[GH-ISSUE #6882] firefox: --allow-debuggers: PTRACE_TRACEME: Permission denied (AppArmor) #3403

Closed
opened 2026-05-05 09:58:07 -06:00 by gitea-mirror · 6 comments

Originally created by @vinc17fr on GitHub (Aug 28, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6882

Description

The --allow-debuggers option no longer works.

Steps to Reproduce

Run the following command (taken from the firejail(1) man page):

firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox

Expected behavior

Firefox should start.

Actual behavior

I get the following errors:

strace: do_test_ptrace_get_syscall_info: PTRACE_TRACEME: Permission denied
strace: attach: ptrace(PTRACE_SEIZE, 50): Permission denied

Note: with gdb, I get a similar error:

warning: Could not trace the inferior process.
warning: ptrace: Permission denied

Behavior without a profile

With --noprofile instead of the firefox profile, strace runs normally.

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.12.41+deb13-amd64 x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Debian/unstable
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"): strace 6.16
  • Version of Firejail (firejail --version): 0.9.76

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox

Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
firejail version 0.9.76

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 662050, child pid 662054
Warning: cannot open source file /usr/lib/x86_64-linux-gnu/firejail/seccomp.debug32, file not copied
Warning: NVIDIA card detected, nogroups command ignored
Warning: cannot find /var/run/utmp
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning fcopy: cannot create symbolic link /etc/pulse/client.conf.d/01-enable-autospawn.conf
Private /etc installed in 170.74 ms
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Base filesystem installed in 151.10 ms
Warning: NVIDIA card detected, nogroups command ignored
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Child process initialized in 502.39 ms
strace: do_test_ptrace_get_syscall_info: PTRACE_TRACEME: Permission denied
strace: attach: ptrace(PTRACE_SEIZE, 50): Permission denied

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug --allow-debuggers --profile=/etc/firejail/firefox.profile strace -f firefox: fjdebug.txt (https://github.com/user-attachments/files/22028055/fjdebug.txt)

gitea-mirror 2026-05-05 09:58:07 -06:00: closed this issue and added the "bug" label

@kmk3 commented on GitHub (Aug 28, 2025):

> The --allow-debuggers option no longer works.

What changed compared to when it worked?

Such as kernel/package versions.

Is only firefox affected?

> $ LC_ALL=C firejail --allow-debuggers \
>   --profile=/etc/firejail/firefox.profile \
>   strace -f firefox
> [...]
> strace: do_test_ptrace_get_syscall_info: PTRACE_TRACEME: Permission denied
> strace: attach: ptrace(PTRACE_SEIZE, 50): Permission denied

What is the output of the following?

cat /proc/sys/kernel/yama/ptrace_scope
echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
cat /proc/sys/kernel/yama/ptrace_scope

Does it work after executing it?


@vinc17fr commented on GitHub (Aug 29, 2025):

> > The --allow-debuggers option no longer works.
>
> What changed compared to when it worked?

Lots of things: this was several years ago. But perhaps this was with the zoom profile, for which strace actually works (I attempted to use gdb with the firefox profile but was blocked for another reason: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031004).

> Is only firefox affected?

If you mean what is straced, no. Even that:

qaa% strace true
strace: do_test_ptrace_get_syscall_info: PTRACE_TRACEME: Permission denied
strace: attach: ptrace(PTRACE_SEIZE, 49): Permission denied

If you mean the profile, no again. I've tried various profiles, and I generally get the same error, or "Error: no suitable strace executable found". But this works with the zoom profile.

> What is the output of the following?
>
> cat /proc/sys/kernel/yama/ptrace_scope
> echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
> cat /proc/sys/kernel/yama/ptrace_scope

Always 0.

> Does it work after executing it?

No (as expected, since the value was already 0).

And on a Debian 12.11 machine:

citron:~> cat /proc/sys/kernel/yama/ptrace_scope
0
citron:~> firejail --allow-debuggers --profile=xz strace true
strace: test_ptrace_get_syscall_info: PTRACE_TRACEME: Permission denied
strace: ptrace(PTRACE_TRACEME, ...): Permission denied
+++ exited with 1 +++

@vinc17fr commented on GitHub (Aug 29, 2025):

Adding --ignore=apparmor makes strace work. Like that:

firejail --allow-debuggers --ignore=apparmor --profile=firefox strace true

@vinc17fr commented on GitHub (Aug 29, 2025):

Note that adding --ignore=apparmor is a bad workaround as one may not want to disable AppArmor completely just to enable ptrace.

I'm wondering whether this could be the cause of the failure: /etc/apparmor.d/firejail-default contains

##########
# With ptrace it is possible to inspect and hijack running programs.
##########
# Uncomment this line to allow all ptrace access
#ptrace,
# Allow obtaining some process information, but not ptrace(2)
ptrace (read,readby) peer=@{profile_name},
ptrace (read,readby) peer=@{profile_name}//&unconfined,
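To tell whether a PTRACE_TRACEME refusal like the ones above comes from Yama or from an AppArmor profile such as firejail-default, here is a small diagnostic, added here and not part of firejail or of the reporter's comments. It assumes the sandboxed process can read the Yama sysctl and its own AppArmor label from /proc/self/attr/apparmor/current (or the legacy /proc/self/attr/current), and it is meant to be compiled and run inside the sandbox, e.g. `firejail --allow-debuggers --profile=firefox ./ptrace_check` (binary name assumed).

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a child that calls PTRACE_TRACEME, the request strace issues before
 * exec. Returns 0 if the kernel accepted it, otherwise the child's errno. */
int traceme_errno(void) {
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) _exit(errno);
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : ECHILD;
}

/* First line of a /proc file, or "unknown" when it cannot be read. */
static void read_first_line(const char *path, char *buf, size_t n) {
    FILE *f = fopen(path, "r");
    if (!f || !fgets(buf, (int)n, f)) snprintf(buf, n, "unknown");
    if (f) fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
}

/* Pure verdict from the three observations (checkable without ptrace). */
const char *diagnose(int err, int yama_scope, const char *aa_label) {
    if (err == 0) return "ptrace allowed";
    if (err != EPERM) return "ptrace failed for a non-permission reason";
    if (yama_scope >= 2) return "Yama: ptrace_scope >= 2 refuses PTRACE_TRACEME";
    if (strncmp(aa_label, "unconfined", 10) != 0 && strcmp(aa_label, "unknown") != 0)
        return "AppArmor: confining profile likely lacks a ptrace (trace,tracedby) rule";
    return "EPERM not explained by Yama or AppArmor; check seccomp and capabilities";
}

int main(void) {
    char yama[16], label[128];
    read_first_line("/proc/sys/kernel/yama/ptrace_scope", yama, sizeof yama);
    read_first_line("/proc/self/attr/apparmor/current", label, sizeof label);
    if (strcmp(label, "unknown") == 0)   /* older kernels expose only the legacy path */
        read_first_line("/proc/self/attr/current", label, sizeof label);
    int err = traceme_errno();
    int scope = strcmp(yama, "unknown") == 0 ? 0 : atoi(yama);
    printf("PTRACE_TRACEME: %s\n", err ? strerror(err) : "ok");
    printf("yama ptrace_scope=%s, apparmor label=%s\n", yama, label);
    printf("verdict: %s\n", diagnose(err, scope, label));
    return err != 0;
}
```

In the reporter's setup (ptrace_scope 0, label firejail-default) the verdict points at AppArmor, while with --noprofile or --ignore=apparmor the label reads unconfined and PTRACE_TRACEME succeeds.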

@netblue30 commented on GitHub (Dec 23, 2025):

Actually this is a bug - under debug apparmor was supposed to be disabled!


@netblue30 commented on GitHub (Dec 23, 2025):

Added fix in 46b4c12b23 (https://github.com/netblue30/firejail/commit/46b4c12b233e6078761fd42e1a996ec176d87d59), thanks for the bug!

Test:

$ firejail --allow-debuggers --profile=firefox
[...]
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 165.22 ms
bash-5.2$ 
bash-5.2$ 
bash-5.2$ strace /usr/bin/ls
execve("/usr/bin/ls", ["/usr/bin/ls"], 0x7ffd463001a0 /* 47 vars */) = 0
brk(NULL)                               = 0x559aa6c27000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7ff06bcee000
[...]

Notice apparmor complaining about firejail apparmor profile not being loaded into the kernel.
