[GH-ISSUE #481] Firejail fails to launch several applications after system update #341

Closed
opened 2026-05-05 05:37:58 -06:00 by gitea-mirror · 6 comments

Originally created by @ghost on GitHub (Apr 25, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/481

After updating my system today, firejail fails to launch most applications unless I use --noprofile to disable the generic profile.

```
$ firejail --debug --trace /usr/bin/firefox
...
Save seccomp filter, size 744 bytes
Dropping all capabilities
noroot user namespace installed
Starting "/usr/bin/firefox"
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: "/usr/bin/firefox"
Child process initialized
2:bash:open /dev/tty:3
2:firefox:open /usr/bin/firefox:3
2:firefox.real:access /usr/lib/firefox/libxul.so:0
2:firefox.real:fopen /usr/lib/firefox/dependentlibs.list:0x7f417711a400
2:firefox.real:open /usr/lib/firefox/liblgpllibs.so:4
2:firefox.real:open /usr/lib/firefox/libmozgtk.so:4
Sandbox monitor: waitpid 2 retval 2 status 31

parent is shutting down, bye...
```

Checking syslog:

```
$ less /var/log/syslog
Apr 25 18:31:54 localhost firejail[12228]: firejail --debug --trace /usr/bin/firefox
Apr 25 18:31:54 localhost firejail[2]: sandbox 12228, execvp into "/usr/bin/firefox"
Apr 25 18:31:54 localhost firejail[12228]: exiting...
```

Running Debian sid

```
$ uname -a
Linux fx8350 4.5.0-1-amd64 #1 SMP Debian 4.5.1-1 (2016-04-14) x86_64 GNU/Linux
```

Firejail from the repo:

```
$ firejail --version
firejail version 0.9.38
```

The generic profile:

```
$ cat /etc/firejail/generic.profile
################################
# Generic GUI application profile
################################
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc
blacklist ${HOME}/.pki/nssdb
blacklist ${HOME}/.lastpass
blacklist ${HOME}/.keepassx
blacklist ${HOME}/.password-store
caps.drop all
seccomp
protocol unix,inet,inet6
netfilter
noroot
```

The last updates:

```
$ cat /var/log/apt/history.log | tail
Start-Date: 2016-04-25  16:51:48
Commandline: apt upgrade
Requested-By: user (1000)
Install: gcc-6-base:amd64 (6.0.1-2, automatic), gcc-6-base:i386 (6.0.1-2, automatic)
Upgrade: console-setup-linux:amd64 (1.141, 1.142), console-setup:amd64 (1.141, 1.142), keyboard-configuration:amd64 (1.141, 1.142), libsystemd0:amd64 (229-4, 229-5), libsystemd0:i386 (229-4, 229-5), libitm1:amd64 (5.3.1-15, 6.0.1-2), udev:amd64 (229-4, 229-5), libcilkrts5:amd64 (5.3.1-15, 6.0.1-2), libquadmath0:amd64 (5.3.1-15, 6.0.1-2), libudev1:amd64 (229-4, 229-5), libudev1:i386 (229-4, 229-5), libgcc1:amd64 (1:5.3.1-15, 1:6.0.1-2), libgcc1:i386 (1:5.3.1-15, 1:6.0.1-2), libtsan0:amd64 (5.3.1-15, 6.0.1-2), libubsan0:amd64 (5.3.1-15, 6.0.1-2), libgfortran3:amd64 (5.3.1-15, 6.0.1-2), systemd-sysv:amd64 (229-4, 229-5), libselinux1:amd64 (2.4-3+b1, 2.5-1), libselinux1:i386 (2.4-3+b1, 2.5-1), libpam-systemd:amd64 (229-4, 229-5), liblsan0:amd64 (5.3.1-15, 6.0.1-2), systemd:amd64 (229-4, 229-5), libgomp1:amd64 (5.3.1-15, 6.0.1-2), libgomp1:i386 (5.3.1-15, 6.0.1-2), libwebkit2gtk-4.0-37:amd64 (2.12.1-1, 2.12.1-1+b1), libatomic1:amd64 (5.3.1-15, 6.0.1-2), libcc1-0:amd64 (5.3.1-15, 6.0.1-2), libstdc++6:amd64 (5.3.1-15, 6.0.1-2), libstdc++6:i386 (5.3.1-15, 6.0.1-2), libjavascriptcoregtk-4.0-18:amd64 (2.12.1-1, 2.12.1-1+b1)
End-Date: 2016-04-25  16:52:35
```

Any suggestions?
I understand this may not be a bug with firejail, but this was my starting point.


@liloman commented on GitHub (Apr 26, 2016):

It was broken for me yesterday. It seemed to be something related to the new checks on get*uid. I just checked out former commits and the problem was solved.


@ghost commented on GitHub (Apr 26, 2016):

Hi, nobeljone.
Invoking firejail with those arguments makes it work again. Thanks for the tip!
I find it strange that if I comment out `seccomp` and `caps.drop all` in `generic.profile`, the problem still persists.

Hi, liloman.
Do you mean that this behaviour does not happen with former commits?


@netblue30 commented on GitHub (Apr 27, 2016):

I'll set up a Sid system here and take a look. Thanks for letting me know.

@liloman: which commits did you check out?


@irregulator commented on GitHub (May 1, 2016):

Both Iceweasel and Icedove are failing to start because the default seccomp filter blacklists the 'mount' syscall.

I am running firejail version "0.9.40~rc2", compiled from commit 2bd593cbeb in the master branch. I'm also running Debian testing with icedove version "38.7.0-1~deb8u1" and iceweasel version "38.8.0esr-1~deb8u1".

Firejail execution example and audit logs indicating the problem are:

```
firejail icedove
Reading profile /usr/local/etc/firejail/icedove.profile
Reading profile /usr/local/etc/firejail/firefox.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/disable-devel.inc
Reading profile /usr/local/etc/firejail/whitelist-common.inc
Parent pid 10499, child pid 10500
Blacklist violations are logged to syslog

Child process initialized

Parent is shutting down, bye...
```

```
type=SECCOMP msg=audit(1462106848.449:3321): auid=1000 uid=1000 gid=1000 ses=1 pid=10502 comm="icedove" exe="/usr/lib/icedove/icedove" sig=31 arch=c000003e syscall=165 compat=0 ip=0x7f0b02be866a code=0x0
```

I've also managed to launch both icedove and iceweasel like so:

```
firejail --seccomp.drop=umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,nfsservctl,get_kernel_syms icedove
```

i.e. not dropping the 'mount' syscall.

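As an added triage helper (not part of the issue thread and not firejail's own code), the Python below decodes the two clues the reports above rely on: firejail's `Sandbox monitor: waitpid 2 retval 2 status 31` line from the opening post, treated here as a raw wait(2) status, and the kernel's `type=SECCOMP` audit record from this comment, resolving `syscall=165` under `arch=c000003e` to `mount` and checking that name against a drop list. Assumptions: the syscall tables are hand-picked subsets of the Linux x86_64 and i386 ABIs, `SIGSYS == 31` is the Linux value, `DEFAULT_DROP` is irregulator's list plus `mount` as described in the comment rather than firejail's real default, the second sample audit line is constructed, and all function names are mine.

```python
"""Triage seccomp kills from firejail's monitor line and kernel audit records.
Added example; Linux constants assumed (audit arch values, SIGSYS == 31)."""
import re

# Partial x86_64 syscall table (assumed subset of the Linux x86_64 ABI).
X86_64_SYSCALLS = {
    0: "read", 1: "write", 2: "open", 101: "ptrace", 103: "syslog",
    155: "pivot_root", 161: "chroot", 165: "mount", 166: "umount2",
    167: "swapon", 168: "swapoff", 169: "reboot", 172: "iopl", 173: "ioperm",
    175: "init_module", 176: "delete_module", 246: "kexec_load",
    298: "perf_event_open", 304: "open_by_handle_at", 313: "finit_module",
    320: "kexec_file_load",
}
# Partial i386 table for compat=1 records (same caveat).
I386_SYSCALLS = {21: "mount", 26: "ptrace", 52: "umount2", 61: "chroot"}
AUDIT_ARCH = {0xC000003E: ("x86_64", X86_64_SYSCALLS),
              0x40000003: ("i386", I386_SYSCALLS)}

LINUX_SIGSYS = 31  # signal delivered for SECCOMP_RET_KILL on Linux
LINUX_SIGNALS = {6: "SIGABRT", 9: "SIGKILL", 11: "SIGSEGV", 31: "SIGSYS"}

# irregulator's reduced --seccomp.drop list, copied from the issue, and the
# default it approximates: per the comment, the same list plus "mount".
REDUCED_DROP = (
    "umount2,ptrace,kexec_load,kexec_file_load,open_by_handle_at,init_module,"
    "finit_module,delete_module,iopl,ioperm,swapon,swapoff,syslog,"
    "process_vm_readv,process_vm_writev,sysfs,_sysctl,adjtimex,clock_adjtime,"
    "lookup_dcookie,perf_event_open,fanotify_init,kcmp,add_key,request_key,"
    "keyctl,uselib,acct,modify_ldt,pivot_root,io_setup,io_destroy,io_getevents,"
    "io_submit,io_cancel,remap_file_pages,mbind,get_mempolicy,set_mempolicy,"
    "migrate_pages,move_pages,vmsplice,chroot,tuxcall,reboot,nfsservctl,"
    "get_kernel_syms"
).split(",")
DEFAULT_DROP = REDUCED_DROP + ["mount"]

# Sample input: the first line is the audit record from the issue; the second
# is a constructed i386 record for a ptrace() kill (not from the page).
SAMPLE_LINES = [
    'type=SECCOMP msg=audit(1462106848.449:3321): auid=1000 uid=1000 gid=1000 '
    'ses=1 pid=10502 comm="icedove" exe="/usr/lib/icedove/icedove" sig=31 '
    'arch=c000003e syscall=165 compat=0 ip=0x7f0b02be866a code=0x0',
    'type=SECCOMP msg=audit(1462106900.000:3400): auid=1000 uid=1000 gid=1000 '
    'ses=1 pid=10600 comm="example32" exe="/tmp/example32" sig=31 '
    'arch=40000003 syscall=26 compat=1 ip=0xf7fd5b49 code=0x0',
]


def decode_wait_status(status):
    """Decode a raw Linux wait(2) status, e.g. the 'status 31' firejail prints."""
    termsig = status & 0x7F  # low 7 bits: terminating signal, 0 if exited
    if termsig == 0:
        return {"state": "exited", "code": (status >> 8) & 0xFF,
                "signal": None, "seccomp_kill": False}
    return {"state": "signaled", "code": None,
            "signal": LINUX_SIGNALS.get(termsig, f"signal {termsig}"),
            "seccomp_kill": termsig == LINUX_SIGSYS}


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_STAMP = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_seccomp_audit(line):
    """Parse one type=SECCOMP audit record; other record types yield None."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    if fields.get("type") != "SECCOMP":
        return None
    arch_name, table = AUDIT_ARCH.get(int(fields["arch"], 16), ("unknown", {}))
    nr, sig = int(fields["syscall"]), int(fields["sig"])
    stamp = _STAMP.match(fields.get("msg", ""))
    return {
        "time": float(stamp.group(1)) if stamp else None,
        "serial": int(stamp.group(2)) if stamp else None,
        "pid": int(fields["pid"]), "comm": fields["comm"], "exe": fields["exe"],
        "arch": arch_name, "syscall_nr": nr,
        "syscall": table.get(nr, f"nr{nr}"),  # fall back to the raw number
        "signal": LINUX_SIGNALS.get(sig, f"signal {sig}"),
        "seccomp_kill": sig == LINUX_SIGSYS,
    }


def explain(record, drop_list):
    """State whether the offending syscall is in the given drop list."""
    verdict = "is" if record["syscall"] in drop_list else "is NOT"
    return (f"{record['comm']} pid {record['pid']} ({record['arch']}): "
            f"{record['signal']} on {record['syscall']}, which {verdict} in the drop list")


def triage(lines, drop_list):
    """Explain every SECCOMP record in an iterable of audit log lines."""
    return [explain(r, drop_list) for r in map(parse_seccomp_audit, lines) if r]
```

`decode_wait_status(31)` reports a process killed by SIGSYS, which is what a seccomp kill looks like before any audit record is consulted, and `triage(SAMPLE_LINES, DEFAULT_DROP)` turns the page's audit line into "icedove pid 10502 (x86_64): SIGSYS on mount, which is in the drop list"; run against `REDUCED_DROP` instead, the same record reports `mount` as not dropped, which is the difference irregulator's command line exploits. Feeding `ausearch -m SECCOMP` output through `triage` works the same way, as long as the syscall tables cover the numbers you see.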

@netblue30 commented on GitHub (May 1, 2016):

Moving the discussion here: https://github.com/netblue30/firejail/issues/494


@Wadkar07 commented on GitHub (May 22, 2018):

Hey, hello.
I am new to Linux and GitHub. I am using Parrot Sec OS and I am facing a problem with firejail:

```
Reading profile /etc/firejail/wine.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Parent pid 12326, child pid 12327
Child process initialized in 778.40 ms
Usage: wine PROGRAM [ARGUMENTS...] Run the specified program
wine --help Display this help and exit
wine --version Output version information and exit

Parent is shutting down, bye...
```
