro.dir dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /tmp/.X11-unix 1138 1137 0:26 /firejail/firejail.ro.dir /tmp/.X11-unix ro,nosuid,nodev,noexec master:2 - tmpfs tmpfs rw,size=1942760k,nr_inodes=819200,mode=755 mountid=1138 fsname=/firej line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 04 00 c000003e jeq ARCH_64 0006 (false 0002) 0002: 20 00 00 00000000 ld data.syscall-number 0003: 15 01 00 00000167 jeq unknown 0005 (false 0004) 0004: 06 00 00 7fff0000 ret ALLOW 0005: 05 00 00 00000009 jmp 000f 0006: 20 00 00 00000004 ld data.architecture 0007: 15 01 00 c000003e jeq ARCH_64 0009 (false 0008) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 20 00 00 00000000 ld data.syscall-number 000a: 35 01 00 40000000 jge X32_ABI 000c (false 000b) 000b: 35 01 00 00000000 jge read 000d (false 000c) 000c: 06 00 00 00050001 ret ERRNO(1) 000d: 15 01 00 00000029 jeq socket 000f (false 000e) 000e: 06 00 00 7fff0000 ret ALLOW 000f: 20 00 00 00000010 ld data.args[0] 0010: 15 00 01 00000002 jeq 2 0011 (false 0012) 0011: 06 00 00 7fff0000 ret ALLOW 0012: 15 00 01 0000000a jeq a 0013 (false 0014) 0013: 06 00 00 7fff0000 ret 
ALLOW 0014: 06 00 00 0005005f ret ERRNO(95) line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 30 00 00000015 jeq 15 0035 (false 0005) 0005: 15 2f 00 00000034 jeq 34 0035 (false 0006) 0006: 15 2e 00 0000001a jeq 1a 0035 (false 0007) 0007: 15 2d 00 0000011b jeq 11b 0035 (false 0008) 0008: 15 2c 00 00000155 jeq 155 0035 (false 0009) 0009: 15 2b 00 00000156 jeq 156 0035 (false 000a) 000a: 15 2a 00 0000007f jeq 7f 0035 (false 000b) 000b: 15 29 00 00000080 jeq 80 0035 (false 000c) 000c: 15 28 00 0000015e jeq 15e 0035 (false 000d) 000d: 15 27 00 00000081 jeq 81 0035 (false 000e) 000e: 15 26 00 0000006e jeq 6e 0035 (false 000f) 000f: 15 25 00 00000065 jeq 65 0035 (false 0010) 0010: 15 24 00 00000121 jeq 121 0035 (false 0011) 0011: 15 23 00 00000057 jeq 57 0035 (false 0012) 0012: 15 22 00 00000073 jeq 73 0035 (false 0013) 0013: 15 21 00 00000067 jeq 67 0035 (false 0014) 0014: 15 20 00 0000015b jeq 15b 0035 (false 0015) 0015: 15 1f 00 0000015c jeq 15c 0035 (false 0016) 0016: 15 1e 00 00000087 jeq 87 0035 (false 0017) 0017: 15 1d 00 00000095 jeq 95 0035 (false 0018) 0018: 15 1c 00 0000007c jeq 7c 0035 (false 0019) 0019: 15 1b 00 00000157 jeq 157 0035 (false 001a) 001a: 15 1a 00 000000fd jeq fd 0035 (false 001b) 001b: 15 19 00 00000150 jeq 150 0035 (false 001c) 001c: 15 18 00 00000152 jeq 152 0035 (false 001d) 001d: 15 17 00 0000015d jeq 15d 0035 (false 001e) 001e: 15 16 00 0000011e jeq 11e 0035 (false 001f) 001f: 15 15 00 0000011f jeq 11f 0035 (false 0020) 0020: 15 14 00 00000120 jeq 120 0035 (false 0021) 0021: 15 13 00 00000056 jeq 56 0035 (false 0022) 0022: 15 12 00 00000033 jeq 33 0035 (false 0023) 0023: 15 11 00 0000007b jeq 7b 0035 (false 0024) 0024: 15 10 00 000000d9 jeq d9 0035 (false 0025) 0025: 15 0f 00 000000f5 jeq f5 0035 (false 0026) 0026: 15 0e 00 000000f6 jeq f6 0035 (false 
0027) 0027: 15 0d 00 000000f7 jeq f7 0035 (false 0028) 0028: 15 0c 00 000000f8 jeq f8 0035 (false 0029) 0029: 15 0b 00 000000f9 jeq f9 0035 (false 002a) 002a: 15 0a 00 00000101 jeq 101 0035 (false 002b) 002b: 15 09 00 00000112 jeq 112 0035 (false 002c) 002c: 15 08 00 00000114 jeq 114 0035 (false 002d) 002d: 15 07 00 00000126 jeq 126 0035 (false 002e) 002e: 15 06 00 0000013d jeq 13d 0035 (false 002f) 002f: 15 05 00 0000013c jeq 13c 0035 (false 0030) 0030: 15 04 00 0000003d jeq 3d 0035 (false 0031) 0031: 15 03 00 00000058 jeq 58 0035 (false 0032) 0032: 15 02 00 000000a9 jeq a9 0035 (false 0033) 0033: 15 01 00 00000082 jeq 82 0035 (false 0034) 0034: 06 00 00 7fff0000 ret ALLOW 0035: 06 00 00 00050001 ret ERRNO(1) line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 47 00 0000009f jeq adjtimex 004f (false 0008) 0008: 15 46 00 00000131 jeq clock_adjtime 004f (false 0009) 0009: 15 45 00 000000e3 jeq clock_settime 004f (false 000a) 000a: 15 44 00 000000a4 jeq settimeofday 004f (false 000b) 000b: 15 43 00 0000009a jeq modify_ldt 004f (false 000c) 000c: 15 42 00 000000d4 jeq lookup_dcookie 004f (false 000d) 000d: 15 41 00 0000012a jeq perf_event_open 004f (false 000e) 000e: 15 40 00 000001b6 jeq pidfd_getfd 004f (false 000f) 000f: 15 3f 00 00000137 jeq process_vm_writev 004f (false 0010) 0010: 15 3e 00 000000b0 jeq delete_module 004f (false 0011) 0011: 15 3d 00 00000139 jeq finit_module 004f (false 0012) 0012: 15 3c 00 000000af jeq init_module 004f (false 0013) 0013: 15 3b 00 000000a1 jeq chroot 004f (false 0014) 0014: 15 3a 00 000001af jeq fsconfig 004f (false 0015) 0015: 15 39 00 000001b0 jeq fsmount 004f (false 0016) 0016: 15 38 00 000001ae jeq 
fsopen 004f (false 0017) 0017: 15 37 00 000001b1 jeq fspick 004f (false 0018) 0018: 15 36 00 000000a5 jeq mount 004f (false 0019) 0019: 15 35 00 000001ad jeq move_mount 004f (false 001a) 001a: 15 34 00 000001ac jeq open_tree 004f (false 001b) 001b: 15 33 00 0000009b jeq pivot_root 004f (false 001c) 001c: 15 32 00 000000a6 jeq umount2 004f (false 001d) 001d: 15 31 00 0000009c jeq _sysctl 004f (false 001e) 001e: 15 30 00 000000b7 jeq afs_syscall 004f (false 001f) 001f: 15 2f 00 000000ae jeq create_module 004f (false 0020) 0020: 15 2e 00 000000b1 jeq get_kernel_syms 004f (false 0021) 0021: 15 2d 00 000000b5 jeq getpmsg 004f (false 0022) 0022: 15 2c 00 000000b6 jeq putpmsg 004f (false 0023) 0023: 15 2b 00 000000b2 jeq query_module 004f (false 0024) 0024: 15 2a 00 000000b9 jeq security 004f (false 0025) 0025: 15 29 00 0000008b jeq sysfs 004f (false 0026) 0026: 15 28 00 000000b8 jeq tuxcall 004f (false 0027) 0027: 15 27 00 00000086 jeq uselib 004f (false 0028) 0028: 15 26 00 00000088 jeq ustat 004f (false 0029) 0029: 15 25 00 000000ec jeq vserver 004f (false 002a) 002a: 15 24 00 000000ad jeq ioperm 004f (false 002b) 002b: 15 23 00 000000ac jeq iopl 004f (false 002c) 002c: 15 22 00 000000f6 jeq kexec_load 004f (false 002d) 002d: 15 21 00 00000140 jeq kexec_file_load 004f (false 002e) 002e: 15 20 00 000000a9 jeq reboot 004f (false 002f) 002f: 15 1f 00 000000a7 jeq swapon 004f (false 0030) 0030: 15 1e 00 000000a8 jeq swapoff 004f (false 0031) 0031: 15 1d 00 00000130 jeq open_by_handle_at 004f (false 0032) 0032: 15 1c 00 0000012f jeq name_to_handle_at 004f (false 0033) 0033: 15 1b 00 000000fb jeq ioprio_set 004f (false 0034) 0034: 15 1a 00 00000067 jeq syslog 004f (false 0035) 0035: 15 19 00 0000012c jeq fanotify_init 004f (false 0036) 0036: 15 18 00 000000f8 jeq add_key 004f (false 0037) 0037: 15 17 00 000000f9 jeq request_key 004f (false 0038) 0038: 15 16 00 000000ed jeq mbind 004f (false 0039) 0039: 15 15 00 00000100 jeq migrate_pages 004f (false 003a) 003a: 15 14 00 
00000117 jeq move_pages 004f (false 003b) 003b: 15 13 00 000000fa jeq keyctl 004f (false 003c) 003c: 15 12 00 000000ce jeq io_setup 004f (false 003d) 003d: 15 11 00 000000cf jeq io_destroy 004f (false 003e) 003e: 15 10 00 000000d0 jeq io_getevents 004f (false 003f) 003f: 15 0f 00 000000d1 jeq io_submit 004f (false 0040) 0040: 15 0e 00 000000d2 jeq io_cancel 004f (false 0041) 0041: 15 0d 00 000000d8 jeq remap_file_pages 004f (false 0042) 0042: 15 0c 00 000000ee jeq set_mempolicy 004f (false 0043) 0043: 15 0b 00 00000116 jeq vmsplice 004f (false 0044) 0044: 15 0a 00 00000143 jeq userfaultfd 004f (false 0045) 0045: 15 09 00 000000a3 jeq acct 004f (false 0046) 0046: 15 08 00 00000141 jeq bpf 004f (false 0047) 0047: 15 07 00 000000b4 jeq nfsservctl 004f (false 0048) 0048: 15 06 00 000000ab jeq setdomainname 004f (false 0049) 0049: 15 05 00 000000aa jeq sethostname 004f (false 004a) 004a: 15 04 00 00000099 jeq vhangup 004f (false 004b) 004b: 15 03 00 00000065 jeq ptrace 004f (false 004c) 004c: 15 02 00 00000087 jeq personality 004f (false 004d) 004d: 15 01 00 00000136 jeq process_vm_readv 004f (false 004e) 004e: 06 00 00 7fff0000 ret ALLOW 004f: 06 00 01 00050001 ret ERRNO(1) line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 00 04 00000038 jeq clone 0008 (false 000c) 0008: 20 00 00 00000010 ld data.args[0] 0009: 45 00 01 7e020000 jset 7e020000 000a (false 000b) 000a: 06 00 00 00050001 ret ERRNO(1) 000b: 06 00 00 7fff0000 ret ALLOW 000c: 15 00 01 000001b3 jeq 1b3 000d (false 000e) 000d: 06 00 00 00050026 ret ERRNO(38) 000e: 15 00 04 00000110 jeq 110 000f (false 0013) 000f: 20 00 00 00000010 ld data.args[0] 0010: 45 00 01 7e020080 jset 7e020080 
0011 (false 0012) 0011: 06 00 00 00050001 ret ERRNO(1) 0012: 06 00 00 7fff0000 ret ALLOW 0013: 15 00 04 00000134 jeq 134 0014 (false 0018) 0014: 20 00 00 00000018 ld data.args[8] 0015: 15 01 00 00000000 jeq 0 0017 (false 0016) 0016: 45 00 01 7e020080 jset 7e020080 0017 (false 0018) 0017: 06 00 00 00050001 ret ERRNO(1) 0018: 06 00 00 7fff0000 ret ALLOW 0019: 06 00 00 7fff0000 ret ALLOW line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 00 04 00000078 jeq 78 0005 (false 0009) 0005: 20 00 00 00000010 ld data.args[0] 0006: 45 00 01 7e020000 jset 7e020000 0007 (false 0008) 0007: 06 00 00 00050001 ret ERRNO(1) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 15 00 01 000001b3 jeq 1b3 000a (false 000b) 000a: 06 00 00 00050026 ret ERRNO(38) 000b: 15 00 04 00000136 jeq 136 000c (false 0010) 000c: 20 00 00 00000010 ld data.args[0] 000d: 45 00 01 7e020080 jset 7e020080 000e (false 000f) 000e: 06 00 00 00050001 ret ERRNO(1) 000f: 06 00 00 7fff0000 ret ALLOW 0010: 15 00 04 0000015a jeq 15a 0011 (false 0015) 0011: 20 00 00 00000018 ld data.args[8] 0012: 15 01 00 00000000 jeq 0 0014 (false 0013) 0013: 45 00 01 7e020080 jset 7e020080 0014 (false 0015) 0014: 06 00 00 00050001 ret ERRNO(1) 0015: 06 00 00 7fff0000 ret ALLOW 0016: 06 00 00 7fff0000 ret ALLOW ail/firejail.ro.dir dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /var 1140 1139 0:90 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw mountid=1140 fsname=/ dir=/var/tmp fstype=tmpfs Not blacklist /root/.curl-hsts Not blacklist /root/.curlrc Mounting tmpfs on /root/.cache, check owner: no 1141 1133 0:97 / /root/.cache rw,nosuid,nodev,noexec,noatime - tmpfs tmpfs rw,mode=755 mountid=1141 fsname=/ dir=/root/.cache fstype=tmpfs Disable /sys/fs Disable /sys/module disable pulseaudio disable pipewire Current directory: /home/rayane Install protocol filter: 
inet,inet6 configuring 21 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32 sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.32 Dual 32/64 bit seccomp filter configured configuring 80 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp seccomp filter configured Build restrict-namespaces filter sbox run: /run/firejail/lib/fseccomp restrict-namespaces /run/firejail/mnt/seccomp/seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts restrict-namespaces filter configured Build restrict-namespaces filter sbox run: /run/firejail/lib/fseccomp restrict-namespaces.32 /run/firejail/mnt/seccomp/seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts restrict-namespaces filter configured Install namespaces filter configuring 26 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces configuring 23 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces.32 sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces.32 Mounting read-only /run/firejail/mnt/seccomp 1144 883 0:87 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755 mountid=1144 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Seccomp directory: ls /run/firejail/mnt/seccomp drwxr-xr-x root root 200 . drwxr-xr-x root root 240 .. 
-rw-r--r-- root root 640 seccomp -rw-r--r-- root root 432 seccomp.32 -rw-r--r-- root root 207 seccomp.list -rw-r--r-- root root 208 seccomp.namespaces -rw-r--r-- root root 184 seccomp.namespaces.32 -rw-r--r-- root root 0 seccomp.postexec -rw-r--r-- root root 0 seccomp.postexec32 -rw-r--r-- root root 168 seccomp.protocol Active seccomp files: cat /run/firejail/mnt/seccomp/seccomp.list /run/firejail/mnt/seccomp/seccomp.protocol /run/firejail/mnt/seccomp/seccomp.32 /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.namespaces /run/firejail/mnt/seccomp/seccomp.namespaces.32 Dropping all capabilities Drop CAP_DAC_OVERRIDE Drop CAP_DAC_READ_SEARCH NO_NEW_PRIVS set Drop privileges: pid 1, uid 0, gid 0, force_nogroups 0 No supplementary groups Closing non-standard file descriptors Starting application LD_PRELOAD=(null) execvp argument 0: curl execvp argument 1: --output execvp argument 2: /dev/null execvp argument 3: https://nixos.org The new log directory is /proc/696328/root/var/log ``` </p> </details>

@rusty-snake commented on GitHub (Feb 4, 2025):

> Firejail has hardcoded paths to the iptables binary,

There are more hardcoded paths that do not work well on nix.

> A more flexible way to locate the iptables binary, such as using the PATH environment variable

Picking the first executable in `$PATH` and executing it as root is a security vulnerability unless we set `$PATH` to something trusted like `/usr/bin:/usr/sbin` (i.e. hardcoding again).

> or a configuration option, would allow firejail to work correctly on non-FHS systems like NixOS.

A `./configure` option is the way to go IMHO.
OT: Sad that we decided against meson.
