[GH-ISSUE #6700] librewolf: failed to detect pkcs11 opensc smartcard #3342

Open
opened 2026-05-05 09:55:37 -06:00 by gitea-mirror · 6 comments

Originally created by @marek22k on GitHub (Apr 4, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6700

Description

I would like to use my Nitrokey as a smartcard in Firefox. To do this, I added it as described in https://github.com/OpenSC/OpenSC/wiki/Installing-OpenSC-PKCS11-Module-in-Firefox,-Step-by-Step. It is displayed without Firejail, but not with it.

Steps to Reproduce

  1. Run in bash LC_ALL=C firejail /usr/bin/librewolf
  2. Go to 'about:preferences'
  3. Search for 'security devices'
  4. Click on 'Security Devices...'

Expected behavior

Image: https://github.com/user-attachments/assets/6f2db739-f1fc-4650-bc09-9562f3523262

Actual behavior

Image: https://github.com/user-attachments/assets/a3021b04-46f6-4aed-adf1-b7b7cc4a4d50

Behavior without a profile

The Nitrokey is displayed.

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.13.7-hardened1-1-hardened x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"): librewolf 136.0.4-1
  • Version of Firejail (firejail --version): firejail version 0.9.74

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.

Log

Output of LC_ALL=C firejail /path/to/program

$ firejail --profile=librewolf /usr/bin/librewolf
Reading profile /etc/firejail/librewolf.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.74

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 71409, child pid 71413
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 73.14 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 148.15 ms
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 312.08 ms
ATTENTION: default value of option mesa_glthread overridden by environment.

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

https://gist.github.com/marek22k/0266574e8874bfe47762e790ec7abdd7

gitea-mirror added the needinfo label 2026-05-05 09:55:37 -06:00

@marek22k commented on GitHub (Apr 4, 2025):

Same for my internal tpm device:

Image: https://github.com/user-attachments/assets/7ea698c0-38d7-426b-a89c-42c43445f411


@kmk3 commented on GitHub (Apr 18, 2025):

Does it work with ignore nou2f or ignore private-dev?

Where does the device appear in /dev?

What is the output of the following:

ls -l /dev/path/to/device

Considering #6704 (https://github.com/netblue30/firejail/pull/6704), does it work with firejail-git (https://github.com/netblue30/firejail?tab=readme-ov-file#building)?


@marek22k commented on GitHub (Apr 18, 2025):

Does it work with ignore nou2f or ignore private-dev?

$ cat /etc/firejail/librewolf.local
ignore private-dev
ignore nou2f

does not work.

$ /usr/local/bin/librewolf 
Reading profile /etc/firejail/librewolf.profile
Reading profile /etc/firejail/librewolf.local
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.74

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 19909, child pid 19913
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 72.32 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 148.02 ms
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 307.11 ms
ATTENTION: default value of option mesa_glthread overridden by environment.
ERROR:fapi:src/tss2-fapi/ifapi_io.c:57:ifapi_io_read_async() Open file "/etc/tpm2-tss/fapi-config.json": No such file or directory 
ERROR:fapi:src/tss2-fapi/ifapi_config.c:169:ifapi_config_initialize_async() Could not read config file  ErrorCode (0x0006000a) 
ERROR:fapi:src/tss2-fapi/api/Fapi_Initialize.c:133:Fapi_Initialize_Async() Could not initialize FAPI context ErrorCode (0x0006000a) 
ERROR:fapi:src/tss2-fapi/api/Fapi_Initialize.c:71:Fapi_Initialize() FAPI Async call initialize ErrorCode (0x0006000a) 
WARNING: Listing FAPI token objects failed: "fapi:IO failure"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.
WARNING: Cannot prepare version query: no such table: schema

ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tcm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:617:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:263:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5
ERROR:fapi:src/tss2-fapi/ifapi_io.c:57:ifapi_io_read_async() Open file "/etc/tpm2-tss/fapi-config.json": No such file or directory 
ERROR:fapi:src/tss2-fapi/ifapi_config.c:169:ifapi_config_initialize_async() Could not read config file  ErrorCode (0x0006000a) 
ERROR:fapi:src/tss2-fapi/api/Fapi_Initialize.c:133:Fapi_Initialize_Async() Could not initialize FAPI context ErrorCode (0x0006000a) 
ERROR:fapi:src/tss2-fapi/api/Fapi_Initialize.c:71:Fapi_Initialize() FAPI Async call initialize ErrorCode (0x0006000a) 
WARNING: Listing FAPI token objects failed: "fapi:IO failure"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tcm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:617:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:263:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5

Parent is shutting down, bye...

Where does the device appear in /dev?

I think /dev/hidraw2.

What is the output of the following:

ls -l /dev/path/to/device

$ ls -l /dev/hidraw2
crw-rw----+ 1 root root 245, 2 18. Apr 07:21 /dev/hidraw2

Considering #6704, does it work with firejail-git?

No, it doesn't work.


@kmk3 commented on GitHub (Apr 18, 2025):

Where does the device appear in /dev?

I think /dev/hidraw2.

Can you try to verify this for sure?

ERROR:fapi:src/tss2-fapi/ifapi_io.c:57:ifapi_io_read_async() Open file "/etc/tpm2-tss/fapi-config.json": No such file or directory 
ERROR:fapi:src/tss2-fapi/ifapi_config.c:169:ifapi_config_initialize_async() Could not read config file  ErrorCode (0x0006000a) 
ERROR:fapi:src/tss2-fapi/api/Fapi_Initialize.c:133:Fapi_Initialize_Async() Could not initialize FAPI context ErrorCode (0x0006000a) 
ERROR:fapi:src/tss2-fapi/api/Fapi_Initialize.c:71:Fapi_Initialize() FAPI Async call initialize ErrorCode (0x0006000a) 
WARNING: Listing FAPI token objects failed: "fapi:IO failure"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.
WARNING: Cannot prepare version query: no such table: schema

ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tcm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:617:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:263:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5

What is the output with firejail-git and the following?

ignore private-bin
ignore private-dev
ignore nou2f

keep-dev-tpm
private-etc tpm2-tss

What is the output of each of the following commands?

ls -l \
  /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \
  /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit

firejail --profile=librewolf ls -l \
  /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \
  /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit
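The host-versus-sandbox comparison kmk3 asks for in the comment above, generalized into a small script that classifies each path instead of leaving two `ls -l` listings to be diffed by eye. This is an added example, not code from the issue or from the firejail project. It assumes firejail is on PATH, that the profile name is passed as the first argument, and that `test` is still reachable inside the sandbox (if the profile uses private-bin, add `ignore private-bin` to its .local as suggested above); the path list is the one from the comment.

```shell
#!/bin/sh
# Added example (not from the firejail issue or project): report which device
# nodes and library paths a process can see on the host versus inside a
# firejail sandbox, so a missing smartcard/TPM can be tied to a profile
# directive. Assumptions: firejail on PATH, profile name in $1, and `test`
# runnable inside the sandbox (e.g. `ignore private-bin` in the .local file).

# probe_path RUNNER PATH
# Runs `test` through RUNNER (a command prefix; empty for the host view) and
# prints one word: ok (exists and readable), denied (exists but read refused),
# missing (not present in that view). `test -r` uses access(2), the same
# permission check an open(O_RDONLY) of the device node would face.
probe_path() {
    runner=$1
    p=$2
    if $runner test -e "$p" 2>/dev/null; then
        if $runner test -r "$p" 2>/dev/null; then
            echo ok
        else
            echo denied
        fi
    else
        echo missing
    fi
}

# compare_visibility SANDBOX_RUNNER PATH...
# Prints one line per path with the host and sandbox verdicts and returns 1
# when any path is seen differently inside the sandbox, i.e. a filesystem
# directive (private-dev, nou2f, private-etc, ...) is hiding or blocking it.
compare_visibility() {
    sandbox=$1
    shift
    rc=0
    for p in "$@"; do
        host=$(probe_path "" "$p")
        inner=$(probe_path "$sandbox" "$p")
        printf '%-32s host=%-8s sandbox=%s\n' "$p" "$host" "$inner"
        [ "$host" = "$inner" ] || rc=1
    done
    return "$rc"
}

# Usage: sh probe-sandbox.sh librewolf
# With no profile argument nothing runs, so the file can also be sourced.
if [ $# -gt 0 ]; then
    compare_visibility "firejail --quiet --profile=$1" \
        /dev/hidraw2 /dev/tpm0 /dev/tpmrm0 \
        /etc/tpm2-tss /usr/lib/pkcs11 /usr/share/p11-kit
fi
```

Run it with the Nitrokey inserted. A path that is ok on the host but missing in the sandbox points at a directive that builds a private view (private-dev, nou2f, private-etc); denied on both sides would instead point at the node's own permissions, and the `+` in `crw-rw----+` means it is an extended ACL, not the root:root group bits, that grants the user access, so check it with getfacl rather than reading the mode string.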

@marek22k commented on GitHub (Apr 18, 2025):

Where does the device appear in /dev?

I think /dev/hidraw2.

Can you try to verify this for sure?

It is at least the device that appears when I insert the Nitrokey.

$ diff with_nitrokey.txt without_nitrokey.txt 
29d28
< hidraw0
191d189
< usb

[marek22]: LibreWolf with TPM access error

What is the output with firejail-git and the following?

ignore private-bin
ignore private-dev
ignore nou2f

keep-dev-tpm
private-etc tpm2-tss

Also doesn't work.

$ /usr/local/bin/librewolf 
Reading profile /etc/firejail/librewolf.profile
Reading profile /etc/firejail/librewolf.local
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.75

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 13613, child pid 13617
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 89.69 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 147.93 ms
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 317.81 ms
ATTENTION: default value of option mesa_glthread overridden by environment.
WARNING:fapi:src/tss2-fapi/ifapi_io.c:339:ifapi_io_check_create_dir() Directory /run/tpm2-tss/eventlog/ does not exist, creating 
ERROR:fapi:src/tss2-fapi/ifapi_helpers.c:1055:create_dirs() mkdir not possible: -1 /run/tpm2-tss/ 
ERROR:fapi:src/tss2-fapi/ifapi_helpers.c:1082:ifapi_create_dirs() ErrorCode (0x0006000b) Create directories for /run/tpm2-tss/eventlog/ 
ERROR:fapi:src/tss2-fapi/ifapi_io.c:342:ifapi_io_check_create_dir() ErrorCode (0x0006000b) Directory /run/tpm2-tss/eventlog/ can't be created. 
ERROR:fapi:src/tss2-fapi/ifapi_eventlog.c:54:ifapi_eventlog_initialize() ErrorCode (0x0006000b) Directory check/creation failed for /run/tpm2-tss/eventlog/ 
ERROR:fapi:src/tss2-fapi/api/Fapi_Initialize.c:205:Fapi_Initialize_Finish() Initializing eventlog module ErrorCode (0x0006000b) 
WARNING: Listing FAPI token objects failed: "fapi:A parameter has a bad value"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.
WARNING: Cannot prepare version query: no such table: schema

ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tcm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:617:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:263:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5
WARNING:fapi:src/tss2-fapi/ifapi_io.c:339:ifapi_io_check_create_dir() Directory /run/tpm2-tss/eventlog/ does not exist, creating 
ERROR:fapi:src/tss2-fapi/ifapi_helpers.c:1055:create_dirs() mkdir not possible: -1 /run/tpm2-tss/ 
ERROR:fapi:src/tss2-fapi/ifapi_helpers.c:1082:ifapi_create_dirs() ErrorCode (0x0006000b) Create directories for /run/tpm2-tss/eventlog/ 
ERROR:fapi:src/tss2-fapi/ifapi_io.c:342:ifapi_io_check_create_dir() ErrorCode (0x0006000b) Directory /run/tpm2-tss/eventlog/ can't be created. 
ERROR:fapi:src/tss2-fapi/ifapi_eventlog.c:54:ifapi_eventlog_initialize() ErrorCode (0x0006000b) Directory check/creation failed for /run/tpm2-tss/eventlog/ 
ERROR:fapi:src/tss2-fapi/api/Fapi_Initialize.c:205:Fapi_Initialize_Finish() Initializing eventlog module ErrorCode (0x0006000b) 
WARNING: Listing FAPI token objects failed: "fapi:A parameter has a bad value"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tcm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:617:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host ::1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:263:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5

Parent is shutting down, bye...
$ cat /etc/firejail/librewolf.local 
ignore private-bin
ignore private-dev
ignore nou2f

keep-dev-tpm
private-etc tpm2-tss

The changes to the .local are automatically applied the next time LibreWolf is started, right?

What is the output of each of the following commands?

ls -l \
  /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \
  /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit

$ ls -l \
  /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \
  /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit
ls: cannot access '/dev/tcm*': No such file or directory
crw------- 1 root root 245,     2 18. Apr 20:41  /dev/hidraw2
crw-rw---- 1 tss  root  10,   224 18. Apr 18:50  /dev/tpm0
crw-rw---- 1 root tss  253, 65536 18. Apr 18:50  /dev/tpmrm0
crw-rw---- 1 root tss  253, 65536 18. Apr 18:50  /dev/tpmrm0
lrwxrwxrwx 1 root root         21 13. Sep 2024   /usr/lib/libtss2-esys.so -> libtss2-esys.so.0.0.1
lrwxrwxrwx 1 root root         21 13. Sep 2024   /usr/lib/libtss2-esys.so.0 -> libtss2-esys.so.0.0.1
-rwxr-xr-x 1 root root     559760 13. Sep 2024   /usr/lib/libtss2-esys.so.0.0.1
lrwxrwxrwx 1 root root         21 13. Sep 2024   /usr/lib/libtss2-fapi.so -> libtss2-fapi.so.1.0.0
lrwxrwxrwx 1 root root         21 13. Sep 2024   /usr/lib/libtss2-fapi.so.1 -> libtss2-fapi.so.1.0.0
-rwxr-xr-x 1 root root     941368 13. Sep 2024   /usr/lib/libtss2-fapi.so.1.0.0
lrwxrwxrwx 1 root root         19 13. Sep 2024   /usr/lib/libtss2-mu.so -> libtss2-mu.so.0.0.1
lrwxrwxrwx 1 root root         19 13. Sep 2024   /usr/lib/libtss2-mu.so.0 -> libtss2-mu.so.0.0.1
-rwxr-xr-x 1 root root     280552 13. Sep 2024   /usr/lib/libtss2-mu.so.0.0.1
lrwxrwxrwx 1 root root         23 13. Sep 2024   /usr/lib/libtss2-policy.so -> libtss2-policy.so.0.0.0
lrwxrwxrwx 1 root root         23 13. Sep 2024   /usr/lib/libtss2-policy.so.0 -> libtss2-policy.so.0.0.0
-rwxr-xr-x 1 root root     535608 13. Sep 2024   /usr/lib/libtss2-policy.so.0.0.0
lrwxrwxrwx 1 root root         19 13. Sep 2024   /usr/lib/libtss2-rc.so -> libtss2-rc.so.0.0.0
lrwxrwxrwx 1 root root         19 13. Sep 2024   /usr/lib/libtss2-rc.so.0 -> libtss2-rc.so.0.0.0
-rwxr-xr-x 1 root root      31752 13. Sep 2024   /usr/lib/libtss2-rc.so.0.0.0
lrwxrwxrwx 1 root root         20 13. Sep 2024   /usr/lib/libtss2-sys.so -> libtss2-sys.so.1.0.1
lrwxrwxrwx 1 root root         20 13. Sep 2024   /usr/lib/libtss2-sys.so.1 -> libtss2-sys.so.1.0.1
-rwxr-xr-x 1 root root     128976 13. Sep 2024   /usr/lib/libtss2-sys.so.1.0.1
lrwxrwxrwx 1 root root         25 13. Sep 2024   /usr/lib/libtss2-tcti-cmd.so -> libtss2-tcti-cmd.so.0.0.0
lrwxrwxrwx 1 root root         25 13. Sep 2024   /usr/lib/libtss2-tcti-cmd.so.0 -> libtss2-tcti-cmd.so.0.0.0
-rwxr-xr-x 1 root root      30680 13. Sep 2024   /usr/lib/libtss2-tcti-cmd.so.0.0.0
lrwxrwxrwx 1 root root         28 13. Sep 2024   /usr/lib/libtss2-tcti-device.so -> libtss2-tcti-device.so.0.0.0
lrwxrwxrwx 1 root root         28 13. Sep 2024   /usr/lib/libtss2-tcti-device.so.0 -> libtss2-tcti-device.so.0.0.0
-rwxr-xr-x 1 root root      30688 13. Sep 2024   /usr/lib/libtss2-tcti-device.so.0.0.0
lrwxrwxrwx 1 root root         32 13. Sep 2024   /usr/lib/libtss2-tcti-i2c-helper.so -> libtss2-tcti-i2c-helper.so.0.0.0
lrwxrwxrwx 1 root root         32 13. Sep 2024   /usr/lib/libtss2-tcti-i2c-helper.so.0 -> libtss2-tcti-i2c-helper.so.0.0.0
-rwxr-xr-x 1 root root      30688 13. Sep 2024   /usr/lib/libtss2-tcti-i2c-helper.so.0.0.0
lrwxrwxrwx 1 root root         24 13. Sep 2024   /usr/lib/libtss2-tctildr.so -> libtss2-tctildr.so.0.0.0
lrwxrwxrwx 1 root root         24 13. Sep 2024   /usr/lib/libtss2-tctildr.so.0 -> libtss2-tctildr.so.0.0.0
-rwxr-xr-x 1 root root      26768 13. Sep 2024   /usr/lib/libtss2-tctildr.so.0.0.0
lrwxrwxrwx 1 root root         27 13. Sep 2024   /usr/lib/libtss2-tcti-mssim.so -> libtss2-tcti-mssim.so.0.0.0
lrwxrwxrwx 1 root root         27 13. Sep 2024   /usr/lib/libtss2-tcti-mssim.so.0 -> libtss2-tcti-mssim.so.0.0.0
-rwxr-xr-x 1 root root      30688 13. Sep 2024   /usr/lib/libtss2-tcti-mssim.so.0.0.0
lrwxrwxrwx 1 root root         26 13. Sep 2024   /usr/lib/libtss2-tcti-pcap.so -> libtss2-tcti-pcap.so.0.0.0
lrwxrwxrwx 1 root root         26 13. Sep 2024   /usr/lib/libtss2-tcti-pcap.so.0 -> libtss2-tcti-pcap.so.0.0.0
-rwxr-xr-x 1 root root      30696 13. Sep 2024   /usr/lib/libtss2-tcti-pcap.so.0.0.0
lrwxrwxrwx 1 root root         28 13. Sep 2024   /usr/lib/libtss2-tcti-spidev.so -> libtss2-tcti-spidev.so.0.0.0
lrwxrwxrwx 1 root root         28 13. Sep 2024   /usr/lib/libtss2-tcti-spidev.so.0 -> libtss2-tcti-spidev.so.0.0.0
-rwxr-xr-x 1 root root      18400 13. Sep 2024   /usr/lib/libtss2-tcti-spidev.so.0.0.0
lrwxrwxrwx 1 root root         32 13. Sep 2024   /usr/lib/libtss2-tcti-spi-helper.so -> libtss2-tcti-spi-helper.so.0.0.0
lrwxrwxrwx 1 root root         32 13. Sep 2024   /usr/lib/libtss2-tcti-spi-helper.so.0 -> libtss2-tcti-spi-helper.so.0.0.0
-rwxr-xr-x 1 root root      30688 13. Sep 2024   /usr/lib/libtss2-tcti-spi-helper.so.0.0.0
lrwxrwxrwx 1 root root         27 13. Sep 2024   /usr/lib/libtss2-tcti-swtpm.so -> libtss2-tcti-swtpm.so.0.0.0
lrwxrwxrwx 1 root root         27 13. Sep 2024   /usr/lib/libtss2-tcti-swtpm.so.0 -> libtss2-tcti-swtpm.so.0.0.0
-rwxr-xr-x 1 root root      30688 13. Sep 2024   /usr/lib/libtss2-tcti-swtpm.so.0.0.0

/etc/tpm2-tss:
total 4
-rw-r--r-- 1 root root 368 13. Sep 2024  fapi-config.json
drwxr-xr-x 1 root root 160 21. Okt 06:14 fapi-profiles

/usr/lib/pkcs11:
total 1684
-rwxr-xr-x 1 root root   68208 18. Mär 18:43 gnome-keyring-pkcs11.so
lrwxrwxrwx 1 root root      23  7. Dez 12:22 libtpm2_pkcs11.so -> libtpm2_pkcs11.so.0.0.0
lrwxrwxrwx 1 root root      23  7. Dez 12:22 libtpm2_pkcs11.so.0 -> libtpm2_pkcs11.so.0.0.0
-rwxr-xr-x 1 root root  249992  7. Dez 12:22 libtpm2_pkcs11.so.0.0.0
lrwxrwxrwx 1 root root      26 14. Jan 17:15 onepin-opensc-pkcs11.so -> ../onepin-opensc-pkcs11.so
lrwxrwxrwx 1 root root      19 14. Jan 17:15 opensc-pkcs11.so -> ../opensc-pkcs11.so
-rwxr-xr-x 1 root root 1174112  4. Jul 2024  p11-kit-client.so
-rwxr-xr-x 1 root root  203544  4. Jul 2024  p11-kit-trust.so
lrwxrwxrwx 1 root root      16 14. Jan 17:15 pkcs11-spy.so -> ../pkcs11-spy.so

/usr/share/p11-kit:
total 0
drwxr-xr-x 1 root root 116 30. Mär 18:16 modules

firejail --profile=librewolf ls -l \
  /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \
  /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit

$ firejail --profile=librewolf ls -l \
  /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \
  /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit

Reading profile /etc/firejail/librewolf.profile
Reading profile /etc/firejail/librewolf.local
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.75

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 15041, child pid 15045
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 74.97 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 149.18 ms
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 300.03 ms
ls: cannot access '/dev/tcm*': No such file or directory
crw------- 1 nobody nobody 245,     2 18. Apr 20:41  /dev/hidraw2
crw-rw---- 1 nobody nobody  10,   224 18. Apr 18:50  /dev/tpm0
crw-rw---- 1 nobody nobody 253, 65536 18. Apr 18:50  /dev/tpmrm0
crw-rw---- 1 nobody nobody 253, 65536 18. Apr 18:50  /dev/tpmrm0
lrwxrwxrwx 1 nobody nobody         21 13. Sep 2024   /usr/lib/libtss2-esys.so -> libtss2-esys.so.0.0.1
lrwxrwxrwx 1 nobody nobody         21 13. Sep 2024   /usr/lib/libtss2-esys.so.0 -> libtss2-esys.so.0.0.1
-rwxr-xr-x 1 nobody nobody     559760 13. Sep 2024   /usr/lib/libtss2-esys.so.0.0.1
lrwxrwxrwx 1 nobody nobody         21 13. Sep 2024   /usr/lib/libtss2-fapi.so -> libtss2-fapi.so.1.0.0
lrwxrwxrwx 1 nobody nobody         21 13. Sep 2024   /usr/lib/libtss2-fapi.so.1 -> libtss2-fapi.so.1.0.0
-rwxr-xr-x 1 nobody nobody     941368 13. Sep 2024   /usr/lib/libtss2-fapi.so.1.0.0
lrwxrwxrwx 1 nobody nobody         19 13. Sep 2024   /usr/lib/libtss2-mu.so -> libtss2-mu.so.0.0.1
lrwxrwxrwx 1 nobody nobody         19 13. Sep 2024   /usr/lib/libtss2-mu.so.0 -> libtss2-mu.so.0.0.1
-rwxr-xr-x 1 nobody nobody     280552 13. Sep 2024   /usr/lib/libtss2-mu.so.0.0.1
lrwxrwxrwx 1 nobody nobody         23 13. Sep 2024   /usr/lib/libtss2-policy.so -> libtss2-policy.so.0.0.0
lrwxrwxrwx 1 nobody nobody         23 13. Sep 2024   /usr/lib/libtss2-policy.so.0 -> libtss2-policy.so.0.0.0
-rwxr-xr-x 1 nobody nobody     535608 13. Sep 2024   /usr/lib/libtss2-policy.so.0.0.0
lrwxrwxrwx 1 nobody nobody         19 13. Sep 2024   /usr/lib/libtss2-rc.so -> libtss2-rc.so.0.0.0
lrwxrwxrwx 1 nobody nobody         19 13. Sep 2024   /usr/lib/libtss2-rc.so.0 -> libtss2-rc.so.0.0.0
-rwxr-xr-x 1 nobody nobody      31752 13. Sep 2024   /usr/lib/libtss2-rc.so.0.0.0
lrwxrwxrwx 1 nobody nobody         20 13. Sep 2024   /usr/lib/libtss2-sys.so -> libtss2-sys.so.1.0.1
lrwxrwxrwx 1 nobody nobody         20 13. Sep 2024   /usr/lib/libtss2-sys.so.1 -> libtss2-sys.so.1.0.1
-rwxr-xr-x 1 nobody nobody     128976 13. Sep 2024   /usr/lib/libtss2-sys.so.1.0.1
lrwxrwxrwx 1 nobody nobody         25 13. Sep 2024   /usr/lib/libtss2-tcti-cmd.so -> libtss2-tcti-cmd.so.0.0.0
lrwxrwxrwx 1 nobody nobody         25 13. Sep 2024   /usr/lib/libtss2-tcti-cmd.so.0 -> libtss2-tcti-cmd.so.0.0.0
-rwxr-xr-x 1 nobody nobody      30680 13. Sep 2024   /usr/lib/libtss2-tcti-cmd.so.0.0.0
lrwxrwxrwx 1 nobody nobody         28 13. Sep 2024   /usr/lib/libtss2-tcti-device.so -> libtss2-tcti-device.so.0.0.0
lrwxrwxrwx 1 nobody nobody         28 13. Sep 2024   /usr/lib/libtss2-tcti-device.so.0 -> libtss2-tcti-device.so.0.0.0
-rwxr-xr-x 1 nobody nobody      30688 13. Sep 2024   /usr/lib/libtss2-tcti-device.so.0.0.0
lrwxrwxrwx 1 nobody nobody         32 13. Sep 2024   /usr/lib/libtss2-tcti-i2c-helper.so -> libtss2-tcti-i2c-helper.so.0.0.0
lrwxrwxrwx 1 nobody nobody         32 13. Sep 2024   /usr/lib/libtss2-tcti-i2c-helper.so.0 -> libtss2-tcti-i2c-helper.so.0.0.0
-rwxr-xr-x 1 nobody nobody      30688 13. Sep 2024   /usr/lib/libtss2-tcti-i2c-helper.so.0.0.0
lrwxrwxrwx 1 nobody nobody         24 13. Sep 2024   /usr/lib/libtss2-tctildr.so -> libtss2-tctildr.so.0.0.0
lrwxrwxrwx 1 nobody nobody         24 13. Sep 2024   /usr/lib/libtss2-tctildr.so.0 -> libtss2-tctildr.so.0.0.0
-rwxr-xr-x 1 nobody nobody      26768 13. Sep 2024   /usr/lib/libtss2-tctildr.so.0.0.0
lrwxrwxrwx 1 nobody nobody         27 13. Sep 2024   /usr/lib/libtss2-tcti-mssim.so -> libtss2-tcti-mssim.so.0.0.0
lrwxrwxrwx 1 nobody nobody         27 13. Sep 2024   /usr/lib/libtss2-tcti-mssim.so.0 -> libtss2-tcti-mssim.so.0.0.0
-rwxr-xr-x 1 nobody nobody      30688 13. Sep 2024   /usr/lib/libtss2-tcti-mssim.so.0.0.0
lrwxrwxrwx 1 nobody nobody         26 13. Sep 2024   /usr/lib/libtss2-tcti-pcap.so -> libtss2-tcti-pcap.so.0.0.0
lrwxrwxrwx 1 nobody nobody         26 13. Sep 2024   /usr/lib/libtss2-tcti-pcap.so.0 -> libtss2-tcti-pcap.so.0.0.0
-rwxr-xr-x 1 nobody nobody      30696 13. Sep 2024   /usr/lib/libtss2-tcti-pcap.so.0.0.0
lrwxrwxrwx 1 nobody nobody         28 13. Sep 2024   /usr/lib/libtss2-tcti-spidev.so -> libtss2-tcti-spidev.so.0.0.0
lrwxrwxrwx 1 nobody nobody         28 13. Sep 2024   /usr/lib/libtss2-tcti-spidev.so.0 -> libtss2-tcti-spidev.so.0.0.0
-rwxr-xr-x 1 nobody nobody      18400 13. Sep 2024   /usr/lib/libtss2-tcti-spidev.so.0.0.0
lrwxrwxrwx 1 nobody nobody         32 13. Sep 2024   /usr/lib/libtss2-tcti-spi-helper.so -> libtss2-tcti-spi-helper.so.0.0.0
lrwxrwxrwx 1 nobody nobody         32 13. Sep 2024   /usr/lib/libtss2-tcti-spi-helper.so.0 -> libtss2-tcti-spi-helper.so.0.0.0
-rwxr-xr-x 1 nobody nobody      30688 13. Sep 2024   /usr/lib/libtss2-tcti-spi-helper.so.0.0.0
lrwxrwxrwx 1 nobody nobody         27 13. Sep 2024   /usr/lib/libtss2-tcti-swtpm.so -> libtss2-tcti-swtpm.so.0.0.0
lrwxrwxrwx 1 nobody nobody         27 13. Sep 2024   /usr/lib/libtss2-tcti-swtpm.so.0 -> libtss2-tcti-swtpm.so.0.0.0
-rwxr-xr-x 1 nobody nobody      30688 13. Sep 2024   /usr/lib/libtss2-tcti-swtpm.so.0.0.0

/etc/tpm2-tss:
total 4
-rw-r--r-- 1 nobody nobody 368 18. Apr 21:02 fapi-config.json
drwxr-xr-x 2 nobody nobody 120 18. Apr 21:02 fapi-profiles

/usr/lib/pkcs11:
total 1684
-rwxr-xr-x 1 nobody nobody   68208 18. Mär 18:43 gnome-keyring-pkcs11.so
lrwxrwxrwx 1 nobody nobody      23  7. Dez 12:22 libtpm2_pkcs11.so -> libtpm2_pkcs11.so.0.0.0
lrwxrwxrwx 1 nobody nobody      23  7. Dez 12:22 libtpm2_pkcs11.so.0 -> libtpm2_pkcs11.so.0.0.0
-rwxr-xr-x 1 nobody nobody  249992  7. Dez 12:22 libtpm2_pkcs11.so.0.0.0
lrwxrwxrwx 1 nobody nobody      26 14. Jan 17:15 onepin-opensc-pkcs11.so -> ../onepin-opensc-pkcs11.so
lrwxrwxrwx 1 nobody nobody      19 14. Jan 17:15 opensc-pkcs11.so -> ../opensc-pkcs11.so
-rwxr-xr-x 1 nobody nobody 1174112  4. Jul 2024  p11-kit-client.so
-rwxr-xr-x 1 nobody nobody  203544  4. Jul 2024  p11-kit-trust.so
lrwxrwxrwx 1 nobody nobody      16 14. Jan 17:15 pkcs11-spy.so -> ../pkcs11-spy.so

/usr/share/p11-kit:
total 0
drwxr-xr-x 1 nobody nobody 116 30. Mär 18:16 modules

Parent is shutting down, bye...

And without .local modifications:

$ firejail --profile=librewolf ls -l \
  /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \
  /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit
Reading profile /etc/firejail/librewolf.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.75

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 15317, child pid 15321
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 80.03 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 148.17 ms
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 310.43 ms
ls: cannot access '/dev/hidraw2': No such file or directory
ls: cannot access '/dev/tcm*': No such file or directory
ls: cannot access '/dev/tpm0': No such file or directory
ls: cannot access '/dev/tpmrm0': No such file or directory
ls: cannot access '/dev/tpmrm0': No such file or directory
ls: cannot access '/etc/tpm2-tss': No such file or directory
lrwxrwxrwx 1 nobody nobody     21 13. Sep 2024   /usr/lib/libtss2-esys.so -> libtss2-esys.so.0.0.1
lrwxrwxrwx 1 nobody nobody     21 13. Sep 2024   /usr/lib/libtss2-esys.so.0 -> libtss2-esys.so.0.0.1
-rwxr-xr-x 1 nobody nobody 559760 13. Sep 2024   /usr/lib/libtss2-esys.so.0.0.1
lrwxrwxrwx 1 nobody nobody     21 13. Sep 2024   /usr/lib/libtss2-fapi.so -> libtss2-fapi.so.1.0.0
lrwxrwxrwx 1 nobody nobody     21 13. Sep 2024   /usr/lib/libtss2-fapi.so.1 -> libtss2-fapi.so.1.0.0
-rwxr-xr-x 1 nobody nobody 941368 13. Sep 2024   /usr/lib/libtss2-fapi.so.1.0.0
lrwxrwxrwx 1 nobody nobody     19 13. Sep 2024   /usr/lib/libtss2-mu.so -> libtss2-mu.so.0.0.1
lrwxrwxrwx 1 nobody nobody     19 13. Sep 2024   /usr/lib/libtss2-mu.so.0 -> libtss2-mu.so.0.0.1
-rwxr-xr-x 1 nobody nobody 280552 13. Sep 2024   /usr/lib/libtss2-mu.so.0.0.1
lrwxrwxrwx 1 nobody nobody     23 13. Sep 2024   /usr/lib/libtss2-policy.so -> libtss2-policy.so.0.0.0
lrwxrwxrwx 1 nobody nobody     23 13. Sep 2024   /usr/lib/libtss2-policy.so.0 -> libtss2-policy.so.0.0.0
-rwxr-xr-x 1 nobody nobody 535608 13. Sep 2024   /usr/lib/libtss2-policy.so.0.0.0
lrwxrwxrwx 1 nobody nobody     19 13. Sep 2024   /usr/lib/libtss2-rc.so -> libtss2-rc.so.0.0.0
lrwxrwxrwx 1 nobody nobody     19 13. Sep 2024   /usr/lib/libtss2-rc.so.0 -> libtss2-rc.so.0.0.0
-rwxr-xr-x 1 nobody nobody  31752 13. Sep 2024   /usr/lib/libtss2-rc.so.0.0.0
lrwxrwxrwx 1 nobody nobody     20 13. Sep 2024   /usr/lib/libtss2-sys.so -> libtss2-sys.so.1.0.1
lrwxrwxrwx 1 nobody nobody     20 13. Sep 2024   /usr/lib/libtss2-sys.so.1 -> libtss2-sys.so.1.0.1
-rwxr-xr-x 1 nobody nobody 128976 13. Sep 2024   /usr/lib/libtss2-sys.so.1.0.1
lrwxrwxrwx 1 nobody nobody     25 13. Sep 2024   /usr/lib/libtss2-tcti-cmd.so -> libtss2-tcti-cmd.so.0.0.0
lrwxrwxrwx 1 nobody nobody     25 13. Sep 2024   /usr/lib/libtss2-tcti-cmd.so.0 -> libtss2-tcti-cmd.so.0.0.0
-rwxr-xr-x 1 nobody nobody  30680 13. Sep 2024   /usr/lib/libtss2-tcti-cmd.so.0.0.0
lrwxrwxrwx 1 nobody nobody     28 13. Sep 2024   /usr/lib/libtss2-tcti-device.so -> libtss2-tcti-device.so.0.0.0
lrwxrwxrwx 1 nobody nobody     28 13. Sep 2024   /usr/lib/libtss2-tcti-device.so.0 -> libtss2-tcti-device.so.0.0.0
-rwxr-xr-x 1 nobody nobody  30688 13. Sep 2024   /usr/lib/libtss2-tcti-device.so.0.0.0
lrwxrwxrwx 1 nobody nobody     32 13. Sep 2024   /usr/lib/libtss2-tcti-i2c-helper.so -> libtss2-tcti-i2c-helper.so.0.0.0
lrwxrwxrwx 1 nobody nobody     32 13. Sep 2024   /usr/lib/libtss2-tcti-i2c-helper.so.0 -> libtss2-tcti-i2c-helper.so.0.0.0
-rwxr-xr-x 1 nobody nobody  30688 13. Sep 2024   /usr/lib/libtss2-tcti-i2c-helper.so.0.0.0
lrwxrwxrwx 1 nobody nobody     24 13. Sep 2024   /usr/lib/libtss2-tctildr.so -> libtss2-tctildr.so.0.0.0
lrwxrwxrwx 1 nobody nobody     24 13. Sep 2024   /usr/lib/libtss2-tctildr.so.0 -> libtss2-tctildr.so.0.0.0
-rwxr-xr-x 1 nobody nobody  26768 13. Sep 2024   /usr/lib/libtss2-tctildr.so.0.0.0
lrwxrwxrwx 1 nobody nobody     27 13. Sep 2024   /usr/lib/libtss2-tcti-mssim.so -> libtss2-tcti-mssim.so.0.0.0
lrwxrwxrwx 1 nobody nobody     27 13. Sep 2024   /usr/lib/libtss2-tcti-mssim.so.0 -> libtss2-tcti-mssim.so.0.0.0
-rwxr-xr-x 1 nobody nobody  30688 13. Sep 2024   /usr/lib/libtss2-tcti-mssim.so.0.0.0
lrwxrwxrwx 1 nobody nobody     26 13. Sep 2024   /usr/lib/libtss2-tcti-pcap.so -> libtss2-tcti-pcap.so.0.0.0
lrwxrwxrwx 1 nobody nobody     26 13. Sep 2024   /usr/lib/libtss2-tcti-pcap.so.0 -> libtss2-tcti-pcap.so.0.0.0
-rwxr-xr-x 1 nobody nobody  30696 13. Sep 2024   /usr/lib/libtss2-tcti-pcap.so.0.0.0
lrwxrwxrwx 1 nobody nobody     28 13. Sep 2024   /usr/lib/libtss2-tcti-spidev.so -> libtss2-tcti-spidev.so.0.0.0
lrwxrwxrwx 1 nobody nobody     28 13. Sep 2024   /usr/lib/libtss2-tcti-spidev.so.0 -> libtss2-tcti-spidev.so.0.0.0
-rwxr-xr-x 1 nobody nobody  18400 13. Sep 2024   /usr/lib/libtss2-tcti-spidev.so.0.0.0
lrwxrwxrwx 1 nobody nobody     32 13. Sep 2024   /usr/lib/libtss2-tcti-spi-helper.so -> libtss2-tcti-spi-helper.so.0.0.0
lrwxrwxrwx 1 nobody nobody     32 13. Sep 2024   /usr/lib/libtss2-tcti-spi-helper.so.0 -> libtss2-tcti-spi-helper.so.0.0.0
-rwxr-xr-x 1 nobody nobody  30688 13. Sep 2024   /usr/lib/libtss2-tcti-spi-helper.so.0.0.0
lrwxrwxrwx 1 nobody nobody     27 13. Sep 2024   /usr/lib/libtss2-tcti-swtpm.so -> libtss2-tcti-swtpm.so.0.0.0
lrwxrwxrwx 1 nobody nobody     27 13. Sep 2024   /usr/lib/libtss2-tcti-swtpm.so.0 -> libtss2-tcti-swtpm.so.0.0.0
-rwxr-xr-x 1 nobody nobody  30688 13. Sep 2024   /usr/lib/libtss2-tcti-swtpm.so.0.0.0

/usr/lib/pkcs11:
total 1684
-rwxr-xr-x 1 nobody nobody   68208 18. Mär 18:43 gnome-keyring-pkcs11.so
lrwxrwxrwx 1 nobody nobody      23  7. Dez 12:22 libtpm2_pkcs11.so -> libtpm2_pkcs11.so.0.0.0
lrwxrwxrwx 1 nobody nobody      23  7. Dez 12:22 libtpm2_pkcs11.so.0 -> libtpm2_pkcs11.so.0.0.0
-rwxr-xr-x 1 nobody nobody  249992  7. Dez 12:22 libtpm2_pkcs11.so.0.0.0
lrwxrwxrwx 1 nobody nobody      26 14. Jan 17:15 onepin-opensc-pkcs11.so -> ../onepin-opensc-pkcs11.so
lrwxrwxrwx 1 nobody nobody      19 14. Jan 17:15 opensc-pkcs11.so -> ../opensc-pkcs11.so
-rwxr-xr-x 1 nobody nobody 1174112  4. Jul 2024  p11-kit-client.so
-rwxr-xr-x 1 nobody nobody  203544  4. Jul 2024  p11-kit-trust.so
lrwxrwxrwx 1 nobody nobody      16 14. Jan 17:15 pkcs11-spy.so -> ../pkcs11-spy.so

/usr/share/p11-kit:
total 0
drwxr-xr-x 1 nobody nobody 116 30. Mär 18:16 modules

Parent is shutting down, bye...
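An added diagnostic, not code from the issue or from the firejail project: it classifies each path the PKCS#11 backends in this thread depend on as missing, denied or ok, so that when run on the host and again inside the sandbox it separates a path the profile hides entirely (the "No such file or directory" lines above) from one that is visible but not openable by the sandboxed user (the "Permission denied" lines for /dev/tpmrm0 and /dev/tpm0). The pcscd socket path is an assumption (pcsc-lite's default) that the thread does not mention.

```shell
#!/bin/sh
# Added diagnostic for this thread (not from the issue or from firejail).
# Run on the host, then inside the sandbox:
#   firejail --profile=librewolf sh ./pkcs11-access-check.sh
# "missing" = path hidden by the sandbox (private-dev, private-etc, whitelists)
# "denied"  = path visible, but the sandboxed user cannot open it in that mode
# "ok"      = reachable in the required mode

# check_access PATH MODE
#   MODE is "r" (read) or "rw" (read and write).
#   Prints exactly one of: missing, denied, ok.  Returns 2 on a bad MODE.
check_access() {
    path=$1
    mode=$2
    if [ ! -e "$path" ]; then
        printf 'missing\n'
        return 0
    fi
    allowed=1
    case $mode in
        r)  [ -r "$path" ] || allowed=0 ;;
        rw) { [ -r "$path" ] && [ -w "$path" ]; } || allowed=0 ;;
        *)  printf 'check_access: unknown mode %s\n' "$mode" >&2; return 2 ;;
    esac
    if [ "$allowed" -eq 1 ]; then
        printf 'ok\n'
    else
        printf 'denied\n'
    fi
}

# unreachable MODE PATH...
#   Prints "<verdict> <path>" for every path that is not ok in MODE;
#   prints nothing when all of them are reachable.
unreachable() {
    mode=$1
    shift
    for p in "$@"; do
        verdict=$(check_access "$p" "$mode")
        [ "$verdict" = ok ] || printf '%s %s\n' "$verdict" "$p"
    done
}

main() {
    echo "# device nodes (opened read/write)"
    # /dev/tpmrm0 and /dev/tpm0 are what the tss2 TCTI "device" driver tries in
    # the log above; /dev/hidraw2 is the node that appeared with the Nitrokey.
    unreachable rw /dev/tpmrm0 /dev/tpm0 /dev/hidraw2

    echo "# read-only inputs (FAPI config, PKCS#11 modules)"
    unreachable r /etc/tpm2-tss/fapi-config.json \
                  /usr/lib/pkcs11/libtpm2_pkcs11.so \
                  /usr/lib/pkcs11/opensc-pkcs11.so

    echo "# writable runtime paths"
    # FAPI tries to create its eventlog under /run/tpm2-tss ("mkdir not
    # possible" in the log).  /run/pcscd/pcscd.comm is pcsc-lite's default
    # socket, which OpenSC uses to reach a card reader; the thread does not
    # mention it, so this line is an assumption.
    unreachable rw /run/tpm2-tss /run/pcscd/pcscd.comm

    echo "# (an empty group above means every path in it is reachable)"
}

main
```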
Sep 2024 /usr/lib/libtss2-tcti-mssim.so.0 -> libtss2-tcti-mssim.so.0.0.0 -rwxr-xr-x 1 root root 30688 13. Sep 2024 /usr/lib/libtss2-tcti-mssim.so.0.0.0 lrwxrwxrwx 1 root root 26 13. Sep 2024 /usr/lib/libtss2-tcti-pcap.so -> libtss2-tcti-pcap.so.0.0.0 lrwxrwxrwx 1 root root 26 13. Sep 2024 /usr/lib/libtss2-tcti-pcap.so.0 -> libtss2-tcti-pcap.so.0.0.0 -rwxr-xr-x 1 root root 30696 13. Sep 2024 /usr/lib/libtss2-tcti-pcap.so.0.0.0 lrwxrwxrwx 1 root root 28 13. Sep 2024 /usr/lib/libtss2-tcti-spidev.so -> libtss2-tcti-spidev.so.0.0.0 lrwxrwxrwx 1 root root 28 13. Sep 2024 /usr/lib/libtss2-tcti-spidev.so.0 -> libtss2-tcti-spidev.so.0.0.0 -rwxr-xr-x 1 root root 18400 13. Sep 2024 /usr/lib/libtss2-tcti-spidev.so.0.0.0 lrwxrwxrwx 1 root root 32 13. Sep 2024 /usr/lib/libtss2-tcti-spi-helper.so -> libtss2-tcti-spi-helper.so.0.0.0 lrwxrwxrwx 1 root root 32 13. Sep 2024 /usr/lib/libtss2-tcti-spi-helper.so.0 -> libtss2-tcti-spi-helper.so.0.0.0 -rwxr-xr-x 1 root root 30688 13. Sep 2024 /usr/lib/libtss2-tcti-spi-helper.so.0.0.0 lrwxrwxrwx 1 root root 27 13. Sep 2024 /usr/lib/libtss2-tcti-swtpm.so -> libtss2-tcti-swtpm.so.0.0.0 lrwxrwxrwx 1 root root 27 13. Sep 2024 /usr/lib/libtss2-tcti-swtpm.so.0 -> libtss2-tcti-swtpm.so.0.0.0 -rwxr-xr-x 1 root root 30688 13. Sep 2024 /usr/lib/libtss2-tcti-swtpm.so.0.0.0 /etc/tpm2-tss: total 4 -rw-r--r-- 1 root root 368 13. Sep 2024 fapi-config.json drwxr-xr-x 1 root root 160 21. Okt 06:14 fapi-profiles /usr/lib/pkcs11: total 1684 -rwxr-xr-x 1 root root 68208 18. Mär 18:43 gnome-keyring-pkcs11.so lrwxrwxrwx 1 root root 23 7. Dez 12:22 libtpm2_pkcs11.so -> libtpm2_pkcs11.so.0.0.0 lrwxrwxrwx 1 root root 23 7. Dez 12:22 libtpm2_pkcs11.so.0 -> libtpm2_pkcs11.so.0.0.0 -rwxr-xr-x 1 root root 249992 7. Dez 12:22 libtpm2_pkcs11.so.0.0.0 lrwxrwxrwx 1 root root 26 14. Jan 17:15 onepin-opensc-pkcs11.so -> ../onepin-opensc-pkcs11.so lrwxrwxrwx 1 root root 19 14. Jan 17:15 opensc-pkcs11.so -> ../opensc-pkcs11.so -rwxr-xr-x 1 root root 1174112 4. 
Jul 2024 p11-kit-client.so -rwxr-xr-x 1 root root 203544 4. Jul 2024 p11-kit-trust.so lrwxrwxrwx 1 root root 16 14. Jan 17:15 pkcs11-spy.so -> ../pkcs11-spy.so /usr/share/p11-kit: total 0 drwxr-xr-x 1 root root 116 30. Mär 18:16 modules ``` > firejail --profile=librewolf ls -l \ > /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \ > /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit ``` $ firejail --profile=librewolf ls -l \ /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \ /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit Reading profile /etc/firejail/librewolf.profile Reading profile /etc/firejail/librewolf.local Reading profile /etc/firejail/firefox-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-proc.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc firejail version 0.9.75 Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Parent pid 15041, child pid 15045 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Private /etc installed in 74.97 ms Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Base filesystem installed in 149.18 ms Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. 
It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior. Warning: Cannot confine the application using AppArmor. Maybe firejail-default AppArmor profile is not loaded into the kernel. As root, run "aa-enforce firejail-default" to load it. Child process initialized in 300.03 ms ls: cannot access '/dev/tcm*': No such file or directory crw------- 1 nobody nobody 245, 2 18. Apr 20:41 /dev/hidraw2 crw-rw---- 1 nobody nobody 10, 224 18. Apr 18:50 /dev/tpm0 crw-rw---- 1 nobody nobody 253, 65536 18. Apr 18:50 /dev/tpmrm0 crw-rw---- 1 nobody nobody 253, 65536 18. Apr 18:50 /dev/tpmrm0 lrwxrwxrwx 1 nobody nobody 21 13. Sep 2024 /usr/lib/libtss2-esys.so -> libtss2-esys.so.0.0.1 lrwxrwxrwx 1 nobody nobody 21 13. Sep 2024 /usr/lib/libtss2-esys.so.0 -> libtss2-esys.so.0.0.1 -rwxr-xr-x 1 nobody nobody 559760 13. Sep 2024 /usr/lib/libtss2-esys.so.0.0.1 lrwxrwxrwx 1 nobody nobody 21 13. Sep 2024 /usr/lib/libtss2-fapi.so -> libtss2-fapi.so.1.0.0 lrwxrwxrwx 1 nobody nobody 21 13. Sep 2024 /usr/lib/libtss2-fapi.so.1 -> libtss2-fapi.so.1.0.0 -rwxr-xr-x 1 nobody nobody 941368 13. Sep 2024 /usr/lib/libtss2-fapi.so.1.0.0 lrwxrwxrwx 1 nobody nobody 19 13. Sep 2024 /usr/lib/libtss2-mu.so -> libtss2-mu.so.0.0.1 lrwxrwxrwx 1 nobody nobody 19 13. Sep 2024 /usr/lib/libtss2-mu.so.0 -> libtss2-mu.so.0.0.1 -rwxr-xr-x 1 nobody nobody 280552 13. Sep 2024 /usr/lib/libtss2-mu.so.0.0.1 lrwxrwxrwx 1 nobody nobody 23 13. Sep 2024 /usr/lib/libtss2-policy.so -> libtss2-policy.so.0.0.0 lrwxrwxrwx 1 nobody nobody 23 13. Sep 2024 /usr/lib/libtss2-policy.so.0 -> libtss2-policy.so.0.0.0 -rwxr-xr-x 1 nobody nobody 535608 13. Sep 2024 /usr/lib/libtss2-policy.so.0.0.0 lrwxrwxrwx 1 nobody nobody 19 13. Sep 2024 /usr/lib/libtss2-rc.so -> libtss2-rc.so.0.0.0 lrwxrwxrwx 1 nobody nobody 19 13. Sep 2024 /usr/lib/libtss2-rc.so.0 -> libtss2-rc.so.0.0.0 -rwxr-xr-x 1 nobody nobody 31752 13. Sep 2024 /usr/lib/libtss2-rc.so.0.0.0 lrwxrwxrwx 1 nobody nobody 20 13. 
Sep 2024 /usr/lib/libtss2-sys.so -> libtss2-sys.so.1.0.1 lrwxrwxrwx 1 nobody nobody 20 13. Sep 2024 /usr/lib/libtss2-sys.so.1 -> libtss2-sys.so.1.0.1 -rwxr-xr-x 1 nobody nobody 128976 13. Sep 2024 /usr/lib/libtss2-sys.so.1.0.1 lrwxrwxrwx 1 nobody nobody 25 13. Sep 2024 /usr/lib/libtss2-tcti-cmd.so -> libtss2-tcti-cmd.so.0.0.0 lrwxrwxrwx 1 nobody nobody 25 13. Sep 2024 /usr/lib/libtss2-tcti-cmd.so.0 -> libtss2-tcti-cmd.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30680 13. Sep 2024 /usr/lib/libtss2-tcti-cmd.so.0.0.0 lrwxrwxrwx 1 nobody nobody 28 13. Sep 2024 /usr/lib/libtss2-tcti-device.so -> libtss2-tcti-device.so.0.0.0 lrwxrwxrwx 1 nobody nobody 28 13. Sep 2024 /usr/lib/libtss2-tcti-device.so.0 -> libtss2-tcti-device.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30688 13. Sep 2024 /usr/lib/libtss2-tcti-device.so.0.0.0 lrwxrwxrwx 1 nobody nobody 32 13. Sep 2024 /usr/lib/libtss2-tcti-i2c-helper.so -> libtss2-tcti-i2c-helper.so.0.0.0 lrwxrwxrwx 1 nobody nobody 32 13. Sep 2024 /usr/lib/libtss2-tcti-i2c-helper.so.0 -> libtss2-tcti-i2c-helper.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30688 13. Sep 2024 /usr/lib/libtss2-tcti-i2c-helper.so.0.0.0 lrwxrwxrwx 1 nobody nobody 24 13. Sep 2024 /usr/lib/libtss2-tctildr.so -> libtss2-tctildr.so.0.0.0 lrwxrwxrwx 1 nobody nobody 24 13. Sep 2024 /usr/lib/libtss2-tctildr.so.0 -> libtss2-tctildr.so.0.0.0 -rwxr-xr-x 1 nobody nobody 26768 13. Sep 2024 /usr/lib/libtss2-tctildr.so.0.0.0 lrwxrwxrwx 1 nobody nobody 27 13. Sep 2024 /usr/lib/libtss2-tcti-mssim.so -> libtss2-tcti-mssim.so.0.0.0 lrwxrwxrwx 1 nobody nobody 27 13. Sep 2024 /usr/lib/libtss2-tcti-mssim.so.0 -> libtss2-tcti-mssim.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30688 13. Sep 2024 /usr/lib/libtss2-tcti-mssim.so.0.0.0 lrwxrwxrwx 1 nobody nobody 26 13. Sep 2024 /usr/lib/libtss2-tcti-pcap.so -> libtss2-tcti-pcap.so.0.0.0 lrwxrwxrwx 1 nobody nobody 26 13. Sep 2024 /usr/lib/libtss2-tcti-pcap.so.0 -> libtss2-tcti-pcap.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30696 13. 
Sep 2024 /usr/lib/libtss2-tcti-pcap.so.0.0.0 lrwxrwxrwx 1 nobody nobody 28 13. Sep 2024 /usr/lib/libtss2-tcti-spidev.so -> libtss2-tcti-spidev.so.0.0.0 lrwxrwxrwx 1 nobody nobody 28 13. Sep 2024 /usr/lib/libtss2-tcti-spidev.so.0 -> libtss2-tcti-spidev.so.0.0.0 -rwxr-xr-x 1 nobody nobody 18400 13. Sep 2024 /usr/lib/libtss2-tcti-spidev.so.0.0.0 lrwxrwxrwx 1 nobody nobody 32 13. Sep 2024 /usr/lib/libtss2-tcti-spi-helper.so -> libtss2-tcti-spi-helper.so.0.0.0 lrwxrwxrwx 1 nobody nobody 32 13. Sep 2024 /usr/lib/libtss2-tcti-spi-helper.so.0 -> libtss2-tcti-spi-helper.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30688 13. Sep 2024 /usr/lib/libtss2-tcti-spi-helper.so.0.0.0 lrwxrwxrwx 1 nobody nobody 27 13. Sep 2024 /usr/lib/libtss2-tcti-swtpm.so -> libtss2-tcti-swtpm.so.0.0.0 lrwxrwxrwx 1 nobody nobody 27 13. Sep 2024 /usr/lib/libtss2-tcti-swtpm.so.0 -> libtss2-tcti-swtpm.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30688 13. Sep 2024 /usr/lib/libtss2-tcti-swtpm.so.0.0.0 /etc/tpm2-tss: total 4 -rw-r--r-- 1 nobody nobody 368 18. Apr 21:02 fapi-config.json drwxr-xr-x 2 nobody nobody 120 18. Apr 21:02 fapi-profiles /usr/lib/pkcs11: total 1684 -rwxr-xr-x 1 nobody nobody 68208 18. Mär 18:43 gnome-keyring-pkcs11.so lrwxrwxrwx 1 nobody nobody 23 7. Dez 12:22 libtpm2_pkcs11.so -> libtpm2_pkcs11.so.0.0.0 lrwxrwxrwx 1 nobody nobody 23 7. Dez 12:22 libtpm2_pkcs11.so.0 -> libtpm2_pkcs11.so.0.0.0 -rwxr-xr-x 1 nobody nobody 249992 7. Dez 12:22 libtpm2_pkcs11.so.0.0.0 lrwxrwxrwx 1 nobody nobody 26 14. Jan 17:15 onepin-opensc-pkcs11.so -> ../onepin-opensc-pkcs11.so lrwxrwxrwx 1 nobody nobody 19 14. Jan 17:15 opensc-pkcs11.so -> ../opensc-pkcs11.so -rwxr-xr-x 1 nobody nobody 1174112 4. Jul 2024 p11-kit-client.so -rwxr-xr-x 1 nobody nobody 203544 4. Jul 2024 p11-kit-trust.so lrwxrwxrwx 1 nobody nobody 16 14. Jan 17:15 pkcs11-spy.so -> ../pkcs11-spy.so /usr/share/p11-kit: total 0 drwxr-xr-x 1 nobody nobody 116 30. Mär 18:16 modules Parent is shutting down, bye... 
``` And without `.local` modifications: ``` $ firejail --profile=librewolf ls -l \ /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \ /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit Reading profile /etc/firejail/librewolf.profile Reading profile /etc/firejail/firefox-common.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-proc.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc firejail version 0.9.75 Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Parent pid 15317, child pid 15321 Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Private /etc installed in 80.03 ms Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Base filesystem installed in 148.17 ms Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior. Warning: Cannot confine the application using AppArmor. Maybe firejail-default AppArmor profile is not loaded into the kernel. As root, run "aa-enforce firejail-default" to load it. 
Child process initialized in 310.43 ms ls: cannot access '/dev/hidraw2': No such file or directory ls: cannot access '/dev/tcm*': No such file or directory ls: cannot access '/dev/tpm0': No such file or directory ls: cannot access '/dev/tpmrm0': No such file or directory ls: cannot access '/dev/tpmrm0': No such file or directory ls: cannot access '/etc/tpm2-tss': No such file or directory lrwxrwxrwx 1 nobody nobody 21 13. Sep 2024 /usr/lib/libtss2-esys.so -> libtss2-esys.so.0.0.1 lrwxrwxrwx 1 nobody nobody 21 13. Sep 2024 /usr/lib/libtss2-esys.so.0 -> libtss2-esys.so.0.0.1 -rwxr-xr-x 1 nobody nobody 559760 13. Sep 2024 /usr/lib/libtss2-esys.so.0.0.1 lrwxrwxrwx 1 nobody nobody 21 13. Sep 2024 /usr/lib/libtss2-fapi.so -> libtss2-fapi.so.1.0.0 lrwxrwxrwx 1 nobody nobody 21 13. Sep 2024 /usr/lib/libtss2-fapi.so.1 -> libtss2-fapi.so.1.0.0 -rwxr-xr-x 1 nobody nobody 941368 13. Sep 2024 /usr/lib/libtss2-fapi.so.1.0.0 lrwxrwxrwx 1 nobody nobody 19 13. Sep 2024 /usr/lib/libtss2-mu.so -> libtss2-mu.so.0.0.1 lrwxrwxrwx 1 nobody nobody 19 13. Sep 2024 /usr/lib/libtss2-mu.so.0 -> libtss2-mu.so.0.0.1 -rwxr-xr-x 1 nobody nobody 280552 13. Sep 2024 /usr/lib/libtss2-mu.so.0.0.1 lrwxrwxrwx 1 nobody nobody 23 13. Sep 2024 /usr/lib/libtss2-policy.so -> libtss2-policy.so.0.0.0 lrwxrwxrwx 1 nobody nobody 23 13. Sep 2024 /usr/lib/libtss2-policy.so.0 -> libtss2-policy.so.0.0.0 -rwxr-xr-x 1 nobody nobody 535608 13. Sep 2024 /usr/lib/libtss2-policy.so.0.0.0 lrwxrwxrwx 1 nobody nobody 19 13. Sep 2024 /usr/lib/libtss2-rc.so -> libtss2-rc.so.0.0.0 lrwxrwxrwx 1 nobody nobody 19 13. Sep 2024 /usr/lib/libtss2-rc.so.0 -> libtss2-rc.so.0.0.0 -rwxr-xr-x 1 nobody nobody 31752 13. Sep 2024 /usr/lib/libtss2-rc.so.0.0.0 lrwxrwxrwx 1 nobody nobody 20 13. Sep 2024 /usr/lib/libtss2-sys.so -> libtss2-sys.so.1.0.1 lrwxrwxrwx 1 nobody nobody 20 13. Sep 2024 /usr/lib/libtss2-sys.so.1 -> libtss2-sys.so.1.0.1 -rwxr-xr-x 1 nobody nobody 128976 13. 
Sep 2024 /usr/lib/libtss2-sys.so.1.0.1 lrwxrwxrwx 1 nobody nobody 25 13. Sep 2024 /usr/lib/libtss2-tcti-cmd.so -> libtss2-tcti-cmd.so.0.0.0 lrwxrwxrwx 1 nobody nobody 25 13. Sep 2024 /usr/lib/libtss2-tcti-cmd.so.0 -> libtss2-tcti-cmd.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30680 13. Sep 2024 /usr/lib/libtss2-tcti-cmd.so.0.0.0 lrwxrwxrwx 1 nobody nobody 28 13. Sep 2024 /usr/lib/libtss2-tcti-device.so -> libtss2-tcti-device.so.0.0.0 lrwxrwxrwx 1 nobody nobody 28 13. Sep 2024 /usr/lib/libtss2-tcti-device.so.0 -> libtss2-tcti-device.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30688 13. Sep 2024 /usr/lib/libtss2-tcti-device.so.0.0.0 lrwxrwxrwx 1 nobody nobody 32 13. Sep 2024 /usr/lib/libtss2-tcti-i2c-helper.so -> libtss2-tcti-i2c-helper.so.0.0.0 lrwxrwxrwx 1 nobody nobody 32 13. Sep 2024 /usr/lib/libtss2-tcti-i2c-helper.so.0 -> libtss2-tcti-i2c-helper.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30688 13. Sep 2024 /usr/lib/libtss2-tcti-i2c-helper.so.0.0.0 lrwxrwxrwx 1 nobody nobody 24 13. Sep 2024 /usr/lib/libtss2-tctildr.so -> libtss2-tctildr.so.0.0.0 lrwxrwxrwx 1 nobody nobody 24 13. Sep 2024 /usr/lib/libtss2-tctildr.so.0 -> libtss2-tctildr.so.0.0.0 -rwxr-xr-x 1 nobody nobody 26768 13. Sep 2024 /usr/lib/libtss2-tctildr.so.0.0.0 lrwxrwxrwx 1 nobody nobody 27 13. Sep 2024 /usr/lib/libtss2-tcti-mssim.so -> libtss2-tcti-mssim.so.0.0.0 lrwxrwxrwx 1 nobody nobody 27 13. Sep 2024 /usr/lib/libtss2-tcti-mssim.so.0 -> libtss2-tcti-mssim.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30688 13. Sep 2024 /usr/lib/libtss2-tcti-mssim.so.0.0.0 lrwxrwxrwx 1 nobody nobody 26 13. Sep 2024 /usr/lib/libtss2-tcti-pcap.so -> libtss2-tcti-pcap.so.0.0.0 lrwxrwxrwx 1 nobody nobody 26 13. Sep 2024 /usr/lib/libtss2-tcti-pcap.so.0 -> libtss2-tcti-pcap.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30696 13. Sep 2024 /usr/lib/libtss2-tcti-pcap.so.0.0.0 lrwxrwxrwx 1 nobody nobody 28 13. Sep 2024 /usr/lib/libtss2-tcti-spidev.so -> libtss2-tcti-spidev.so.0.0.0 lrwxrwxrwx 1 nobody nobody 28 13. 
Sep 2024 /usr/lib/libtss2-tcti-spidev.so.0 -> libtss2-tcti-spidev.so.0.0.0 -rwxr-xr-x 1 nobody nobody 18400 13. Sep 2024 /usr/lib/libtss2-tcti-spidev.so.0.0.0 lrwxrwxrwx 1 nobody nobody 32 13. Sep 2024 /usr/lib/libtss2-tcti-spi-helper.so -> libtss2-tcti-spi-helper.so.0.0.0 lrwxrwxrwx 1 nobody nobody 32 13. Sep 2024 /usr/lib/libtss2-tcti-spi-helper.so.0 -> libtss2-tcti-spi-helper.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30688 13. Sep 2024 /usr/lib/libtss2-tcti-spi-helper.so.0.0.0 lrwxrwxrwx 1 nobody nobody 27 13. Sep 2024 /usr/lib/libtss2-tcti-swtpm.so -> libtss2-tcti-swtpm.so.0.0.0 lrwxrwxrwx 1 nobody nobody 27 13. Sep 2024 /usr/lib/libtss2-tcti-swtpm.so.0 -> libtss2-tcti-swtpm.so.0.0.0 -rwxr-xr-x 1 nobody nobody 30688 13. Sep 2024 /usr/lib/libtss2-tcti-swtpm.so.0.0.0 /usr/lib/pkcs11: total 1684 -rwxr-xr-x 1 nobody nobody 68208 18. Mär 18:43 gnome-keyring-pkcs11.so lrwxrwxrwx 1 nobody nobody 23 7. Dez 12:22 libtpm2_pkcs11.so -> libtpm2_pkcs11.so.0.0.0 lrwxrwxrwx 1 nobody nobody 23 7. Dez 12:22 libtpm2_pkcs11.so.0 -> libtpm2_pkcs11.so.0.0.0 -rwxr-xr-x 1 nobody nobody 249992 7. Dez 12:22 libtpm2_pkcs11.so.0.0.0 lrwxrwxrwx 1 nobody nobody 26 14. Jan 17:15 onepin-opensc-pkcs11.so -> ../onepin-opensc-pkcs11.so lrwxrwxrwx 1 nobody nobody 19 14. Jan 17:15 opensc-pkcs11.so -> ../opensc-pkcs11.so -rwxr-xr-x 1 nobody nobody 1174112 4. Jul 2024 p11-kit-client.so -rwxr-xr-x 1 nobody nobody 203544 4. Jul 2024 p11-kit-trust.so lrwxrwxrwx 1 nobody nobody 16 14. Jan 17:15 pkcs11-spy.so -> ../pkcs11-spy.so /usr/share/p11-kit: total 0 drwxr-xr-x 1 nobody nobody 116 30. Mär 18:16 modules Parent is shutting down, bye... ```

@kmk3 commented on GitHub (Apr 19, 2025):

> It is at least the device that appears when I insert the Nitrokey.
>
> ```
> $ diff with_nitrokey.txt without_nitrokey.txt
> 29d28
> < hidraw0
> 191d189
> < usb
> ```

Alright, makes sense to me.

> The changes to the .local are automatically applied the next time LibreWolf
> is started, right?

Yes, see:

> ```console
> $ /usr/local/bin/librewolf
> Reading profile /etc/firejail/librewolf.profile
> Reading profile /etc/firejail/librewolf.local
> Reading profile /etc/firejail/firefox-common.profile
> [...]
> ```

---

> ```console
> $ ls -l \
>   /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \
>   /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit
> ls: cannot access '/dev/tcm*': No such file or directory
> crw------- 1 root root 245,     2 18. Apr 20:41  /dev/hidraw2
> crw-rw---- 1 tss  root  10,   224 18. Apr 18:50  /dev/tpm0
> crw-rw---- 1 root tss  253, 65536 18. Apr 18:50  /dev/tpmrm0
> crw-rw---- 1 root tss  253, 65536 18. Apr 18:50  /dev/tpmrm0
> [...]
> ```

> ```console
> $ firejail --profile=librewolf ls -l \
>   /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \
>   /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit
> [...]
> ls: cannot access '/dev/tcm*': No such file or directory
> crw------- 1 nobody nobody 245,     2 18. Apr 20:41  /dev/hidraw2
> crw-rw---- 1 nobody nobody  10,   224 18. Apr 18:50  /dev/tpm0
> crw-rw---- 1 nobody nobody 253, 65536 18. Apr 18:50  /dev/tpmrm0
> crw-rw---- 1 nobody nobody 253, 65536 18. Apr 18:50  /dev/tpmrm0
> [...]
> ```

Considering the `tss` group, the issue could be related to `noroot` /
`nogroups`.

> And without `.local` modifications:
>
> ```
> $ firejail --profile=librewolf ls -l \
>   /dev/hidraw2 /dev/tcm* /dev/tpm* /dev/tpmrm* /etc/tpm2-tss \
>   /usr/lib/libtss* /usr/lib/pkcs11 /usr/share/p11-kit
> [...]
> ls: cannot access '/dev/hidraw2': No such file or directory
> ls: cannot access '/dev/tcm*': No such file or directory
> ls: cannot access '/dev/tpm0': No such file or directory
> ls: cannot access '/dev/tpmrm0': No such file or directory
> ls: cannot access '/dev/tpmrm0': No such file or directory
> ls: cannot access '/etc/tpm2-tss': No such file or directory
> ```

Nice, this confirms that the following commands affect the output:

```
ignore nou2f

keep-dev-tpm
private-etc tpm2-tss
```

I see that `whitelist /usr/share/p11-kit` is already in
whitelist-usr-share-common.inc.

---

To narrow the issue down, can you try commenting librewolf.profile /
firefox-common.profile until it works?
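As an added illustration of why the `tss` group matters here (not code from the issue or from the firejail project): a small Python model of the Unix permission check, run over the device lines quoted in this thread. The user `alice`, her group list, and the `nogroups` switch that drops supplementary groups are assumptions for the example; `noroot`'s user namespace and capabilities such as CAP_DAC_OVERRIDE are not modelled.

```python
"""Constructed model of the DAC check behind the 'Permission denied' on
/dev/tpmrm0 and /dev/tpm0 in the TCTI log above.

Parses `ls -l` lines like the ones quoted in the thread and decides whether
a given user could open each device node for read+write, with and without
supplementary groups (firejail's `nogroups` drops them). The user 'alice'
and her group list are made up; capabilities are not modelled.
"""
import re
from dataclasses import dataclass

# Constructed sample: the host-side device lines from the thread, with ls's
# column padding collapsed to single spaces. The 'ls:' error line is kept on
# purpose so the parser has to skip it.
HOST_LS = """\
ls: cannot access '/dev/tcm*': No such file or directory
crw------- 1 root root 245, 2 18. Apr 20:41 /dev/hidraw2
crw-rw---- 1 tss root 10, 224 18. Apr 18:50 /dev/tpm0
crw-rw---- 1 root tss 253, 65536 18. Apr 18:50 /dev/tpmrm0
"""

# ls -l mode field: type char + 9 permission chars (+ optional ACL/SELinux mark).
MODE_RE = re.compile(r"[-bcdlps][rwxsStT-]{9}[.+@]?")


@dataclass(frozen=True)
class Entry:
    mode: str
    owner: str
    group: str
    path: str


def parse_ls_l(text):
    """Keep real entries only; skip 'ls: cannot access ...' and 'total N'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not MODE_RE.fullmatch(parts[0]):
            continue
        # Columns: mode links owner group size-or-maj,min date... path [-> target]
        path = parts[parts.index("->") - 1] if "->" in parts else parts[-1]
        entries.append(Entry(parts[0], parts[2], parts[3], path))
    return entries


def can_access(entry, user, primary_group, supp_groups, want="rw"):
    """Classic Unix DAC: the first matching class (owner, group, other) decides."""
    perms = entry.mode[1:10]
    if user == entry.owner:
        bits = perms[0:3]
    elif entry.group == primary_group or entry.group in supp_groups:
        bits = perms[3:6]
    else:
        bits = perms[6:9]
    return all(b in bits for b in want)


def check_devices(text, user, primary_group, supp_groups, nogroups=False):
    """Map each listed path to whether `user` gets read+write on it.

    nogroups=True mimics the sandbox option of the same name: supplementary
    groups are dropped, so only the primary group can still match.
    """
    groups = () if nogroups else tuple(supp_groups)
    return {e.path: can_access(e, user, primary_group, groups)
            for e in parse_ls_l(text)}


# Constructed non-root user who was added to the tss group on the host.
USER, PRIMARY, SUPP = "alice", "alice", ("tss", "wheel")

if __name__ == "__main__":
    for label, flag in (("groups kept", False), ("nogroups", True)):
        print(label, check_devices(HOST_LS, USER, PRIMARY, SUPP, nogroups=flag))
```

With the groups kept, only /dev/tpmrm0 (root:tss, group rw) is reachable for a tss member; /dev/tpm0 is owned by user tss with group root, so group membership alone never opens it, and once supplementary groups are dropped even /dev/tpmrm0 fails.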
Reference: github-starred/firejail#3342