[GH-ISSUE #6740] Cannot blacklist /run: disable_file: No such file or directory #3349

Open
opened 2026-05-05 09:56:07 -06:00 by gitea-mirror · 3 comments
Originally created by @kolAflash on GitHub (May 6, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6740

Description

I'd like to use --blacklist=/run, but Firejail crashes.

Steps to Reproduce

Steps to reproduce the behavior

  1. Run in bash LC_ALL=C firejail --noprofile --blacklist=/run

Expected behavior

/run being restricted, maybe with the exception of /run/firejail/.

Actual behavior

Firejail crashes.

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.1.0-34-amd64 x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Debian-12
  • Version of Firejail (firejail --version): 0.9.72


Additional test with Debian-13 testing:

$ firejail --noprofile --blacklist=/run
firejail version 0.9.74

Parent pid 4252, child pid 4253
Warning: cannot find /var/run/utmp
Error ../../src/firejail/fs.c:148: disable_file: disable file: No such file or directory
Error: proc 4252 cannot sync with peer: unexpected EOF
Peer 4253 unexpectedly exited with status 1

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • ~~[ ] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)~~
  • ~~[ ] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).~~
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • ~~[ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.~~
  • ~~[ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)~~

Log

Output of LC_ALL=C firejail --noprofile --blacklist=/run

Parent pid 3770357, child pid 3770358
Error disable file: fs.c:151 disable_file: No such file or directory
Error: proc 3770357 cannot sync with peer: unexpected EOF
Peer 3770358 unexpectedly exited with status 1

Output of LC_ALL=C firejail --debug --noprofile --blacklist=/run

Command name #/bin/bash#
DISPLAY=:0 parsed as 0
Using the local network stack
Initializing child process
Parent pid 3770989, child pid 3770990
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
IBUS_ADDRESS=unix:abstract=/tmp/dbus-rNXAyfRw,guid=00000000000000000000000000000000
IBUS_DAEMON_PID=4311
IBUS_ADDRESS=unix:abstract=/home/user/.cache/ibus/dbus-ytqIVnVy,guid=00000000000000000000000000000000
IBUS_DAEMON_PID=40791
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1096 791 253:1 /etc /etc ro,relatime master:1 - ext4 /dev/mapper/system-root rw,errors=remount-ro
mountid=1096 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
1097 1096 253:1 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/system-root rw,errors=remount-ro
mountid=1097 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
1098 791 253:1 /var /var ro,relatime master:1 - ext4 /dev/mapper/system-root rw,errors=remount-ro
mountid=1098 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
1099 1098 253:1 /var /var ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/system-root rw,errors=remount-ro
mountid=1099 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
1100 791 253:1 /usr /usr ro,relatime master:1 - ext4 /dev/mapper/system-root rw,errors=remount-ro
mountid=1100 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Mounting tmpfs on /var/cache/apache2
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /run
Disable /sys/fs
Failed mount: No such file or directory
Error disable file: fs.c:151 disable_file: No such file or directory
Error: proc 3770989 cannot sync with peer: unexpected EOF
Peer 3770990 unexpectedly exited with status 1

Misc

Similar issue with --read-only=/run.

Maybe remotely related:

  • #332

gitea-mirror added the enhancement label 2026-05-05 09:56:07 -06:00

@kmk3 commented on GitHub (May 12, 2025):

> Output of LC_ALL=C firejail --debug --noprofile --blacklist=/run
>
> Command name #/bin/bash#
> [...]
> Disable /run
> Disable /sys/fs
> Failed mount: No such file or directory
> Error disable file: fs.c:151 disable_file: No such file or directory
> Error: proc 3770989 cannot sync with peer: unexpected EOF
> Peer 3770990 unexpectedly exited with status 1

This happens because blacklisting is done by bind-mounting a dummy
file/directory from /run/firejail on top of the real file/directory.

If you blacklist /run, firejail can't access the paths inside /run/firejail in
order to perform the bind-mounting and accomplish the blacklisting.

This is made clearer with #6747:

> $ firejail --debug --noprofile --blacklist=/run true
> [...]
> Disable /run
> Disable /sys/fs
> Failed to mount /run/firejail/firejail.ro.dir on /sys/fs: No such file or directory
> Error: ../../src/firejail/fs.c:148: disable_file: disable file: No such file or directory
> Error: proc 12345 cannot sync with peer: unexpected EOF
> Peer 12345 unexpectedly exited with status 1

To blacklist /run, firejail bind-mounts /run/firejail/firejail.ro.dir (a
path with no read/write/execute permissions) on top of /run.

When trying to blacklist the next path, /sys/fs,
/run/firejail/firejail.ro.dir is not accessible, so firejail exits.

Maybe it could be made to work by keeping a reference to the original /run
(or /run/firejail) path and using that for blacklisting paths.

Currently you can try the following instead:

firejail --debug --noprofile \
  --noblacklist=/run/firejail \
  --blacklist='/run/*' \
  --whitelist=/run/firejail

@kolAflash commented on GitHub (May 13, 2025):

@kmk3 Thanks!
--noblacklist=/run/firejail --blacklist='/run/*' seems to work fine. An additional --whitelist doesn't even seem to be needed.

I guess this won't block directories which are created below /run/ after Firejail is started. So I'd appreciate a fix allowing to simply --blacklist='/run/.


@kmk3 commented on GitHub (May 13, 2025):

> Thanks!

No problem.

> --noblacklist=/run/firejail --blacklist='/run/*' seems to work fine. An
> additional --whitelist doesn't even seem to be needed.
>
> I guess this won't block directories which are created below /run/ after
> Firejail is started.

That's what --whitelist=/run/firejail is for.

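A worked model of the failure kmk3 describes and of what each workaround leaves visible, added here as an illustration. It is not Firejail's code: the helper directory /run/firejail and the ordering "Disable /run" followed by "Disable /sys/fs" come from the log in this thread, while the snapshot of /run, the assumption that internal blacklist entries run after the user's, and the simplified whitelist semantics (the top-level directory becomes an empty tmpfs holding only the whitelisted entries) are constructed assumptions.

```python
# Added example (not Firejail code): a small model of why "--blacklist=/run"
# breaks the sequential disable loop, and what the suggested workarounds leave
# visible. Listing, ordering and whitelist semantics are constructed assumptions.
from fnmatch import fnmatch
import posixpath

# Directory from which the dummy files/directories are bind-mounted (from the thread).
HELPER_DIR = "/run/firejail"

# Assumed: internal blacklists applied after the user's ones, in the order the
# debug log shows ("Disable /run" is followed by "Disable /sys/fs").
BUILTIN_AFTER_USER = ["/sys/fs"]

# Constructed snapshot of /run at sandbox start time (not a real system).
RUN_LISTING = ["/run/firejail", "/run/user", "/run/dbus", "/run/udev"]


def is_under(path, prefix):
    """True if path equals prefix or lies below it."""
    path, prefix = posixpath.normpath(path), posixpath.normpath(prefix)
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def expand_blacklist(patterns, noblacklist, listing):
    """Expand shell globs against the snapshot and drop --noblacklist exceptions."""
    targets = []
    for pat in patterns:
        if any(c in pat for c in "*?["):
            matches = [p for p in listing if fnmatch(p, pat)]
        else:
            matches = [pat]
        targets += [m for m in matches if not any(is_under(m, nb) for nb in noblacklist)]
    return targets


def plan(blacklist, noblacklist=(), listing=RUN_LISTING):
    """Simulate the disable loop. Returns ("ok", hidden) or ("error", message)."""
    hidden = []
    for target in expand_blacklist(blacklist, noblacklist, listing) + BUILTIN_AFTER_USER:
        # Every bind-mount needs its dummy source under HELPER_DIR to be reachable;
        # once a previous target covers HELPER_DIR, the next mount fails.
        if any(is_under(HELPER_DIR, h) for h in hidden):
            return ("error", f"disable_file: {HELPER_DIR} unreachable while disabling {target}")
        hidden.append(target)
    return ("ok", hidden)


def visible(path, hidden, whitelist=()):
    """Is path reachable after the blacklist mounts plus an optional whitelist?

    Assumed whitelist model: the top-level directory of each whitelist entry is
    replaced by an empty tmpfs, so only whitelisted entries remain under it.
    That is what covers directories created under /run after sandbox start.
    """
    if any(is_under(path, h) for h in hidden):
        return False
    for w in whitelist:
        top = "/" + w.strip("/").split("/")[0]
        if is_under(path, top) and not (is_under(path, w) or is_under(w, path)):
            return False
    return True


if __name__ == "__main__":
    print("--blacklist=/run              ->", plan(["/run"]))
    status, hidden = plan(["/run/*"], noblacklist=["/run/firejail"])
    print("--blacklist='/run/*' + noblacklist ->", status, hidden)
    print("/run/newdir (created later) visible without whitelist:",
          visible("/run/newdir", hidden))
    print("/run/newdir visible with --whitelist=/run/firejail:",
          visible("/run/newdir", hidden, whitelist=["/run/firejail"]))
```

Running the block reproduces the three situations in the thread: plain --blacklist=/run fails at the very next target, the glob plus --noblacklist works for everything present at start but not for a directory created later, and adding --whitelist=/run/firejail hides the later directory too.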
Reference: github-starred/firejail#3349