[GH-ISSUE #6696] landlock: cannot rename file or directory inside landlocked path

gitea-mirror commented

2026-05-05 09:55:30 -06:00

Owner

Originally created by @osevan on GitHub (Mar 31, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6696

im sandboxing already with landlock option some daemons especially chrooted daemons,

server daemon starts well but child process like qmgr process exiting.
ofc these folders have write access by landlock itself

when i disable landlock no child process exiting with 1 and everything still now is well.
but, i can run with landlock too, but postfix starting in time period qmgr child processes, than failing:

Mar 31 16:29:09  postfix/master[55623]: warning: /usr/lib/postfix/sbin/qmgr: bad command startup -- throttling
Mar 31 16:29:09  postfix/master[55623]: warning: process /usr/lib/postfix/sbin/qmgr pid 176 exit status 1
Mar 31 16:29:08  postfix/qmgr[55628]: fatal: qmgr_active_feed: B1C485D9: rename from incoming to active: Invalid cross-device link
Mar 31 16:28:08  postfix/master[55623]: warning: /usr/lib/postfix/sbin/qmgr: bad command startup -- throttling
Mar 31 16:28:08  postfix/master[55623]: warning: process /usr/lib/postfix/sbin/qmgr pid 175 exit status 1
Mar 31 16:28:07  postfix/qmgr[55627]: fatal: qmgr_active_feed: B1C485D9: rename from incoming to active: Invalid cross-device link
Mar 31 16:27:46  postfix/master[55623]: warning: unix_trigger_event: read timeout for service public/qmgr
Mar 31 16:27:07  postfix/master[55623]: warning: /usr/lib/postfix/sbin/qmgr: bad command startup -- throttling
Mar 31 16:27:07  postfix/master[55623]: warning: process /usr/lib/postfix/sbin/qmgr pid 174 exit status 1
Mar 31 16:27:06  postfix/qmgr[55626]: fatal: qmgr_active_feed: B1C485D9: rename from incoming to active: Invalid cross-device lin

maybe connected with this patch:

https://lwn.net/Articles/889577/

Originally created by @osevan on GitHub (Mar 31, 2025). Original GitHub issue: https://github.com/netblue30/firejail/issues/6696 im sandboxing already with landlock option some daemons especially chrooted daemons, server daemon starts well but child process like qmgr process exiting. ofc these folders have write access by landlock itself when i disable landlock no child process exiting with 1 and everything still now is well. but, i can run with landlock too, but postfix starting in time period qmgr child processes, than failing: ``` Mar 31 16:29:09 postfix/master[55623]: warning: /usr/lib/postfix/sbin/qmgr: bad command startup -- throttling Mar 31 16:29:09 postfix/master[55623]: warning: process /usr/lib/postfix/sbin/qmgr pid 176 exit status 1 Mar 31 16:29:08 postfix/qmgr[55628]: fatal: qmgr_active_feed: B1C485D9: rename from incoming to active: Invalid cross-device link Mar 31 16:28:08 postfix/master[55623]: warning: /usr/lib/postfix/sbin/qmgr: bad command startup -- throttling Mar 31 16:28:08 postfix/master[55623]: warning: process /usr/lib/postfix/sbin/qmgr pid 175 exit status 1 Mar 31 16:28:07 postfix/qmgr[55627]: fatal: qmgr_active_feed: B1C485D9: rename from incoming to active: Invalid cross-device link Mar 31 16:27:46 postfix/master[55623]: warning: unix_trigger_event: read timeout for service public/qmgr Mar 31 16:27:07 postfix/master[55623]: warning: /usr/lib/postfix/sbin/qmgr: bad command startup -- throttling Mar 31 16:27:07 postfix/master[55623]: warning: process /usr/lib/postfix/sbin/qmgr pid 174 exit status 1 Mar 31 16:27:06 postfix/qmgr[55626]: fatal: qmgr_active_feed: B1C485D9: rename from incoming to active: Invalid cross-device lin ``` maybe connected with this patch: https://lwn.net/Articles/889577/

gitea-mirror added the

enhancement

label 2026-05-05 09:55:30 -06:00

gitea-mirror commented

2026-05-05 09:55:32 -06:00

Author

Owner

@kmk3 commented on GitHub (Mar 31, 2025):

Basic debugging information is missing; please follow the bug report template:

https://github.com/netblue30/firejail/issues/new?template=bug_report.md

@kmk3 commented on GitHub (Mar 31, 2025): Basic debugging information is missing; please follow the bug report template: * <https://github.com/netblue30/firejail/issues/new?template=bug_report.md>

gitea-mirror commented

2026-05-05 09:55:33 -06:00

Author

Owner

@kmk3 commented on GitHub (Mar 31, 2025):

(Offtopic)

Please see the following links for how to format code blocks in markdown:

@kmk3 commented on GitHub (Mar 31, 2025): (Offtopic) Please see the following links for how to format code blocks in markdown: * <https://docs.github.com/en/get-started/writing-on-github/working-with-advanced-formatting/creating-and-highlighting-code-blocks> * <https://github.github.com/gfm/#fenced-code-blocks>

gitea-mirror commented

2026-05-05 09:55:34 -06:00

Author

Owner

@rusty-snake commented on GitHub (Mar 31, 2025):

Yeah, no reparenting is a documented ~~feature~~ limitation of Landlock ABIv1 that greatly limits application compatibility.

@rusty-snake commented on GitHub (Mar 31, 2025): Yeah, no reparenting is a documented ~feature~ limitation of Landlock ABIv1 that greatly limits application compatibility.

gitea-mirror commented

2026-05-05 09:55:35 -06:00

Author

Owner

@rusty-snake commented on GitHub (Mar 31, 2025):

I even told so in Nov 2023 (shortly after the initial implementation in firejail was merged/pushed): https://github.com/netblue30/firejail/discussions/6065#discussioncomment-7460581 (at the end).

@rusty-snake commented on GitHub (Mar 31, 2025): I even told so in Nov 2023 (shortly after the initial implementation in firejail was merged/pushed): https://github.com/netblue30/firejail/discussions/6065#discussioncomment-7460581 (at the end).

gitea-mirror commented

2026-05-05 09:55:35 -06:00

Author

Owner

@osevan commented on GitHub (Mar 31, 2025):

Tomorrow I will give more details @kmk3

@osevan commented on GitHub (Mar 31, 2025): Tomorrow I will give more details @kmk3

gitea-mirror commented

2026-05-05 09:55:35 -06:00

Author

Owner

@osevan commented on GitHub (Apr 1, 2025):

for my landlock postfix daemon tests im using vps root server debian sid. on my 4 notebooks running arch linux

apt install postfix-mysql

and nano /etc/postfix/master.cf settings for chroot y
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -        y       -       -       smtpd

replacing postfisc-script with my modified postfix script here, else postfix-script makes trouble and not starting inside firejail sandbox. its a workaround by me.

replace postfix-script here
/usr/lib/postfix/sbin/postfix-script

here is full adjusted script https://gist.github.com/osevan/a0e1f8e1b32897f3cd403acafdfa7bb6

further i setupped virtual mail users this is basic smtp setup with dovecot

here is my magic postfix.profile
https://gist.github.com/osevan/521bb3e4b96ce9e1d5cc05b1ea5b45db
im starting postfix with firejail --debug --profile=/etc/firejail/postfix.profile postfix start

dont forget to mention postfix trying in some time period qmgr rename actions. so error not happen on every startup, only after time period like cronjob, but not figured out where i can adjust.

thanks and

best regards

@osevan commented on GitHub (Apr 1, 2025): for my landlock postfix daemon tests im using vps root server debian sid. on my 4 notebooks running arch linux apt install postfix-mysql ``` and nano /etc/postfix/master.cf settings for chroot y # ========================================================================== # service type private unpriv chroot wakeup maxproc command + args # (yes) (yes) (no) (never) (100) # ========================================================================== smtp inet n - y - - smtpd ``` replacing postfisc-script with my modified postfix script here, else postfix-script makes trouble and not starting inside firejail sandbox. its a workaround by me. replace postfix-script here /usr/lib/postfix/sbin/postfix-script here is full adjusted script https://gist.github.com/osevan/a0e1f8e1b32897f3cd403acafdfa7bb6 further i setupped virtual mail users this is basic smtp setup with dovecot here is my magic postfix.profile https://gist.github.com/osevan/521bb3e4b96ce9e1d5cc05b1ea5b45db im starting postfix with firejail --debug --profile=/etc/firejail/postfix.profile postfix start dont forget to mention postfix trying in some time period qmgr rename actions. so error not happen on every startup, only after time period like cronjob, but not figured out where i can adjust. thanks and best regards

gitea-mirror commented

2026-05-05 09:55:36 -06:00

Author

Owner

@kmk3 commented on GitHub (Apr 1, 2025):

@osevan

Landlock support in firejail is currently experimental and targets ABI v1.
Also, currently no upstream profile enforces landlock.

As @rusty-snake mentioned, not being able to rename things inside landlocked
paths is a known limitation of ABI v1.

If that is an issue, then it's recommended to avoid enabling landlock support
in firejail.

To disable landlock, simply remove landlock.enforce from the profile (or use
ignore landlock.enforce before it).

@kmk3 commented on GitHub (Apr 1, 2025): @osevan Landlock support in firejail is currently experimental and targets ABI v1. Also, currently no upstream profile enforces landlock. As @rusty-snake mentioned, not being able to rename things inside landlocked paths is a known limitation of ABI v1. If that is an issue, then it's recommended to avoid enabling landlock support in firejail. To disable landlock, simply remove `landlock.enforce` from the profile (or use `ignore landlock.enforce` before it).

gitea-mirror commented

2026-05-05 09:55:36 -06:00

Author

Owner

@osevan commented on GitHub (Apr 1, 2025):

ok , i can use it ofc, but i thought, maybe someone make a update to latest abi 6

@osevan commented on GitHub (Apr 1, 2025): ok , i can use it ofc, but i thought, maybe someone make a update to latest abi 6

gitea-mirror referenced this issue

2026-05-05 10:25:31 -06:00

[PR #3339] [MERGED] early decision in bug report if using git version #4730

Rows
Columns

[GH-ISSUE #6696] landlock: cannot rename file or directory inside landlocked path #3339