[GH-ISSUE #6822] koreader: Error: failed to run /run/firejail/lib/fsec-print (whitelist in /usr/lib) #3386

Open
opened 2026-05-05 09:57:32 -06:00 by gitea-mirror · 7 comments

Originally created by @cameronj86 on GitHub (Jul 13, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6822

Description

Default profile won't work

Fails to load

Steps to Reproduce

  1. create symlink to the koreader binary
  2. Sidestep first error by adding `whitelist /usr/lib/koreader/fonts`
  3. run `LC_ALL=C firejail --profile=koreader --trace=/tmp/trace.txt /usr/bin/koreader`
  4. Error is in part of the output

Expected behavior

App runs

Actual behavior

App doesn't run

Behavior without a profile

Launches successfully

Additional context

Going through and actually trying the profiles of interest to see if they work and loading tix for the ones that do not.

Environment

  • Linux 6.12.10-amd64 x86_64
  • Debian Trixie 13
  • koreader 2025.04 (installed via official .deb if that matters)
  • firejail version 0.9.74

Checklist

  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
  • [x] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)

Log

Output of `LC_ALL=C firejail --profile=koreader --debug /usr/bin/koreader`

pid=824550: locking /run/firejail/firejail-run.lock ...
pid=824550: locked /run/firejail/firejail-run.lock
pid=824550: unlocking /run/firejail/firejail-run.lock ...
pid=824550: unlocked /run/firejail/firejail-run.lock
Reading profile /home/macallik/.config/firejail/koreader.profile
Reading profile /etc/firejail/allow-lua.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
[profile] combined protocol list: "unix,netlink"
Warning: private-lib feature is disabled in Firejail configuration file
firejail version 0.9.74

pid=824550: locking /run/firejail/firejail-run.lock ...
pid=824550: locked /run/firejail/firejail-run.lock
DISPLAY=:0 parsed as 0
pid=824550: unlocking /run/firejail/firejail-run.lock ...
pid=824550: unlocked /run/firejail/firejail-run.lock
Parent pid 824550, child pid 824551
nogroups command not ignored
Warning: cannot find /var/run/utmp
Warning fcopy: cannot create symbolic link /etc/alternatives/my.cnf
Warning: file /etc/gcrypt not found.
Warning: file /etc/locale not found.
Private /etc installed in 23.92 ms
Base filesystem installed in 165.37 ms
DISPLAY=:0 parsed as 0
fexecve: No such file or directory
Error: failed to run /run/firejail/lib/fsec-print, exiting...
Error: proc 824550 cannot sync with peer: unexpected EOF
Peer 824551 unexpectedly exited with status 1
bash: Looking: command not found

gitea-mirror added the enhancement label 2026-05-05 09:57:32 -06:00

@kmk3 commented on GitHub (Jul 13, 2025):

What is the output of the following?

```sh
which -a koreader
ls -l $(which -a koreader)
```

> Reading profile /home/macallik/.config/firejail/koreader.profile

What happens with the profile in /etc/firejail?

> 1. create symlink to the koreader binary

How?

Do you mean with firecfg?

> 2. Sidestep first error by adding `whitelist /usr/lib/koreader/fonts`

What error?

This shouldn't be necessary as there is no whitelisting in /usr/lib AFAIK.

> ```
> fexecve: No such file or directory
> Error: failed to run /run/firejail/lib/fsec-print, exiting...
> Error: proc 824550 cannot sync with peer: unexpected EOF
> Peer 824551 unexpectedly exited with status 1
> bash: Looking: command not found
> ```

Strange, I don't remember seeing this error before.

I only found the following instance, which was due to the user manually
whitelisting a path in /usr/lib:

  • #6379

@cameronj86 commented on GitHub (Jul 13, 2025):

Everything is working as expected but found it in my clipboard from troubleshooting last night

> What is the output of the following?

$ which -a koreader
/home/macallik/.local/bin/firejailBin/koreader
/usr/bin/koreader
/bin/koreader

> How?

Followed the instructions in the manpage:
`$ ln -s /usr/bin/firejail /home/macallik/.local/bin/firejailBin/koreader`

> What happens with the profile in /etc/firejail?

I created the config version when I added `whitelist /usr/lib/koreader/fonts`

$ diff ~/.config/firejail/koreader.profile /etc/firejail/koreader.profile 
< whitelist /usr/lib/koreader/fonts  
< whitelist /home/macallik/.local/bin/firejailBin  # Sounds like this might be the issue in retrospect

> What error?

Here are the steps I took:

  1. Experienced font issue that wouldn't allow koreader to load. Never experienced this running w/o firejail
  2. Added `whitelist /usr/lib/koreader/fonts`
  3. (Not 100% sure which came first) Added `whitelist /home/macallik/.local/bin/firejailBin`
  4. (Not 100% sure which came first) Upgraded koreader from 2024.11 -> 2025.04
  5. Troubleshoot some more
  6. Load tix
  7. Woke up this morning to replicate the bug w/ the default profile and can no longer reproduce it 😬

I thought I was saving time by skipping the initial error but by editing the setup, I broke things. I will just report the initial error moving forward.

I can no longer reproduce the error message but I still have the initial error from last night's clipboard below. My belief at the time was that firejail completed and koreader was failing mid-launch due to firejail:

Font-related error message

ffi.findlib: freetype [6]
ffi.load: libs/libfreetype.so.6
ffi.findlib: harfbuzz [0]
ffi.load: libs/libharfbuzz.so.0
ffi.findlib: zstd [1]
ffi.load: libs/libzstd.so.1
07/13/25-02:27:15 ERROR #! Font  infont  ( DroidSansMono.ttf ) not supported:  ./ffi/freetype.lua:32: Failed to load font './fonts/DroidSansMono.ttf', freetype error code: 1 
07/13/25-02:27:15 ERROR #! Font  infont  ( DroidSansMono.ttf ) not supported:  ./ffi/freetype.lua:32: Failed to load font './fonts/DroidSansMono.ttf', freetype error code: 1 
/usr/lib/koreader/luajit: frontend/ui/font.lua:386: attempt to index local 'face' (a nil value)
stack traceback:
        frontend/ui/font.lua:386: in function 'getAdjustedFace'
        frontend/ui/widget/textwidget.lua:102: in function 'updateSize'
        frontend/ui/widget/textwidget.lua:303: in function 'getWidth'
        frontend/ui/widget/menu.lua:199: in function 'init'
        frontend/ui/widget/widget.lua:46: in function 'new'
        frontend/ui/widget/menu.lua:1087: in function 'updateItems'
        frontend/ui/widget/filechooser.lua:497: in function 'updateItems'
        frontend/ui/widget/menu.lua:1207: in function 'switchItemTable'
        frontend/ui/widget/filechooser.lua:514: in function 'refreshPath'
        frontend/ui/widget/filechooser.lua:292: in function 'init'
        frontend/ui/widget/widget.lua:46: in function 'new'
        frontend/apps/filemanager/filemanager

Let me know if I'm mistaken. My current operating theory is that the initial conflict might have been related to the 2024.11 release, so it might be a moot point. Will close out in 24-48 hours unless something else crops up


@kmk3 commented on GitHub (Jul 17, 2025):

This /usr/lib part indeed seems to be the issue:

$ firejail --debug --profile=koreader --whitelist=/usr/lib/koreader/fonts true
[...]
Install protocol filter: unix,netlink
configuring 21 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol
[...]
fexecve: No such file or directory
Error: failed to run /run/firejail/lib/fsec-print, exiting...
Error: proc 10000 cannot sync with peer: unexpected EOF
Peer 10000 unexpectedly exited with status 1

@kmk3 commented on GitHub (Jul 19, 2025):

Whitelisting in /usr/lib should work with private-lib (though it might be
brittle); see the --enable-private-lib configure option.

Whitelisting in /etc seems to work fine without using private-etc, so it
should be doable to support whitelisting in /usr/lib without using
private-lib

I'll leave this open for now.
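
A pre-flight check for the condition reproduced in this thread: a `whitelist` entry under /usr/lib, either in a profile or as `--whitelist=` on the command line. This is an added example, not part of the thread or of firejail; the function names and the sample profile are constructed here for illustration.

```python
import posixpath
import shlex

# Directory the thread identifies as the trigger when private-lib is disabled.
RISKY_ROOT = "/usr/lib"


def _under_usr_lib(path):
    """True if the normalised path is /usr/lib or anything below it."""
    norm = posixpath.normpath(path)
    return norm == RISKY_ROOT or norm.startswith(RISKY_ROOT + "/")


def whitelist_paths_in_profile(text):
    """Yield (line_number, path) for every active `whitelist` line."""
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        parts = line.split(None, 1)
        # Exact keyword match, so `nowhitelist` lines are skipped.
        if len(parts) == 2 and parts[0] == "whitelist":
            yield number, parts[1].strip()


def whitelist_paths_in_command(command):
    """Yield paths given as --whitelist=PATH on a firejail command line."""
    for arg in shlex.split(command):
        if arg.startswith("--whitelist="):
            yield arg.split("=", 1)[1]


def find_usr_lib_whitelists(profile_text="", command=""):
    """Return findings as (source, line_number_or_None, path) tuples."""
    findings = []
    for number, path in whitelist_paths_in_profile(profile_text):
        if _under_usr_lib(path):
            findings.append(("profile", number, path))
    for path in whitelist_paths_in_command(command):
        if _under_usr_lib(path):
            findings.append(("command", None, path))
    return findings


# Constructed sample: the two extra lines from the diff in the thread, plus
# a commented-out entry, a nowhitelist line and a /usr/libexec path, none of
# which should be reported.
SAMPLE_PROFILE = """\
include disable-programs.inc
whitelist /usr/lib/koreader/fonts
whitelist /home/macallik/.local/bin/firejailBin  # local addition
# whitelist /usr/lib/other
nowhitelist /usr/lib/ignored
whitelist /usr/libexec/example
"""
SAMPLE_COMMAND = ("firejail --debug --profile=koreader "
                  "--whitelist=/usr/lib/koreader/fonts true")

if __name__ == "__main__":
    for source, location, path in find_usr_lib_whitelists(SAMPLE_PROFILE, SAMPLE_COMMAND):
        where = f"line {location}" if location else "command line"
        print(f"{source} ({where}): whitelist in /usr/lib: {path}")
```
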


@cameronj86 commented on GitHub (Jul 28, 2025):

Related to koreader functionality specifically, I have since been able to replicate and resolve the issue by commenting out:
`include disable-programs.inc`


@kmk3 commented on GitHub (Jul 29, 2025):

> Related to koreader functionality specifically, I have since been able to
> replicate and resolve the issue by commenting out: `include disable-programs.inc`

Nice, though note that this file blocks many common paths.

You could try commenting disable-programs.inc to see which lines are causing
the issue and post them here.

If it's only a few lines, it might also be better to ignore just those specific
lines in koreader.local than all of disable-programs.inc.


@cameronj86 commented on GitHub (Aug 6, 2025):

Sorry, I guess it's centric to my setup, but since I'm using `private /path/to/sandbox` in my config, `disable-programs.inc` is not necessary for my setup.
