[GH-ISSUE #6815] kate: no internet connection #3383

Closed
opened 2026-05-05 09:57:27 -06:00 by gitea-mirror · 3 comments

Originally created by @madbehaviorus on GitHub (Jul 10, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6815

Description

Hello community,

With a freshly installed Debian 12 mini with a full xfce4 environment, it is not possible to get an internet connection with Kate.

Steps to Reproduce

  1. Use firejail for all apps with profiles with "firecfg"
  2. Start neochat correctly with neochat (/usr/local/bin/kate => softlink to the correct firejail profile)

Expected behavior

Using Kate with an internet connection.

Actual behavior

When using Kate with the implemented terminal and trying to get an internet connection, like for git pull, the address could not be resolved.

Behavior without a profile

The internet connection works.

LC_ALL=C firejail --noprofile /usr/bin/kate
Parent pid 8322, child pid 8323
Child process initialized in 5.88 ms
kf.service.services: KServiceTypeTrader: serviceType "ThumbCreator" not found
Hspell: can't open /usr/share/hspell/hebrew.wgz.sizes.
kf.sonnet.clients.hspell: HSpellDict::HSpellDict: Init failed

Environment

  • OS: Linux localhost 6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64 GNU/Linux
$ firejail --version

firejail version 0.9.75

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is disabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- IDS support is disabled
	- Landlock support is enabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-lib support is disabled
	- private-cache and tmpfs as user enabled
	- sandbox check is enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled
  • kate version: 22.12.3

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • [-] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [-] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

LC_ALL=C firejail /usr/bin/kate
Reading profile /etc/firejail/kate.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 8466, child pid 8467
Warning: not remounting /run/user/1000/doc
Warning: cleaning all supplementary groups
Child process initialized in 169.46 ms
UdevQt: unable to create udev monitor connection
kf.service.services: KServiceTypeTrader: serviceType "ThumbCreator" not found

Output of LC_ALL=C firejail --debug /path/to/program

LC_ALL=C firejail --debug /usr/bin/kate
Building quoted command line: '/usr/bin/kate' 
Command name #kate#
Found kate.profile profile in /etc/firejail directory
Reading profile /etc/firejail/kate.profile
Found allow-common-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/allow-common-devel.inc
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-exec.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-exec.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found whitelist-run-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-run-common.inc
Found whitelist-var-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-var-common.inc
[profile] combined protocol list: "unix"
DISPLAY=:0.0 parsed as 0
Using the local network stack
Initializing child process
Parent pid 8508, child pid 8509
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.namespaces file
Creating empty /run/firejail/mnt/seccomp/seccomp.namespaces.32 file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix
sbox run: /run/firejail/lib/fseccomp protocol build unix /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1475 963 254:1 /etc /etc ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1475 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
1476 1475 254:1 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1476 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
1477 963 254:1 /var /var ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1477 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
1478 1477 254:1 /var /var ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1478 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
1479 963 254:1 /usr /usr ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1479 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/dri directory
Process /dev/shm directory
Generate private-tmp whitelist commands
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Debug 588: whitelist /run/NetworkManager/resolv.conf
Debug 609: expanded: /run/NetworkManager/resolv.conf
Debug 620: new_name: /run/NetworkManager/resolv.conf
Debug 630: dir: /run
Adding whitelist top level directory /run
Debug 588: whitelist /run/avahi-daemon/socket
Debug 609: expanded: /run/avahi-daemon/socket
Debug 620: new_name: /run/avahi-daemon/socket
Debug 630: dir: /run
Debug 588: whitelist /run/cups/cups.sock
Debug 609: expanded: /run/cups/cups.sock
Debug 620: new_name: /run/cups/cups.sock
Debug 630: dir: /run
Removed path: whitelist /run/cups/cups.sock
	new_name: /run/cups/cups.sock
	realpath: (null)
	No such file or directory
Debug 588: whitelist /run/dbus/system_bus_socket
Debug 609: expanded: /run/dbus/system_bus_socket
Debug 620: new_name: /run/dbus/system_bus_socket
Debug 630: dir: /run
Debug 588: whitelist /run/media
Debug 609: expanded: /run/media
Debug 620: new_name: /run/media
Debug 630: dir: /run
Removed path: whitelist /run/media
	new_name: /run/media
	realpath: (null)
	No such file or directory
Debug 588: whitelist /run/resolvconf/resolv.conf
Debug 609: expanded: /run/resolvconf/resolv.conf
Debug 620: new_name: /run/resolvconf/resolv.conf
Debug 630: dir: /run
Removed path: whitelist /run/resolvconf/resolv.conf
	new_name: /run/resolvconf/resolv.conf
	realpath: (null)
	No such file or directory
Debug 588: whitelist /run/netconfig/resolv.conf
Debug 609: expanded: /run/netconfig/resolv.conf
Debug 620: new_name: /run/netconfig/resolv.conf
Debug 630: dir: /run
Removed path: whitelist /run/netconfig/resolv.conf
	new_name: /run/netconfig/resolv.conf
	realpath: (null)
	No such file or directory
Debug 588: whitelist /run/shm
Debug 609: expanded: /run/shm
Debug 620: new_name: /run/shm
Debug 630: dir: /run
Debug 588: whitelist /run/systemd/journal/dev-log
Debug 609: expanded: /run/systemd/journal/dev-log
Debug 620: new_name: /run/systemd/journal/dev-log
Debug 630: dir: /run
Debug 588: whitelist /run/systemd/journal/socket
Debug 609: expanded: /run/systemd/journal/socket
Debug 620: new_name: /run/systemd/journal/socket
Debug 630: dir: /run
Debug 588: whitelist /run/systemd/resolve/resolv.conf
Debug 609: expanded: /run/systemd/resolve/resolv.conf
Debug 620: new_name: /run/systemd/resolve/resolv.conf
Debug 630: dir: /run
Removed path: whitelist /run/systemd/resolve/resolv.conf
	new_name: /run/systemd/resolve/resolv.conf
	realpath: (null)
	No such file or directory
Debug 588: whitelist /run/systemd/resolve/stub-resolv.conf
Debug 609: expanded: /run/systemd/resolve/stub-resolv.conf
Debug 620: new_name: /run/systemd/resolve/stub-resolv.conf
Debug 630: dir: /run
Removed path: whitelist /run/systemd/resolve/stub-resolv.conf
	new_name: /run/systemd/resolve/stub-resolv.conf
	realpath: (null)
	No such file or directory
Debug 588: whitelist /run/udev/data
Debug 609: expanded: /run/udev/data
Debug 620: new_name: /run/udev/data
Debug 630: dir: /run
Debug 588: whitelist /run/opengl-driver
Debug 609: expanded: /run/opengl-driver
Debug 620: new_name: /run/opengl-driver
Debug 630: dir: /run
Removed path: whitelist /run/opengl-driver
	new_name: /run/opengl-driver
	realpath: (null)
	No such file or directory
Debug 588: whitelist /var/lib/aspell
Debug 609: expanded: /var/lib/aspell
Debug 620: new_name: /var/lib/aspell
Debug 630: dir: /var
Adding whitelist top level directory /var
Debug 588: whitelist /var/lib/ca-certificates
Debug 609: expanded: /var/lib/ca-certificates
Debug 620: new_name: /var/lib/ca-certificates
Debug 630: dir: /var
Removed path: whitelist /var/lib/ca-certificates
	new_name: /var/lib/ca-certificates
	realpath: (null)
	No such file or directory
Debug 588: whitelist /var/lib/dbus
Debug 609: expanded: /var/lib/dbus
Debug 620: new_name: /var/lib/dbus
Debug 630: dir: /var
Debug 588: whitelist /var/lib/menu-xdg
Debug 609: expanded: /var/lib/menu-xdg
Debug 620: new_name: /var/lib/menu-xdg
Debug 630: dir: /var
Removed path: whitelist /var/lib/menu-xdg
	new_name: /var/lib/menu-xdg
	realpath: (null)
	No such file or directory
Debug 588: whitelist /var/lib/uim
Debug 609: expanded: /var/lib/uim
Debug 620: new_name: /var/lib/uim
Debug 630: dir: /var
Removed path: whitelist /var/lib/uim
	new_name: /var/lib/uim
	realpath: (null)
	No such file or directory
Debug 588: whitelist /var/cache/fontconfig
Debug 609: expanded: /var/cache/fontconfig
Debug 620: new_name: /var/cache/fontconfig
Debug 630: dir: /var
Debug 588: whitelist /var/tmp
Debug 609: expanded: /var/tmp
Debug 620: new_name: /var/tmp
Debug 630: dir: /var
Debug 588: whitelist /var/run
Debug 609: expanded: /var/run
Debug 620: new_name: /var/run
Debug 630: dir: /var
Debug 588: whitelist /var/lock
Debug 609: expanded: /var/lock
Debug 620: new_name: /var/lock
Debug 630: dir: /var
Debug 588: whitelist /tmp/.X11-unix
Debug 609: expanded: /tmp/.X11-unix
Debug 620: new_name: /tmp/.X11-unix
Debug 630: dir: /tmp
Adding whitelist top level directory /tmp
Debug 588: whitelist /tmp/sndio
Debug 609: expanded: /tmp/sndio
Debug 620: new_name: /tmp/sndio
Debug 630: dir: /tmp
Removed path: whitelist /tmp/sndio
	new_name: /tmp/sndio
	realpath: (null)
	No such file or directory
Mounting tmpfs on /run, check owner: no
1560 1174 0:113 / /run rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755,inode64
mountid=1560 fsname=/ dir=/run fstype=tmpfs
Whitelisting /run/user/1000
1587 1584 0:23 /firejail/firejail.ro.dir /run/user/1000/systemd ro,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=802352k,mode=755,inode64
mountid=1587 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/systemd fstype=tmpfs
Mounting tmpfs on /var, check owner: no
1588 1478 0:114 / /var rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755,inode64
mountid=1588 fsname=/ dir=/var fstype=tmpfs
Mounting tmpfs on /tmp, check owner: no
1589 963 0:115 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw,inode64
mountid=1589 fsname=/ dir=/tmp fstype=tmpfs
Whitelisting /run/NetworkManager/resolv.conf
1590 1560 0:23 /NetworkManager/resolv.conf /run/NetworkManager/resolv.conf rw,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=802352k,mode=755,inode64
mountid=1590 fsname=/NetworkManager/resolv.conf dir=/run/NetworkManager/resolv.conf fstype=tmpfs
Whitelisting /run/avahi-daemon/socket
1591 1560 0:23 /avahi-daemon/socket /run/avahi-daemon/socket rw,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=802352k,mode=755,inode64
mountid=1591 fsname=/avahi-daemon/socket dir=/run/avahi-daemon/socket fstype=tmpfs
Whitelisting /run/dbus/system_bus_socket
1592 1560 0:23 /dbus/system_bus_socket /run/dbus/system_bus_socket rw,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=802352k,mode=755,inode64
mountid=1592 fsname=/dbus/system_bus_socket dir=/run/dbus/system_bus_socket fstype=tmpfs
Created symbolic link /run/shm -> /dev/shm
Whitelisting /run/systemd/journal/dev-log
1593 1560 0:23 /systemd/journal/dev-log /run/systemd/journal/dev-log rw,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=802352k,mode=755,inode64
mountid=1593 fsname=/systemd/journal/dev-log dir=/run/systemd/journal/dev-log fstype=tmpfs
Whitelisting /run/systemd/journal/socket
1594 1560 0:23 /systemd/journal/socket /run/systemd/journal/socket rw,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=802352k,mode=755,inode64
mountid=1594 fsname=/systemd/journal/socket dir=/run/systemd/journal/socket fstype=tmpfs
Whitelisting /run/udev/data
1595 1560 0:23 /udev/data /run/udev/data rw,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=802352k,mode=755,inode64
mountid=1595 fsname=/udev/data dir=/run/udev/data fstype=tmpfs
Whitelisting /var/lib/aspell
1596 1588 254:1 /var/lib/aspell /var/lib/aspell ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1596 fsname=/var/lib/aspell dir=/var/lib/aspell fstype=ext4
Whitelisting /var/lib/dbus
1597 1588 254:1 /var/lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1597 fsname=/var/lib/dbus dir=/var/lib/dbus fstype=ext4
Whitelisting /var/cache/fontconfig
1598 1588 254:1 /var/cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1598 fsname=/var/cache/fontconfig dir=/var/cache/fontconfig fstype=ext4
Whitelisting /var/tmp
1599 1588 0:93 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64
mountid=1599 fsname=/ dir=/var/tmp fstype=tmpfs
Created symbolic link /var/run -> /run
Created symbolic link /var/lock -> /run/lock
Whitelisting /tmp/.X11-unix
1600 1589 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1600 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Disable /home/portable/.local/share/Trash
Disable /home/portable/.bash_history
Not blacklist /home/portable/.python-history
Not blacklist /home/portable/.python_history
Not blacklist /home/portable/.pythonhist
Disable /home/portable/.lesshst
Disable /home/portable/.config/autostart
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Mounting read-only /home/portable/.Xauthority
1607 1518 254:1 /home/portable/.Xauthority /home/portable/.Xauthority ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1607 fsname=/home/portable/.Xauthority dir=/home/portable/.Xauthority fstype=ext4
Disable /home/portable/.config/kwalletrc
Not blacklist /home/portable/.config/kwinrc
Mounting read-only /home/portable/.cache/ksycoca5_de_5pWPiXVAFtUbkVtoj3cJsDJgROs=
1609 1518 254:1 /home/portable/.cache/ksycoca5_de_5pWPiXVAFtUbkVtoj3cJsDJgROs= /home/portable/.cache/ksycoca5_de_5pWPiXVAFtUbkVtoj3cJsDJgROs= ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1609 fsname=/home/portable/.cache/ksycoca5_de_5pWPiXVAFtUbkVtoj3cJsDJgROs= dir=/home/portable/.cache/ksycoca5_de_5pWPiXVAFtUbkVtoj3cJsDJgROs= fstype=ext4
Mounting read-only /home/portable/.cache/ksycoca5_en_5pWPiXVAFtUbkVtoj3cJsDJgROs=
1610 1518 254:1 /home/portable/.cache/ksycoca5_en_5pWPiXVAFtUbkVtoj3cJsDJgROs= /home/portable/.cache/ksycoca5_en_5pWPiXVAFtUbkVtoj3cJsDJgROs= ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1610 fsname=/home/portable/.cache/ksycoca5_en_5pWPiXVAFtUbkVtoj3cJsDJgROs= dir=/home/portable/.cache/ksycoca5_en_5pWPiXVAFtUbkVtoj3cJsDJgROs= fstype=ext4
Disable /home/portable/.local/share/gvfs-metadata
Mounting read-only /home/portable/.config/dconf
1612 1518 254:1 /home/portable/.config/dconf /home/portable/.config/dconf ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1612 fsname=/home/portable/.config/dconf dir=/home/portable/.config/dconf fstype=ext4
Disable /usr/bin/systemctl
Disable /usr/bin/systemctl (requested /bin/systemctl)
Disable /usr/bin/systemd-run
Disable /usr/bin/systemd-run (requested /bin/systemd-run)
Disable /run/user/1000/systemd
Disable /etc/systemd/network
Disable /etc/systemd/system
Disable /etc/init.d
Disable /etc/adduser.conf
Disable /etc/apparmor
Disable /etc/apparmor.d
Disable /etc/cron.weekly
Disable /etc/cron.hourly
Disable /etc/cron.yearly
Disable /etc/cron.d
Disable /etc/cron.monthly
Disable /etc/crontab
Disable /etc/cron.daily
Disable /etc/default
Disable /etc/grub.d
Disable /etc/kernel-img.conf
Disable /etc/kernel
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Disable /etc/modules-load.d
Disable /etc/modules
Disable /etc/rcS.d
Disable /etc/rc2.d
Disable /etc/rc1.d
Disable /etc/rc4.d
Disable /etc/rc0.d
Disable /etc/rc6.d
Disable /etc/rc3.d
Disable /etc/rc5.d
Disable /etc/logcheck
Mounting read-only /home/portable/.bash_logout
1691 1518 254:1 /home/portable/.bash_logout /home/portable/.bash_logout ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1691 fsname=/home/portable/.bash_logout dir=/home/portable/.bash_logout fstype=ext4
Mounting read-only /home/portable/.bashrc
1692 1518 254:1 /home/portable/.bashrc /home/portable/.bashrc ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1692 fsname=/home/portable/.bashrc dir=/home/portable/.bashrc fstype=ext4
Mounting read-only /home/portable/.profile
1693 1518 254:1 /home/portable/.profile /home/portable/.profile ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1693 fsname=/home/portable/.profile dir=/home/portable/.profile fstype=ext4
Mounting read-only /home/portable/.ssh/config
1694 1518 254:1 /home/portable/.ssh/config /home/portable/.ssh/config ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1694 fsname=/home/portable/.ssh/config dir=/home/portable/.ssh/config fstype=ext4
Mounting read-only /home/portable/.local/share/applications
1695 1518 254:1 /home/portable/.local/share/applications /home/portable/.local/share/applications ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1695 fsname=/home/portable/.local/share/applications dir=/home/portable/.local/share/applications fstype=ext4
Mounting read-only /home/portable/.config/mimeapps.list
1696 1518 254:1 /home/portable/.config/mimeapps.list /home/portable/.config/mimeapps.list ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1696 fsname=/home/portable/.config/mimeapps.list dir=/home/portable/.config/mimeapps.list fstype=ext4
Mounting read-only /home/portable/.config/user-dirs.dirs
1697 1518 254:1 /home/portable/.config/user-dirs.dirs /home/portable/.config/user-dirs.dirs ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1697 fsname=/home/portable/.config/user-dirs.dirs dir=/home/portable/.config/user-dirs.dirs fstype=ext4
Mounting read-only /home/portable/.config/user-dirs.locale
1698 1518 254:1 /home/portable/.config/user-dirs.locale /home/portable/.config/user-dirs.locale ro,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1698 fsname=/home/portable/.config/user-dirs.locale dir=/home/portable/.config/user-dirs.locale fstype=ext4
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Warning (blacklisting): cannot open /etc/ssh/*: Permission denied
Not blacklist /home/portable/.git-credentials
Disable /home/portable/.gnupg
Disable /home/portable/.local/share/kwalletd
Disable /home/portable/.local/share/pki
Disable /home/portable/.pki
Disable /home/portable/.ssh
Disable /usr/sbin (requested /sbin)
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/busybox
Disable /usr/bin/busybox (requested /bin/busybox)
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/crontab
Disable /usr/bin/crontab (requested /bin/crontab)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/fusermount3 (requested /usr/bin/fusermount)
Disable /usr/bin/fusermount3 (requested /bin/fusermount)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/nc.openbsd (requested /usr/bin/nc)
Disable /usr/bin/nc.openbsd (requested /bin/nc)
Disable /usr/bin/nmap
Disable /usr/bin/nmap (requested /bin/nmap)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/ntfs-3g
Disable /usr/bin/ntfs-3g (requested /bin/ntfs-3g)
Disable /usr/bin/pkexec
Disable /usr/bin/pkexec (requested /bin/pkexec)
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /usr/bin/newgrp (requested /bin/sg)
Disable /usr/bin/su
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/lib/openssh
Disable /usr/bin/passwd
Disable /usr/bin/passwd (requested /bin/passwd)
Disable /usr/lib/xorg/Xorg.wrap
Disable /usr/lib/polkit-1/polkit-agent-helper-1 (requested /usr/lib/policykit-1/polkit-agent-helper-1)
Disable /usr/lib/dbus-1.0/dbus-daemon-launch-helper
Disable /usr/bin/hostname
Disable /usr/bin/hostname (requested /bin/hostname)
Disable /usr/bin/netstat
Disable /usr/bin/netstat (requested /bin/netstat)
Disable /usr/bin/nm-online
Disable /usr/bin/nm-online (requested /bin/nm-online)
Disable /usr/bin/nmcli
Disable /usr/bin/nmcli (requested /bin/nmcli)
Disable /usr/bin/nmtui
Disable /usr/bin/nmtui (requested /bin/nmtui)
Disable /usr/bin/nmtui (requested /usr/bin/nmtui-connect)
Disable /usr/bin/nmtui (requested /bin/nmtui-connect)
Disable /usr/bin/nmtui (requested /usr/bin/nmtui-edit)
Disable /usr/bin/nmtui (requested /bin/nmtui-edit)
Disable /usr/bin/nmtui (requested /usr/bin/nmtui-hostname)
Disable /usr/bin/nmtui (requested /bin/nmtui-hostname)
Disable /usr/bin/networkctl
Disable /usr/bin/networkctl (requested /bin/networkctl)
Disable /usr/bin/ss
Disable /usr/bin/ss (requested /bin/ss)
Disable /usr/bin/xfce4-terminal
Disable /usr/bin/xfce4-terminal (requested /bin/xfce4-terminal)
Disable /usr/bin/xfce4-terminal.wrapper
Disable /usr/bin/xfce4-terminal.wrapper (requested /bin/xfce4-terminal.wrapper)
Warning (blacklisting): cannot open /initrd.img.old: Permission denied
Warning (blacklisting): cannot open /initrd.img: Permission denied
Warning (blacklisting): cannot open /vmlinuz: Permission denied
Warning (blacklisting): cannot open /vmlinuz.old: Permission denied
Disable /home/portable/.cache/flatpak
Disable /home/portable/.local/share/flatpak/.changed
Disable /home/portable/.local/share/flatpak/repo
Disable /home/portable/.local/share/flatpak/overrides
Disable /home/portable/.local/share/flatpak/db
Disable /home/portable/.var
Disable /usr/bin/bwrap
Disable /usr/bin/bwrap (requested /bin/bwrap)
Disable /run/user/1000/.dbus-proxy
Disable /run/user/1000/.flatpak
Disable /run/user/1000/.flatpak-helper
Disable /run/user/1000/app
Warning (blacklisting): cannot stat /run/user/1000/doc: Permission denied
Disable /usr/share/flatpak
Disable /usr/bin/dig
Disable /usr/bin/dig (requested /bin/dig)
Disable /usr/bin/host
Disable /usr/bin/host (requested /bin/host)
Disable /usr/bin/nslookup
Disable /usr/bin/nslookup (requested /bin/nslookup)
Disable /usr/bin/ssh
Disable /usr/bin/ssh (requested /bin/ssh)
Mounting noexec /run/user/1000
1889 1881 0:23 /firejail/firejail.ro.dir /run/user/1000/app ro,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=802352k,mode=755,inode64
mountid=1889 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/app fstype=tmpfs
Warning: not remounting /run/user/1000/doc
Mounting noexec /dev/shm
1890 1539 0:101 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1890 fsname=/shm dir=/dev/shm fstype=tmpfs
Mounting noexec /tmp
1892 1891 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1892 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Mounting noexec /tmp/.X11-unix
1893 1892 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1893 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Not blacklist /home/portable/.ammonite
Not blacklist /home/portable/.bundle
Disable /home/portable/.cache/KDE/neochat
Disable /home/portable/.cache/calibre
Disable /home/portable/.cache/gajim
Disable /home/portable/.cache/keepassxc
Disable /home/portable/.cache/mozilla
Disable /home/portable/.cache/systemsettings
Not blacklist /home/portable/.cargo
Disable /home/portable/.config/Thunar
Disable /home/portable/.config/calibre
Disable /home/portable/.config/catfish
Disable /home/portable/.config/cherrytree
Disable /home/portable/.config/enchant
Disable /home/portable/.config/gajim
Disable /home/portable/.config/gedit
Not blacklist /home/portable/.config/git
Not blacklist /home/portable/.config/jgit
Not blacklist /home/portable/.config/katemetainfos
Not blacklist /home/portable/.config/katepartrc
Not blacklist /home/portable/.config/katerc
Not blacklist /home/portable/.config/kateschemarc
Not blacklist /home/portable/.config/katesyntaxhighlightingrc
Not blacklist /home/portable/.config/katevirc
Disable /home/portable/.config/kdeconnect
Disable /home/portable/.config/keepassxc
Disable /home/portable/.config/nautilus
Disable /home/portable/.config/neochatrc
Disable /home/portable/.config/pavucontrol.ini
Disable /home/portable/.config/vlc
Disable /home/portable/.config/xfce4-dict
Disable /home/portable/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
Not blacklist /home/portable/.g8
Not blacklist /home/portable/.gitconfig
Not blacklist /home/portable/.gradle
Not blacklist /home/portable/.ivy2
Not blacklist /home/portable/.java
Disable /home/portable/.local/share/KDE/neochat
Disable /home/portable/.local/share/gajim
Not blacklist /home/portable/.local/share/kate
Disable /home/portable/.local/share/nautilus
Disable /home/portable/.local/share/vlc
Disable /home/portable/.mozilla
Not blacklist /home/portable/.node-gyp
Not blacklist /home/portable/.npm
Not blacklist /home/portable/.npmrc
Not blacklist /home/portable/.nvm
Not blacklist /home/portable/.pylint.d
Not blacklist /home/portable/.sbt
Disable /home/portable/.ssr
Disable /home/portable/.wget-hsts
Not blacklist /home/portable/.yarn
Not blacklist /home/portable/.yarn-config
Not blacklist /home/portable/.yarncache
Not blacklist /home/portable/.yarnrc
Not blacklist /home/portable/Nextcloud
Mounting read-only /tmp/.X11-unix
1922 1893 254:1 /tmp/.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro
mountid=1922 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4
Disable /sys/fs
Disable /sys/module
disable pulseaudio
blacklist /home/portable/.config/pulse
blacklist /run/user/1000/pulse/native
blacklist /run/user/1000/pulse
disable pipewire
Current directory: /home/portable
DISPLAY=:0.0 parsed as 0
Install protocol filter: unix
configuring 19 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 3, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 04 00 c000003e   jeq ARCH_64 0006 (false 0002)
 0002: 20 00 00 00000000   ld  data.syscall-number
 0003: 15 01 00 00000167   jeq unknown 0005 (false 0004)
 0004: 06 00 00 7fff0000   ret ALLOW
 0005: 05 00 00 00000009   jmp 000f
 0006: 20 00 00 00000004   ld  data.architecture
 0007: 15 01 00 c000003e   jeq ARCH_64 0009 (false 0008)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 20 00 00 00000000   ld  data.syscall-number
 000a: 35 01 00 40000000   jge X32_ABI 000c (false 000b)
 000b: 35 01 00 00000000   jge read 000d (false 000c)
 000c: 06 00 00 00050001   ret ERRNO(1)
 000d: 15 01 00 00000029   jeq socket 000f (false 000e)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 20 00 00 00000010   ld  data.args[0]
 0010: 15 00 01 00000001   jeq 1 0011 (false 0012)
 0011: 06 00 00 7fff0000   ret ALLOW
 0012: 06 00 00 0005005f   ret ERRNO(95)
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.32 
Dropping all capabilities
Drop privileges: pid 4, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 30 00 00000015   jeq 15 0035 (false 0005)
 0005: 15 2f 00 00000034   jeq 34 0035 (false 0006)
 0006: 15 2e 00 0000001a   jeq 1a 0035 (false 0007)
 0007: 15 2d 00 0000011b   jeq 11b 0035 (false 0008)
 0008: 15 2c 00 00000155   jeq 155 0035 (false 0009)
 0009: 15 2b 00 00000156   jeq 156 0035 (false 000a)
 000a: 15 2a 00 0000007f   jeq 7f 0035 (false 000b)
 000b: 15 29 00 00000080   jeq 80 0035 (false 000c)
 000c: 15 28 00 0000015e   jeq 15e 0035 (false 000d)
 000d: 15 27 00 00000081   jeq 81 0035 (false 000e)
 000e: 15 26 00 0000006e   jeq 6e 0035 (false 000f)
 000f: 15 25 00 00000065   jeq 65 0035 (false 0010)
 0010: 15 24 00 00000121   jeq 121 0035 (false 0011)
 0011: 15 23 00 00000057   jeq 57 0035 (false 0012)
 0012: 15 22 00 00000073   jeq 73 0035 (false 0013)
 0013: 15 21 00 00000067   jeq 67 0035 (false 0014)
 0014: 15 20 00 0000015b   jeq 15b 0035 (false 0015)
 0015: 15 1f 00 0000015c   jeq 15c 0035 (false 0016)
 0016: 15 1e 00 00000087   jeq 87 0035 (false 0017)
 0017: 15 1d 00 00000095   jeq 95 0035 (false 0018)
 0018: 15 1c 00 0000007c   jeq 7c 0035 (false 0019)
 0019: 15 1b 00 00000157   jeq 157 0035 (false 001a)
 001a: 15 1a 00 000000fd   jeq fd 0035 (false 001b)
 001b: 15 19 00 00000150   jeq 150 0035 (false 001c)
 001c: 15 18 00 00000152   jeq 152 0035 (false 001d)
 001d: 15 17 00 0000015d   jeq 15d 0035 (false 001e)
 001e: 15 16 00 0000011e   jeq 11e 0035 (false 001f)
 001f: 15 15 00 0000011f   jeq 11f 0035 (false 0020)
 0020: 15 14 00 00000120   jeq 120 0035 (false 0021)
 0021: 15 13 00 00000056   jeq 56 0035 (false 0022)
 0022: 15 12 00 00000033   jeq 33 0035 (false 0023)
 0023: 15 11 00 0000007b   jeq 7b 0035 (false 0024)
 0024: 15 10 00 000000d9   jeq d9 0035 (false 0025)
 0025: 15 0f 00 000000f5   jeq f5 0035 (false 0026)
 0026: 15 0e 00 000000f6   jeq f6 0035 (false 0027)
 0027: 15 0d 00 000000f7   jeq f7 0035 (false 0028)
 0028: 15 0c 00 000000f8   jeq f8 0035 (false 0029)
 0029: 15 0b 00 000000f9   jeq f9 0035 (false 002a)
 002a: 15 0a 00 00000101   jeq 101 0035 (false 002b)
 002b: 15 09 00 00000112   jeq 112 0035 (false 002c)
 002c: 15 08 00 00000114   jeq 114 0035 (false 002d)
 002d: 15 07 00 00000126   jeq 126 0035 (false 002e)
 002e: 15 06 00 0000013d   jeq 13d 0035 (false 002f)
 002f: 15 05 00 0000013c   jeq 13c 0035 (false 0030)
 0030: 15 04 00 0000003d   jeq 3d 0035 (false 0031)
 0031: 15 03 00 00000058   jeq 58 0035 (false 0032)
 0032: 15 02 00 000000a9   jeq a9 0035 (false 0033)
 0033: 15 01 00 00000082   jeq 82 0035 (false 0034)
 0034: 06 00 00 7fff0000   ret ALLOW
 0035: 06 00 00 00050001   ret ERRNO(1)
Dual 32/64 bit seccomp filter configured
configuring 80 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 5, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 47 00 0000009f   jeq adjtimex 004f (false 0008)
 0008: 15 46 00 00000131   jeq clock_adjtime 004f (false 0009)
 0009: 15 45 00 000000e3   jeq clock_settime 004f (false 000a)
 000a: 15 44 00 000000a4   jeq settimeofday 004f (false 000b)
 000b: 15 43 00 0000009a   jeq modify_ldt 004f (false 000c)
 000c: 15 42 00 000000d4   jeq lookup_dcookie 004f (false 000d)
 000d: 15 41 00 0000012a   jeq perf_event_open 004f (false 000e)
 000e: 15 40 00 000001b6   jeq pidfd_getfd 004f (false 000f)
 000f: 15 3f 00 00000137   jeq process_vm_writev 004f (false 0010)
 0010: 15 3e 00 000000b0   jeq delete_module 004f (false 0011)
 0011: 15 3d 00 00000139   jeq finit_module 004f (false 0012)
 0012: 15 3c 00 000000af   jeq init_module 004f (false 0013)
 0013: 15 3b 00 000000a1   jeq chroot 004f (false 0014)
 0014: 15 3a 00 000001af   jeq fsconfig 004f (false 0015)
 0015: 15 39 00 000001b0   jeq fsmount 004f (false 0016)
 0016: 15 38 00 000001ae   jeq fsopen 004f (false 0017)
 0017: 15 37 00 000001b1   jeq fspick 004f (false 0018)
 0018: 15 36 00 000000a5   jeq mount 004f (false 0019)
 0019: 15 35 00 000001ad   jeq move_mount 004f (false 001a)
 001a: 15 34 00 000001ac   jeq open_tree 004f (false 001b)
 001b: 15 33 00 0000009b   jeq pivot_root 004f (false 001c)
 001c: 15 32 00 000000a6   jeq umount2 004f (false 001d)
 001d: 15 31 00 0000009c   jeq _sysctl 004f (false 001e)
 001e: 15 30 00 000000b7   jeq afs_syscall 004f (false 001f)
 001f: 15 2f 00 000000ae   jeq create_module 004f (false 0020)
 0020: 15 2e 00 000000b1   jeq get_kernel_syms 004f (false 0021)
 0021: 15 2d 00 000000b5   jeq getpmsg 004f (false 0022)
 0022: 15 2c 00 000000b6   jeq putpmsg 004f (false 0023)
 0023: 15 2b 00 000000b2   jeq query_module 004f (false 0024)
 0024: 15 2a 00 000000b9   jeq security 004f (false 0025)
 0025: 15 29 00 0000008b   jeq sysfs 004f (false 0026)
 0026: 15 28 00 000000b8   jeq tuxcall 004f (false 0027)
 0027: 15 27 00 00000086   jeq uselib 004f (false 0028)
 0028: 15 26 00 00000088   jeq ustat 004f (false 0029)
 0029: 15 25 00 000000ec   jeq vserver 004f (false 002a)
 002a: 15 24 00 000000ad   jeq ioperm 004f (false 002b)
 002b: 15 23 00 000000ac   jeq iopl 004f (false 002c)
 002c: 15 22 00 000000f6   jeq kexec_load 004f (false 002d)
 002d: 15 21 00 00000140   jeq kexec_file_load 004f (false 002e)
 002e: 15 20 00 000000a9   jeq reboot 004f (false 002f)
 002f: 15 1f 00 000000a7   jeq swapon 004f (false 0030)
 0030: 15 1e 00 000000a8   jeq swapoff 004f (false 0031)
 0031: 15 1d 00 00000130   jeq open_by_handle_at 004f (false 0032)
 0032: 15 1c 00 0000012f   jeq name_to_handle_at 004f (false 0033)
 0033: 15 1b 00 000000fb   jeq ioprio_set 004f (false 0034)
 0034: 15 1a 00 00000067   jeq syslog 004f (false 0035)
 0035: 15 19 00 0000012c   jeq fanotify_init 004f (false 0036)
 0036: 15 18 00 000000f8   jeq add_key 004f (false 0037)
 0037: 15 17 00 000000f9   jeq request_key 004f (false 0038)
 0038: 15 16 00 000000ed   jeq mbind 004f (false 0039)
 0039: 15 15 00 00000100   jeq migrate_pages 004f (false 003a)
 003a: 15 14 00 00000117   jeq move_pages 004f (false 003b)
 003b: 15 13 00 000000fa   jeq keyctl 004f (false 003c)
 003c: 15 12 00 000000ce   jeq io_setup 004f (false 003d)
 003d: 15 11 00 000000cf   jeq io_destroy 004f (false 003e)
 003e: 15 10 00 000000d0   jeq io_getevents 004f (false 003f)
 003f: 15 0f 00 000000d1   jeq io_submit 004f (false 0040)
 0040: 15 0e 00 000000d2   jeq io_cancel 004f (false 0041)
 0041: 15 0d 00 000000d8   jeq remap_file_pages 004f (false 0042)
 0042: 15 0c 00 000000ee   jeq set_mempolicy 004f (false 0043)
 0043: 15 0b 00 00000116   jeq vmsplice 004f (false 0044)
 0044: 15 0a 00 00000143   jeq userfaultfd 004f (false 0045)
 0045: 15 09 00 000000a3   jeq acct 004f (false 0046)
 0046: 15 08 00 00000141   jeq bpf 004f (false 0047)
 0047: 15 07 00 000000b4   jeq nfsservctl 004f (false 0048)
 0048: 15 06 00 000000ab   jeq setdomainname 004f (false 0049)
 0049: 15 05 00 000000aa   jeq sethostname 004f (false 004a)
 004a: 15 04 00 00000099   jeq vhangup 004f (false 004b)
 004b: 15 03 00 00000065   jeq ptrace 004f (false 004c)
 004c: 15 02 00 00000087   jeq personality 004f (false 004d)
 004d: 15 01 00 00000136   jeq process_vm_readv 004f (false 004e)
 004e: 06 00 00 7fff0000   ret ALLOW
 004f: 06 00 01 00050001   ret ERRNO(1)
seccomp filter configured
Build restrict-namespaces filter
sbox run: /run/firejail/lib/fseccomp restrict-namespaces /run/firejail/mnt/seccomp/seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts 
Dropping all capabilities
Drop privileges: pid 6, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
restrict-namespaces filter configured
Build restrict-namespaces filter
sbox run: /run/firejail/lib/fseccomp restrict-namespaces.32 /run/firejail/mnt/seccomp/seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts 
Dropping all capabilities
Drop privileges: pid 7, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
restrict-namespaces filter configured
Install namespaces filter
configuring 26 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces 
Dropping all capabilities
Drop privileges: pid 8, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 04 00000038   jeq clone 0008 (false 000c)
 0008: 20 00 00 00000010   ld  data.args[0]
 0009: 45 00 01 7e020000   jset 7e020000 000a (false 000b)
 000a: 06 00 00 00050001   ret ERRNO(1)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 15 00 01 000001b3   jeq 1b3 000d (false 000e)
 000d: 06 00 00 00050026   ret ERRNO(38)
 000e: 15 00 04 00000110   jeq 110 000f (false 0013)
 000f: 20 00 00 00000010   ld  data.args[0]
 0010: 45 00 01 7e020080   jset 7e020080 0011 (false 0012)
 0011: 06 00 00 00050001   ret ERRNO(1)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 15 00 04 00000134   jeq 134 0014 (false 0018)
 0014: 20 00 00 00000018   ld  data.args[8]
 0015: 15 01 00 00000000   jeq 0 0017 (false 0016)
 0016: 45 00 01 7e020080   jset 7e020080 0017 (false 0018)
 0017: 06 00 00 00050001   ret ERRNO(1)
 0018: 06 00 00 7fff0000   ret ALLOW
 0019: 06 00 00 7fff0000   ret ALLOW
configuring 23 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces.32
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces.32 
Dropping all capabilities
Drop privileges: pid 9, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 00 04 00000078   jeq 78 0005 (false 0009)
 0005: 20 00 00 00000010   ld  data.args[0]
 0006: 45 00 01 7e020000   jset 7e020000 0007 (false 0008)
 0007: 06 00 00 00050001   ret ERRNO(1)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 000001b3   jeq 1b3 000a (false 000b)
 000a: 06 00 00 00050026   ret ERRNO(38)
 000b: 15 00 04 00000136   jeq 136 000c (false 0010)
 000c: 20 00 00 00000010   ld  data.args[0]
 000d: 45 00 01 7e020080   jset 7e020080 000e (false 000f)
 000e: 06 00 00 00050001   ret ERRNO(1)
 000f: 06 00 00 7fff0000   ret ALLOW
 0010: 15 00 04 0000015a   jeq 15a 0011 (false 0015)
 0011: 20 00 00 00000018   ld  data.args[8]
 0012: 15 01 00 00000000   jeq 0 0014 (false 0013)
 0013: 45 00 01 7e020080   jset 7e020080 0014 (false 0015)
 0014: 06 00 00 00050001   ret ERRNO(1)
 0015: 06 00 00 7fff0000   ret ALLOW
 0016: 06 00 00 7fff0000   ret ALLOW
Mounting read-only /run/firejail/mnt/seccomp
1928 1564 0:74 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=1928 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             200 .
drwxr-xr-x root     root             240 ..
-rw-r--r-- portable portable         640 seccomp
-rw-r--r-- portable portable         432 seccomp.32
-rw-r--r-- portable portable         207 seccomp.list
-rw-r--r-- portable portable         208 seccomp.namespaces
-rw-r--r-- portable portable         184 seccomp.namespaces.32
-rw-r--r-- portable portable           0 seccomp.postexec
-rw-r--r-- portable portable           0 seccomp.postexec32
-rw-r--r-- portable portable         152 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
/run/firejail/mnt/seccomp/seccomp.namespaces
/run/firejail/mnt/seccomp/seccomp.namespaces.32
Dropping all capabilities
nogroups command not ignored
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0
Warning: cleaning all supplementary groups
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/kate
Child process initialized in 170.17 ms
Installing /run/firejail/mnt/seccomp/seccomp.namespaces.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.namespaces seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 10

UdevQt: unable to create udev monitor connection
kf.service.services: KServiceTypeTrader: serviceType "ThumbCreator" not found

Edit 1-2,4 fix characters
Edit 3: updated @ newest version and profiles
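An added example, not part of the original issue or of firejail's code: a small classic-BPF interpreter run over the 19-instruction `seccomp.protocol` dump from the debug log above, to show what that filter returns for `socket()` calls with different address families. The function names, the Linux x86_64 constants and the sample syscall arguments are assumptions of this example.

```python
import re
import struct

# seccomp.protocol filter, copied from the fsec-print dump in the debug log above.
PROTOCOL_FILTER_DUMP = """
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 04 00 c000003e   jeq ARCH_64 0006 (false 0002)
 0002: 20 00 00 00000000   ld  data.syscall-number
 0003: 15 01 00 00000167   jeq unknown 0005 (false 0004)
 0004: 06 00 00 7fff0000   ret ALLOW
 0005: 05 00 00 00000009   jmp 000f
 0006: 20 00 00 00000004   ld  data.architecture
 0007: 15 01 00 c000003e   jeq ARCH_64 0009 (false 0008)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 20 00 00 00000000   ld  data.syscall-number
 000a: 35 01 00 40000000   jge X32_ABI 000c (false 000b)
 000b: 35 01 00 00000000   jge read 000d (false 000c)
 000c: 06 00 00 00050001   ret ERRNO(1)
 000d: 15 01 00 00000029   jeq socket 000f (false 000e)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 20 00 00 00000010   ld  data.args[0]
 0010: 15 00 01 00000001   jeq 1 0011 (false 0012)
 0011: 06 00 00 7fff0000   ret ALLOW
 0012: 06 00 00 0005005f   ret ERRNO(95)
"""

AUDIT_ARCH_X86_64 = 0xC000003E
AUDIT_ARCH_I386 = 0x40000003
SYS_SOCKET_X86_64 = 41    # 0x29, labelled "socket" in the dump
SYS_SOCKET_I386 = 359     # 0x167, labelled "unknown" in the dump
# Linux address-family numbers (assumed sample inputs for socket()'s first argument).
FAMILIES = {"AF_UNIX": 1, "AF_INET": 2, "AF_INET6": 10, "AF_NETLINK": 16}

INSN_RE = re.compile(
    r"^\s*([0-9a-f]{4}):\s+([0-9a-f]{2})\s+([0-9a-f]{2})\s+([0-9a-f]{2})\s+([0-9a-f]{8})\b"
)


def parse_dump(text):
    """Turn fsec-print lines into (code, jt, jf, k) tuples, checking the line index."""
    prog = []
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue  # header, separator or unrelated log line
        idx, code, jt, jf, k = (int(g, 16) for g in m.groups())
        if idx != len(prog):
            raise ValueError(f"instruction {idx:04x} out of sequence")
        prog.append((code, jt, jf, k))
    return prog


def seccomp_data(arch, nr, args=()):
    """Pack struct seccomp_data: int nr; u32 arch; u64 ip; u64 args[6] (little endian)."""
    padded = list(args) + [0] * (6 - len(args))
    return struct.pack("<iIQ6Q", nr, arch, 0, *padded)


def run_filter(prog, data):
    """Execute the subset of classic BPF that appears in firejail's dumps."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code == 0x20:                      # ld  (BPF_LD|BPF_W|BPF_ABS)
            acc = struct.unpack_from("<I", data, k)[0]
            pc += 1
        elif code == 0x05:                    # jmp (BPF_JMP|BPF_JA)
            pc += 1 + k
        elif code in (0x15, 0x35, 0x45):      # jeq / jge / jset against constant k
            taken = {0x15: acc == k, 0x35: acc >= k, 0x45: bool(acc & k)}[code]
            pc += 1 + (jt if taken else jf)
        elif code == 0x06:                    # ret
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#04x} at {pc:04x}")
    raise ValueError("filter ended without a ret instruction")


def verdict(ret):
    """Decode a seccomp return value into the notation used by fsec-print."""
    action, value = ret & 0xFFFF0000, ret & 0x0000FFFF
    if action == 0x7FFF0000:
        return "ALLOW"
    if action == 0x00050000:
        return f"ERRNO({value})"
    return f"{ret:#010x}"


def check(prog, arch, nr, args=()):
    return verdict(run_filter(prog, seccomp_data(arch, nr, args)))


def socket_verdicts(prog):
    """Verdict for socket(family, ...) on x86_64, per address family."""
    return {name: check(prog, AUDIT_ARCH_X86_64, SYS_SOCKET_X86_64, [fam])
            for name, fam in FAMILIES.items()}


if __name__ == "__main__":
    program = parse_dump(PROTOCOL_FILTER_DUMP)
    for family, result in socket_verdicts(program).items():
        print(f"socket({family}, ...) -> {result}")
```

Errno 95 is `EOPNOTSUPP` on Linux, so under this filter a `socket(AF_INET, ...)` or `socket(AF_INET6, ...)` call made inside the sandbox fails with it, which is consistent with the failed name resolution reported in the issue.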
blacklist /home/portable/.git-credentials Disable /home/portable/.gnupg Disable /home/portable/.local/share/kwalletd Disable /home/portable/.local/share/pki Disable /home/portable/.pki Disable /home/portable/.ssh Disable /usr/sbin (requested /sbin) Disable /usr/local/sbin Disable /usr/sbin Disable /usr/bin/busybox Disable /usr/bin/busybox (requested /bin/busybox) Disable /usr/bin/chage Disable /usr/bin/chage (requested /bin/chage) Disable /usr/bin/chfn Disable /usr/bin/chfn (requested /bin/chfn) Disable /usr/bin/chsh Disable /usr/bin/chsh (requested /bin/chsh) Disable /usr/bin/crontab Disable /usr/bin/crontab (requested /bin/crontab) Disable /usr/bin/expiry Disable /usr/bin/expiry (requested /bin/expiry) Disable /usr/bin/fusermount3 (requested /usr/bin/fusermount) Disable /usr/bin/fusermount3 (requested /bin/fusermount) Disable /usr/bin/gpasswd Disable /usr/bin/gpasswd (requested /bin/gpasswd) Disable /usr/bin/mount Disable /usr/bin/mount (requested /bin/mount) Disable /usr/bin/nc.openbsd (requested /usr/bin/nc) Disable /usr/bin/nc.openbsd (requested /bin/nc) Disable /usr/bin/nmap Disable /usr/bin/nmap (requested /bin/nmap) Disable /usr/bin/newgrp Disable /usr/bin/newgrp (requested /bin/newgrp) Disable /usr/bin/ntfs-3g Disable /usr/bin/ntfs-3g (requested /bin/ntfs-3g) Disable /usr/bin/pkexec Disable /usr/bin/pkexec (requested /bin/pkexec) Disable /usr/bin/newgrp (requested /usr/bin/sg) Disable /usr/bin/newgrp (requested /bin/sg) Disable /usr/bin/su Disable /usr/bin/su (requested /bin/su) Disable /usr/bin/sudo Disable /usr/bin/sudo (requested /bin/sudo) Disable /usr/bin/umount Disable /usr/bin/umount (requested /bin/umount) Disable /usr/bin/xev Disable /usr/bin/xev (requested /bin/xev) Disable /usr/bin/xinput Disable /usr/bin/xinput (requested /bin/xinput) Disable /usr/lib/openssh Disable /usr/bin/passwd Disable /usr/bin/passwd (requested /bin/passwd) Disable /usr/lib/xorg/Xorg.wrap Disable /usr/lib/polkit-1/polkit-agent-helper-1 (requested 
/usr/lib/policykit-1/polkit-agent-helper-1) Disable /usr/lib/dbus-1.0/dbus-daemon-launch-helper Disable /usr/bin/hostname Disable /usr/bin/hostname (requested /bin/hostname) Disable /usr/bin/netstat Disable /usr/bin/netstat (requested /bin/netstat) Disable /usr/bin/nm-online Disable /usr/bin/nm-online (requested /bin/nm-online) Disable /usr/bin/nmcli Disable /usr/bin/nmcli (requested /bin/nmcli) Disable /usr/bin/nmtui Disable /usr/bin/nmtui (requested /bin/nmtui) Disable /usr/bin/nmtui (requested /usr/bin/nmtui-connect) Disable /usr/bin/nmtui (requested /bin/nmtui-connect) Disable /usr/bin/nmtui (requested /usr/bin/nmtui-edit) Disable /usr/bin/nmtui (requested /bin/nmtui-edit) Disable /usr/bin/nmtui (requested /usr/bin/nmtui-hostname) Disable /usr/bin/nmtui (requested /bin/nmtui-hostname) Disable /usr/bin/networkctl Disable /usr/bin/networkctl (requested /bin/networkctl) Disable /usr/bin/ss Disable /usr/bin/ss (requested /bin/ss) Disable /usr/bin/xfce4-terminal Disable /usr/bin/xfce4-terminal (requested /bin/xfce4-terminal) Disable /usr/bin/xfce4-terminal.wrapper Disable /usr/bin/xfce4-terminal.wrapper (requested /bin/xfce4-terminal.wrapper) Warning (blacklisting): cannot open /initrd.img.old: Permission denied Warning (blacklisting): cannot open /initrd.img: Permission denied Warning (blacklisting): cannot open /vmlinuz: Permission denied Warning (blacklisting): cannot open /vmlinuz.old: Permission denied Disable /home/portable/.cache/flatpak Disable /home/portable/.local/share/flatpak/.changed Disable /home/portable/.local/share/flatpak/repo Disable /home/portable/.local/share/flatpak/overrides Disable /home/portable/.local/share/flatpak/db Disable /home/portable/.var Disable /usr/bin/bwrap Disable /usr/bin/bwrap (requested /bin/bwrap) Disable /run/user/1000/.dbus-proxy Disable /run/user/1000/.flatpak Disable /run/user/1000/.flatpak-helper Disable /run/user/1000/app Warning (blacklisting): cannot stat /run/user/1000/doc: Permission denied Disable 
/usr/share/flatpak Disable /usr/bin/dig Disable /usr/bin/dig (requested /bin/dig) Disable /usr/bin/host Disable /usr/bin/host (requested /bin/host) Disable /usr/bin/nslookup Disable /usr/bin/nslookup (requested /bin/nslookup) Disable /usr/bin/ssh Disable /usr/bin/ssh (requested /bin/ssh) Mounting noexec /run/user/1000 1889 1881 0:23 /firejail/firejail.ro.dir /run/user/1000/app ro,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=802352k,mode=755,inode64 mountid=1889 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/app fstype=tmpfs Warning: not remounting /run/user/1000/doc Mounting noexec /dev/shm 1890 1539 0:101 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64 mountid=1890 fsname=/shm dir=/dev/shm fstype=tmpfs Mounting noexec /tmp 1892 1891 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro mountid=1892 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4 Mounting noexec /tmp/.X11-unix 1893 1892 254:1 /tmp/.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro mountid=1893 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4 Not blacklist /home/portable/.ammonite Not blacklist /home/portable/.bundle Disable /home/portable/.cache/KDE/neochat Disable /home/portable/.cache/calibre Disable /home/portable/.cache/gajim Disable /home/portable/.cache/keepassxc Disable /home/portable/.cache/mozilla Disable /home/portable/.cache/systemsettings Not blacklist /home/portable/.cargo Disable /home/portable/.config/Thunar Disable /home/portable/.config/calibre Disable /home/portable/.config/catfish Disable /home/portable/.config/cherrytree Disable /home/portable/.config/enchant Disable /home/portable/.config/gajim Disable /home/portable/.config/gedit Not blacklist /home/portable/.config/git Not blacklist /home/portable/.config/jgit Not blacklist /home/portable/.config/katemetainfos Not blacklist 
/home/portable/.config/katepartrc Not blacklist /home/portable/.config/katerc Not blacklist /home/portable/.config/kateschemarc Not blacklist /home/portable/.config/katesyntaxhighlightingrc Not blacklist /home/portable/.config/katevirc Disable /home/portable/.config/kdeconnect Disable /home/portable/.config/keepassxc Disable /home/portable/.config/nautilus Disable /home/portable/.config/neochatrc Disable /home/portable/.config/pavucontrol.ini Disable /home/portable/.config/vlc Disable /home/portable/.config/xfce4-dict Disable /home/portable/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml Not blacklist /home/portable/.g8 Not blacklist /home/portable/.gitconfig Not blacklist /home/portable/.gradle Not blacklist /home/portable/.ivy2 Not blacklist /home/portable/.java Disable /home/portable/.local/share/KDE/neochat Disable /home/portable/.local/share/gajim Not blacklist /home/portable/.local/share/kate Disable /home/portable/.local/share/nautilus Disable /home/portable/.local/share/vlc Disable /home/portable/.mozilla Not blacklist /home/portable/.node-gyp Not blacklist /home/portable/.npm Not blacklist /home/portable/.npmrc Not blacklist /home/portable/.nvm Not blacklist /home/portable/.pylint.d Not blacklist /home/portable/.sbt Disable /home/portable/.ssr Disable /home/portable/.wget-hsts Not blacklist /home/portable/.yarn Not blacklist /home/portable/.yarn-config Not blacklist /home/portable/.yarncache Not blacklist /home/portable/.yarnrc Not blacklist /home/portable/Nextcloud Mounting read-only /tmp/.X11-unix 1922 1893 254:1 /tmp/.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/chromebook-root rw,errors=remount-ro mountid=1922 fsname=/tmp/.X11-unix dir=/tmp/.X11-unix fstype=ext4 Disable /sys/fs Disable /sys/module disable pulseaudio blacklist /home/portable/.config/pulse blacklist /run/user/1000/pulse/native blacklist /run/user/1000/pulse disable pipewire Current directory: /home/portable DISPLAY=:0.0 parsed as 0 Install 
protocol filter: unix configuring 19 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol Dropping all capabilities Drop privileges: pid 3, uid 1000, gid 1000, force_nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 04 00 c000003e jeq ARCH_64 0006 (false 0002) 0002: 20 00 00 00000000 ld data.syscall-number 0003: 15 01 00 00000167 jeq unknown 0005 (false 0004) 0004: 06 00 00 7fff0000 ret ALLOW 0005: 05 00 00 00000009 jmp 000f 0006: 20 00 00 00000004 ld data.architecture 0007: 15 01 00 c000003e jeq ARCH_64 0009 (false 0008) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 20 00 00 00000000 ld data.syscall-number 000a: 35 01 00 40000000 jge X32_ABI 000c (false 000b) 000b: 35 01 00 00000000 jge read 000d (false 000c) 000c: 06 00 00 00050001 ret ERRNO(1) 000d: 15 01 00 00000029 jeq socket 000f (false 000e) 000e: 06 00 00 7fff0000 ret ALLOW 000f: 20 00 00 00000010 ld data.args[0] 0010: 15 00 01 00000001 jeq 1 0011 (false 0012) 0011: 06 00 00 7fff0000 ret ALLOW 0012: 06 00 00 0005005f ret ERRNO(95) configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32 sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.32 Dropping all capabilities Drop privileges: pid 4, uid 1000, gid 1000, force_nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 30 00 00000015 jeq 15 0035 (false 0005) 0005: 15 2f 00 00000034 jeq 34 0035 (false 0006) 0006: 15 2e 00 0000001a jeq 1a 0035 (false 0007) 0007: 15 2d 00 0000011b jeq 11b 0035 (false 0008) 0008: 15 2c 00 00000155 jeq 155 0035 (false 0009) 0009: 15 2b 00 00000156 jeq 156 0035 (false 000a) 000a: 15 2a 00 0000007f jeq 7f 0035 
(false 000b) 000b: 15 29 00 00000080 jeq 80 0035 (false 000c) 000c: 15 28 00 0000015e jeq 15e 0035 (false 000d) 000d: 15 27 00 00000081 jeq 81 0035 (false 000e) 000e: 15 26 00 0000006e jeq 6e 0035 (false 000f) 000f: 15 25 00 00000065 jeq 65 0035 (false 0010) 0010: 15 24 00 00000121 jeq 121 0035 (false 0011) 0011: 15 23 00 00000057 jeq 57 0035 (false 0012) 0012: 15 22 00 00000073 jeq 73 0035 (false 0013) 0013: 15 21 00 00000067 jeq 67 0035 (false 0014) 0014: 15 20 00 0000015b jeq 15b 0035 (false 0015) 0015: 15 1f 00 0000015c jeq 15c 0035 (false 0016) 0016: 15 1e 00 00000087 jeq 87 0035 (false 0017) 0017: 15 1d 00 00000095 jeq 95 0035 (false 0018) 0018: 15 1c 00 0000007c jeq 7c 0035 (false 0019) 0019: 15 1b 00 00000157 jeq 157 0035 (false 001a) 001a: 15 1a 00 000000fd jeq fd 0035 (false 001b) 001b: 15 19 00 00000150 jeq 150 0035 (false 001c) 001c: 15 18 00 00000152 jeq 152 0035 (false 001d) 001d: 15 17 00 0000015d jeq 15d 0035 (false 001e) 001e: 15 16 00 0000011e jeq 11e 0035 (false 001f) 001f: 15 15 00 0000011f jeq 11f 0035 (false 0020) 0020: 15 14 00 00000120 jeq 120 0035 (false 0021) 0021: 15 13 00 00000056 jeq 56 0035 (false 0022) 0022: 15 12 00 00000033 jeq 33 0035 (false 0023) 0023: 15 11 00 0000007b jeq 7b 0035 (false 0024) 0024: 15 10 00 000000d9 jeq d9 0035 (false 0025) 0025: 15 0f 00 000000f5 jeq f5 0035 (false 0026) 0026: 15 0e 00 000000f6 jeq f6 0035 (false 0027) 0027: 15 0d 00 000000f7 jeq f7 0035 (false 0028) 0028: 15 0c 00 000000f8 jeq f8 0035 (false 0029) 0029: 15 0b 00 000000f9 jeq f9 0035 (false 002a) 002a: 15 0a 00 00000101 jeq 101 0035 (false 002b) 002b: 15 09 00 00000112 jeq 112 0035 (false 002c) 002c: 15 08 00 00000114 jeq 114 0035 (false 002d) 002d: 15 07 00 00000126 jeq 126 0035 (false 002e) 002e: 15 06 00 0000013d jeq 13d 0035 (false 002f) 002f: 15 05 00 0000013c jeq 13c 0035 (false 0030) 0030: 15 04 00 0000003d jeq 3d 0035 (false 0031) 0031: 15 03 00 00000058 jeq 58 0035 (false 0032) 0032: 15 02 00 000000a9 jeq a9 0035 (false 0033) 0033: 15 
01 00 00000082 jeq 82 0035 (false 0034) 0034: 06 00 00 7fff0000 ret ALLOW 0035: 06 00 00 00050001 ret ERRNO(1) Dual 32/64 bit seccomp filter configured configuring 80 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp Dropping all capabilities Drop privileges: pid 5, uid 1000, gid 1000, force_nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 47 00 0000009f jeq adjtimex 004f (false 0008) 0008: 15 46 00 00000131 jeq clock_adjtime 004f (false 0009) 0009: 15 45 00 000000e3 jeq clock_settime 004f (false 000a) 000a: 15 44 00 000000a4 jeq settimeofday 004f (false 000b) 000b: 15 43 00 0000009a jeq modify_ldt 004f (false 000c) 000c: 15 42 00 000000d4 jeq lookup_dcookie 004f (false 000d) 000d: 15 41 00 0000012a jeq perf_event_open 004f (false 000e) 000e: 15 40 00 000001b6 jeq pidfd_getfd 004f (false 000f) 000f: 15 3f 00 00000137 jeq process_vm_writev 004f (false 0010) 0010: 15 3e 00 000000b0 jeq delete_module 004f (false 0011) 0011: 15 3d 00 00000139 jeq finit_module 004f (false 0012) 0012: 15 3c 00 000000af jeq init_module 004f (false 0013) 0013: 15 3b 00 000000a1 jeq chroot 004f (false 0014) 0014: 15 3a 00 000001af jeq fsconfig 004f (false 0015) 0015: 15 39 00 000001b0 jeq fsmount 004f (false 0016) 0016: 15 38 00 000001ae jeq fsopen 004f (false 0017) 0017: 15 37 00 000001b1 jeq fspick 004f (false 0018) 0018: 15 36 00 000000a5 jeq mount 004f (false 0019) 0019: 15 35 00 000001ad jeq move_mount 004f (false 001a) 001a: 15 34 00 000001ac jeq open_tree 004f (false 001b) 001b: 15 33 00 0000009b jeq pivot_root 004f (false 001c) 001c: 15 32 00 
000000a6 jeq umount2 004f (false 001d) 001d: 15 31 00 0000009c jeq _sysctl 004f (false 001e) 001e: 15 30 00 000000b7 jeq afs_syscall 004f (false 001f) 001f: 15 2f 00 000000ae jeq create_module 004f (false 0020) 0020: 15 2e 00 000000b1 jeq get_kernel_syms 004f (false 0021) 0021: 15 2d 00 000000b5 jeq getpmsg 004f (false 0022) 0022: 15 2c 00 000000b6 jeq putpmsg 004f (false 0023) 0023: 15 2b 00 000000b2 jeq query_module 004f (false 0024) 0024: 15 2a 00 000000b9 jeq security 004f (false 0025) 0025: 15 29 00 0000008b jeq sysfs 004f (false 0026) 0026: 15 28 00 000000b8 jeq tuxcall 004f (false 0027) 0027: 15 27 00 00000086 jeq uselib 004f (false 0028) 0028: 15 26 00 00000088 jeq ustat 004f (false 0029) 0029: 15 25 00 000000ec jeq vserver 004f (false 002a) 002a: 15 24 00 000000ad jeq ioperm 004f (false 002b) 002b: 15 23 00 000000ac jeq iopl 004f (false 002c) 002c: 15 22 00 000000f6 jeq kexec_load 004f (false 002d) 002d: 15 21 00 00000140 jeq kexec_file_load 004f (false 002e) 002e: 15 20 00 000000a9 jeq reboot 004f (false 002f) 002f: 15 1f 00 000000a7 jeq swapon 004f (false 0030) 0030: 15 1e 00 000000a8 jeq swapoff 004f (false 0031) 0031: 15 1d 00 00000130 jeq open_by_handle_at 004f (false 0032) 0032: 15 1c 00 0000012f jeq name_to_handle_at 004f (false 0033) 0033: 15 1b 00 000000fb jeq ioprio_set 004f (false 0034) 0034: 15 1a 00 00000067 jeq syslog 004f (false 0035) 0035: 15 19 00 0000012c jeq fanotify_init 004f (false 0036) 0036: 15 18 00 000000f8 jeq add_key 004f (false 0037) 0037: 15 17 00 000000f9 jeq request_key 004f (false 0038) 0038: 15 16 00 000000ed jeq mbind 004f (false 0039) 0039: 15 15 00 00000100 jeq migrate_pages 004f (false 003a) 003a: 15 14 00 00000117 jeq move_pages 004f (false 003b) 003b: 15 13 00 000000fa jeq keyctl 004f (false 003c) 003c: 15 12 00 000000ce jeq io_setup 004f (false 003d) 003d: 15 11 00 000000cf jeq io_destroy 004f (false 003e) 003e: 15 10 00 000000d0 jeq io_getevents 004f (false 003f) 003f: 15 0f 00 000000d1 jeq io_submit 004f (false 
0040) 0040: 15 0e 00 000000d2 jeq io_cancel 004f (false 0041) 0041: 15 0d 00 000000d8 jeq remap_file_pages 004f (false 0042) 0042: 15 0c 00 000000ee jeq set_mempolicy 004f (false 0043) 0043: 15 0b 00 00000116 jeq vmsplice 004f (false 0044) 0044: 15 0a 00 00000143 jeq userfaultfd 004f (false 0045) 0045: 15 09 00 000000a3 jeq acct 004f (false 0046) 0046: 15 08 00 00000141 jeq bpf 004f (false 0047) 0047: 15 07 00 000000b4 jeq nfsservctl 004f (false 0048) 0048: 15 06 00 000000ab jeq setdomainname 004f (false 0049) 0049: 15 05 00 000000aa jeq sethostname 004f (false 004a) 004a: 15 04 00 00000099 jeq vhangup 004f (false 004b) 004b: 15 03 00 00000065 jeq ptrace 004f (false 004c) 004c: 15 02 00 00000087 jeq personality 004f (false 004d) 004d: 15 01 00 00000136 jeq process_vm_readv 004f (false 004e) 004e: 06 00 00 7fff0000 ret ALLOW 004f: 06 00 01 00050001 ret ERRNO(1) seccomp filter configured Build restrict-namespaces filter sbox run: /run/firejail/lib/fseccomp restrict-namespaces /run/firejail/mnt/seccomp/seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts Dropping all capabilities Drop privileges: pid 6, uid 1000, gid 1000, force_nogroups 1 No supplementary groups restrict-namespaces filter configured Build restrict-namespaces filter sbox run: /run/firejail/lib/fseccomp restrict-namespaces.32 /run/firejail/mnt/seccomp/seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts Dropping all capabilities Drop privileges: pid 7, uid 1000, gid 1000, force_nogroups 1 No supplementary groups restrict-namespaces filter configured Install namespaces filter configuring 26 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces Dropping all capabilities Drop privileges: pid 8, uid 1000, gid 1000, force_nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 
0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 00 04 00000038 jeq clone 0008 (false 000c) 0008: 20 00 00 00000010 ld data.args[0] 0009: 45 00 01 7e020000 jset 7e020000 000a (false 000b) 000a: 06 00 00 00050001 ret ERRNO(1) 000b: 06 00 00 7fff0000 ret ALLOW 000c: 15 00 01 000001b3 jeq 1b3 000d (false 000e) 000d: 06 00 00 00050026 ret ERRNO(38) 000e: 15 00 04 00000110 jeq 110 000f (false 0013) 000f: 20 00 00 00000010 ld data.args[0] 0010: 45 00 01 7e020080 jset 7e020080 0011 (false 0012) 0011: 06 00 00 00050001 ret ERRNO(1) 0012: 06 00 00 7fff0000 ret ALLOW 0013: 15 00 04 00000134 jeq 134 0014 (false 0018) 0014: 20 00 00 00000018 ld data.args[8] 0015: 15 01 00 00000000 jeq 0 0017 (false 0016) 0016: 45 00 01 7e020080 jset 7e020080 0017 (false 0018) 0017: 06 00 00 00050001 ret ERRNO(1) 0018: 06 00 00 7fff0000 ret ALLOW 0019: 06 00 00 7fff0000 ret ALLOW configuring 23 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces.32 sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces.32 Dropping all capabilities Drop privileges: pid 9, uid 1000, gid 1000, force_nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 00 04 00000078 jeq 78 0005 (false 0009) 0005: 20 00 00 00000010 ld data.args[0] 0006: 45 00 01 7e020000 jset 7e020000 0007 (false 0008) 0007: 06 00 00 00050001 ret ERRNO(1) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 15 00 01 000001b3 jeq 1b3 000a (false 000b) 000a: 06 00 00 00050026 ret ERRNO(38) 000b: 15 00 04 00000136 jeq 136 000c (false 0010) 000c: 20 00 00 00000010 ld data.args[0] 000d: 45 00 01 7e020080 jset 7e020080 000e (false 
000f) 000e: 06 00 00 00050001 ret ERRNO(1) 000f: 06 00 00 7fff0000 ret ALLOW 0010: 15 00 04 0000015a jeq 15a 0011 (false 0015) 0011: 20 00 00 00000018 ld data.args[8] 0012: 15 01 00 00000000 jeq 0 0014 (false 0013) 0013: 45 00 01 7e020080 jset 7e020080 0014 (false 0015) 0014: 06 00 00 00050001 ret ERRNO(1) 0015: 06 00 00 7fff0000 ret ALLOW 0016: 06 00 00 7fff0000 ret ALLOW Mounting read-only /run/firejail/mnt/seccomp 1928 1564 0:74 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64 mountid=1928 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Seccomp directory: ls /run/firejail/mnt/seccomp drwxr-xr-x root root 200 . drwxr-xr-x root root 240 .. -rw-r--r-- portable portable 640 seccomp -rw-r--r-- portable portable 432 seccomp.32 -rw-r--r-- portable portable 207 seccomp.list -rw-r--r-- portable portable 208 seccomp.namespaces -rw-r--r-- portable portable 184 seccomp.namespaces.32 -rw-r--r-- portable portable 0 seccomp.postexec -rw-r--r-- portable portable 0 seccomp.postexec32 -rw-r--r-- portable portable 152 seccomp.protocol Active seccomp files: cat /run/firejail/mnt/seccomp/seccomp.list /run/firejail/mnt/seccomp/seccomp.protocol /run/firejail/mnt/seccomp/seccomp.32 /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.namespaces /run/firejail/mnt/seccomp/seccomp.namespaces.32 Dropping all capabilities nogroups command not ignored noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0 Warning: cleaning all supplementary groups Closing non-standard file descriptors Starting application LD_PRELOAD=(null) execvp argument 0: /usr/bin/kate Child process initialized in 170.17 ms Installing /run/firejail/mnt/seccomp/seccomp.namespaces.32 seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.namespaces seccomp filter Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter 
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 10
UdevQt: unable to create udev monitor connection
kf.service.services: KServiceTypeTrader: serviceType "ThumbCreator" not found
```
</p>
</details>

Edit 1-2,4 fix characters
Edit 3: updated @ newest version and profiles

@kmk3 commented on GitHub (Jul 10, 2025):

> firejail version 0.9.72

Note that we do not maintain that version of firejail:

* <https://github.com/netblue30/firejail/blob/master/SECURITY.md>

Versions other than the latest usually have outdated profiles and may contain
bugs and security vulnerabilities that were fixed in later versions.

See also:

* <https://github.com/netblue30/firejail#installing>

What happens with [firejail-git](https://github.com/netblue30/firejail?tab=readme-ov-file#building)?

If it does not work, you can try commenting the profile until it works and post
the lines that are causing issues.

@madbehaviorus commented on GitHub (Jul 10, 2025):

Thank you for your information.

I upgraded to version 0.9.75 and updated the profiles.
I can now use the internet connection by changing the following variables:

```
#net none
protocol unix,inet,inet6,netlink
```

```
# Firejail profile for kate
# Description: Powerful text editor
# This file is overwritten after every install/update
# Persistent local customizations
include kate.local
# Persistent global definitions
include globals.local

ignore noexec ${HOME}

noblacklist ${HOME}/.config/katemetainfos
noblacklist ${HOME}/.config/katepartrc
noblacklist ${HOME}/.config/katerc
noblacklist ${HOME}/.config/kateschemarc
noblacklist ${HOME}/.config/katesyntaxhighlightingrc
noblacklist ${HOME}/.config/katevirc
noblacklist ${HOME}/.config/kwinrc
noblacklist ${HOME}/.local/share/kate
noblacklist ${HOME}/.local/share/kxmlgui5/kate
noblacklist ${HOME}/.local/share/kxmlgui5/katefiletree
noblacklist ${HOME}/.local/share/kxmlgui5/katekonsole
noblacklist ${HOME}/.local/share/kxmlgui5/kateopenheaderplugin
noblacklist ${HOME}/.local/share/kxmlgui5/katepart
noblacklist ${HOME}/.local/share/kxmlgui5/kateproject
noblacklist ${HOME}/.local/share/kxmlgui5/katesearch

# Allows files commonly used by IDEs
include allow-common-devel.inc

include disable-common.inc
#include disable-devel.inc
include disable-exec.inc
#include disable-interpreters.inc
include disable-programs.inc

include whitelist-run-common.inc
include whitelist-var-common.inc

#apparmor
caps.drop all
#net none
netfilter
nodvd
nogroups
noinput
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix,inet,inet6,netlink
seccomp

#private-bin kate,kbuildsycoca4,kdeinit4
private-dev
#private-etc alternatives,fonts,kde4rc,kde5rc,ld.so.cache,machine-id,xdg
private-tmp

#dbus-user none
#dbus-system none

restrict-namespaces
join-or-start kate
```

@kmk3 commented on GitHub (Jul 11, 2025):

> Thank you for your information.
>
> I upgraded to version 0.9.75 and updated the profiles. I can now use the internet connection by changing the following variables:
>
> ```
> #net none
> protocol unix,inet,inet6,netlink
> ```

Nice, glad it worked.

Is `netlink` actually needed or does it work with just `protocol unix,inet,inet6`?
Reference: github-starred/firejail#3383