[GH-ISSUE #482] private-dev breaks gpg? #342

Closed
opened 2026-05-05 05:37:58 -06:00 by gitea-mirror · 10 comments

Originally created by @chiraag-nataraj on GitHub (Apr 26, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/482

This seems really odd, since this didn't happen prior to gpg 2.1. Basically, when I go to use gpg with mutt, I have to disable `private-dev`. Otherwise, gpg fails to work and says "No private key found" or something similar to that. I'm just curious as to why `private-dev` affects gpg when the gpg man page, the gpg-agent man page, and the pinentry man page all don't mention /dev at all.

gitea-mirror closed this issue and added the bug label (2026-05-05 05:37:58 -06:00)

@netblue30 commented on GitHub (Apr 27, 2016):

Under /dev I allow /dev/random and /dev/urandom. Are you also using --private-etc?


@chiraag-nataraj commented on GitHub (Apr 27, 2016):

Yeah, I'm also using --private-etc. Here's my complete profile:

```
# Necessary to get Mutt working
whitelist ${HOME}/.mutt
whitelist ${HOME}/.muttrc
whitelist ${HOME}/.signatures
whitelist ${HOME}/.mailcap
whitelist ${HOME}/sent
whitelist ${HOME}/.mutt_cache
whitelist ${HOME}/Mail
whitelist ${HOME}/.gnupg

# To store files
whitelist ${HOME}/Downloads

# Enhance security

private-bin sh,mutt,mutt_dotlock,bash,emacsclient,elinks,gpg,gpg-agent,pinentry
# private-dev
private-etc Muttrc.d/,Muttrc,alternatives/,resolv.conf,ssl/,mime.types
noroot
caps.drop all
seccomp.keep open,access,prctl,fstat,mmap,write,read,close,munmap,chown,unshare,fcntl,execve,brk,mprotect,arch_prctl,getpid,getuid,getgid,geteuid,getegid,rt_sigprocmask,rt_sigaction,uname,stat,getppid,getpgrp,getrlimit,getpeername,set_tid_address,set_robust_list,futex,getrusage,umask,ioctl,socket,connect,lseek,getsid,pipe,clone,dup2,wait4,openat,rt_sigreturn,getdents,exit_group,faccessat,lstat,pread64,pwrite64,ftruncate,select,unlink,mkdir,link,rmdir,alarm,readlink,sendto,fdatasync,recvfrom,chmod,getcwd,setrlimit,utime,mlock,clock_gettime,setresgid,chdir,fsync,nanosleep,poll,sendmmsg,bind,getsockname,recvmsg,writev,mremap,rename,truncate,sched_yield,sysinfo
nogroups
```

@netblue30 commented on GitHub (Apr 27, 2016):

Comment out private-etc and give it a try - maybe they keep some files over there.


@chiraag-nataraj commented on GitHub (Apr 27, 2016):

Here's the exact output when I uncomment `private-dev` and comment `private-etc`:

```
Reading profile /home/chiraag/.config/firejail/mutt.profile
Parent pid 9687, child pid 9688

Child process initialized
gpg: encrypted with 4096-bit RSA key, ID 6B8E9623, created 2013-11-25
      "Chiraag Nataraj <chiraag.nataraj@gmail.com>"
gpg: public key decryption failed: Invalid IPC response
gpg: decryption failed: No secret key
Waiting for Emacs...
Mailbox is unchanged.

parent is shutting down, bye...
```
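The thread narrows the cause down by toggling `private-dev`, `private-etc`, `private-bin` and `seccomp.keep` one at a time. An added example, not from the thread and not part of firejail or GnuPG: trace the jailed command instead and list which paths under `/dev`, `/etc` or a unix-socket directory it tried to reach and which of those were absent inside the sandbox (`ENOENT`). That turns "gpg says Invalid IPC response" into "gpg could not open X", which is exactly what a `private-*` list needs to provide. The `strace` invocation in the comment, the file name `gpg.trace`, and every trace line in `SAMPLE_TRACE` are constructed for illustration, not captured from the reporter's system; the profile's seccomp filter may block `ptrace`, so run the trace with seccomp relaxed for that one session.

```shell
#!/bin/sh
# Added example (not from the issue thread or from firejail).
# Capture a trace of the sandboxed program once, e.g. (assumed invocation):
#   firejail --profile=mutt.profile strace -f -e trace=openat,connect -o gpg.trace gpg --decrypt msg.asc
# then ask which /dev nodes, /etc files or unix sockets it touched and which
# were missing inside the jail. Failed opens of absent nodes show up as ENOENT.

# CONSTRUCTED sample strace output; paths and descriptor numbers are illustrative.
SAMPLE_TRACE='openat(AT_FDCWD, "/dev/urandom", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/tty", O_RDWR|O_NOCTTY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/gnupg/gpg.conf", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
connect(4, {sa_family=AF_UNIX, sun_path="/home/user/.gnupg/S.gpg-agent"}, 31) = 0
openat(AT_FDCWD, "/home/user/.gnupg/pubring.kbx", O_RDONLY|O_CLOEXEC) = 5'

# touched_paths PREFIX [FILE]
# Prints "<path> ok" or "<path> missing" for every openat()/connect() whose
# path starts with PREFIX. Reads the trace from FILE, or from $SAMPLE_TRACE
# when no file is given so the example runs stand-alone.
touched_paths() {
  prefix="$1"
  { if [ -n "$2" ]; then cat -- "$2"; else printf '%s\n' "$SAMPLE_TRACE"; fi; } |
  awk -v p="$prefix" -F'"' '
    # $2 is the first double-quoted string on the line: the path argument of
    # openat() or the sun_path of an AF_UNIX connect().
    NF >= 3 && index($2, p) == 1 {
      status = ($0 ~ /ENOENT/) ? "missing" : "ok"
      print $2, status
    }'
}

# missing_count PREFIX [FILE]
# Number of paths under PREFIX that did not exist inside the sandbox. A
# non-zero result names something the private-dev / private-etc list (or a
# whitelist) has to provide before the program can work in the jail.
missing_count() {
  touched_paths "$@" | awk '/ missing$/ { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample:
echo "paths under /dev:"; touched_paths /dev
echo "missing under /dev: $(missing_count /dev)"
echo "missing under /etc: $(missing_count /etc)"
```

With a real trace, call `touched_paths /dev gpg.trace` and `missing_count /etc gpg.trace`; anything reported as `missing` is either a node or file the profile must add, or a socket path that lives under a directory the whitelist does not cover.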

@netblue30 commented on GitHub (Apr 28, 2016):

Let's mark it as a bug, I'll try to look into it.


@chiraag-nataraj commented on GitHub (May 4, 2016):

Okay it works with the latest firejail update. I'm going to go ahead and close this.


@chiraag-nataraj commented on GitHub (May 5, 2016):

Never mind...I spoke too soon. It's still an issue with the latest rc.


@vn971 commented on GitHub (Jul 31, 2016):

Maybe it's just because of `private-bin` or `seccomp.keep`?


@chiraag-nataraj commented on GitHub (Aug 7, 2016):

Nope. `private-bin` is not the issue (I've commented it out before with no change). `seccomp.keep` yields the same results.


@chiraag-nataraj commented on GitHub (Mar 28, 2017):

Okay...this is interesting. Somewhere along the way, I ended up using a different `gpg-agent`. I don't know if it's a result of some change in `firejail` or the change in `gpg-agent`, but this works now. I'll go ahead and close it.
