[GH-ISSUE #6968] ssh: cannot connect to dbus-system com.intel.tss2.TctiTabrmd #3438

Open
opened 2026-05-05 09:59:59 -06:00 by gitea-mirror · 3 comments

Originally created by @qdii on GitHub (Nov 20, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6968

Description

Real security nerds store their SSH credentials on their TPM so that they cannot be extracted from their computers.

When an SSH connection is started, the ssh client connects to tpm2-abrmd service over the DBUS interface com.intel.tss2.TctiTabrmd, specifically the CreateConnection member, in order to use the TPM.

Steps to Reproduce

Steps to reproduce the behavior

  1. Configure the TPM2 Access Broker & Resource Manager daemon
  2. Set up your SSH credentials in the TPM
  3. Use ssh to connect to a machine

Expected behavior

The SSH connection succeeds

Actual behavior

ssh fails with the following error:

❯ ssh wrg

** (process:4): CRITICAL **: 18:43:04.180: failed to allocate dbus proxy object: Could not connect: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tcm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:617:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:263:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI 
WARNING: Listing FAPI token objects failed: "tcti:IO failure"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.2/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.

** (process:4): CRITICAL **: 18:43:04.182: failed to allocate dbus proxy object: Could not connect: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tcm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:617:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:263:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5
ERROR: Getting tokens from esysdb backend failed.
C_Initialize for provider /usr/lib/libtpm2_pkcs11.so failed: 5

Behavior without a profile

The connection is established correctly

Additional context

Any other detail that may help to understand/debug the problem

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.17.8-arch1-1 x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"): openssh 10.2p1-2
  • Version of Firejail (firejail --version): 0.9.76
  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD):

Checklist

  • [x] I am using a supported version of firejail
  • [x] I am using the full program path (e.g. firejail /usr/bin/vlc instead of firejail vlc; see https://github.com/netblue30/firejail/issues/2877)
  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
  • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [x] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

❯ LC_ALL=C firejail ssh wrg

** (process:4): CRITICAL **: 19:52:53.060: failed to allocate dbus proxy object: Could not connect: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tcm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:617:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:263:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI 
WARNING: Listing FAPI token objects failed: "tcti:IO failure"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.2/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.

** (process:4): CRITICAL **: 19:52:53.061: failed to allocate dbus proxy object: Could not connect: Permission denied
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tcm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:617:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:263:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5
ERROR: Getting tokens from esysdb backend failed.
C_Initialize for provider /usr/lib/libtpm2_pkcs11.so failed: 5

Output of LC_ALL=C firejail --debug /path/to/program

@kmk3 commented on GitHub (Nov 21, 2025):

> • [x] I am using the full program path (e.g. firejail /usr/bin/vlc instead
>   of firejail vlc; see https://github.com/netblue30/firejail/issues/2877)
>
> LC_ALL=C firejail ssh wrg

It likely does not matter in this case, but the recommended way is:

LC_ALL=C firejail /usr/bin/ssh wrg

> When an SSH connection is started, the ssh client connects to tpm2-abrmd
> service over the DBUS interface com.intel.tss2.TctiTabrmd, specifically the
> CreateConnection member, in order to use the TPM.

Is that a user or system dbus service?

Do you know what other methods it calls (using the full path like
com.intel.tss2.TctiTabrmd.CreateConnection)?

You can use something like d-feet to inspect what it does.

Does it work with the following in ~/.config/firejail/allow-ssh.local?

ignore dbus-user none
dbus-user filter
dbus-user.talk com.intel.tss2.TctiTabrmd.*

@qdii commented on GitHub (Nov 28, 2025):

It's the dbus system bus, according to d-feet:

Image

Running dbus-monitor --system while opening an SSH connection gives me this:

❯ sudo dbus-monitor --system
[sudo] password for qdii: 
signal time=1764355472.918603 sender=org.freedesktop.DBus -> destination=:1.44 serial=4294967295 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired
   string ":1.44"
signal time=1764355472.918634 sender=org.freedesktop.DBus -> destination=:1.44 serial=4294967295 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameLost
   string ":1.44"
method call time=1764355478.922123 sender=:1.45 -> destination=org.freedesktop.DBus serial=1 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=Hello
method return time=1764355478.922145 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=1
   string ":1.45"
signal time=1764355478.922160 sender=org.freedesktop.DBus -> destination=(null destination) serial=4294967295 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameOwnerChanged
   string ":1.45"
   string ""
   string ":1.45"
signal time=1764355478.922185 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameAcquired
   string ":1.45"
method call time=1764355478.922728 sender=:1.45 -> destination=org.freedesktop.DBus serial=2 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=AddMatch
   string "type='signal',sender='org.freedesktop.DBus',interface='org.freedesktop.DBus',member='NameOwnerChanged',path='/org/freedesktop/DBus',arg0='com.intel.tss2.Tabrmd'"
method return time=1764355478.922741 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=2
method call time=1764355478.922760 sender=:1.45 -> destination=org.freedesktop.DBus serial=3 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetNameOwner
   string "com.intel.tss2.Tabrmd"
method return time=1764355478.922788 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=3
   string ":1.34"
method call time=1764355478.922797 sender=:1.45 -> destination=org.freedesktop.DBus serial=4 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=AddMatch
   string "type='signal',sender='com.intel.tss2.Tabrmd',interface='org.freedesktop.DBus.Properties',member='PropertiesChanged',path='/com/intel/tss2/Tabrmd/Tcti',arg0='com.intel.tss2.TctiTabrmd'"
method return time=1764355478.922808 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=4
method call time=1764355478.922814 sender=:1.45 -> destination=org.freedesktop.DBus serial=5 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=AddMatch
   string "type='signal',sender='com.intel.tss2.Tabrmd',interface='com.intel.tss2.TctiTabrmd',path='/com/intel/tss2/Tabrmd/Tcti'"
method return time=1764355478.922835 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=5
method call time=1764355478.922842 sender=:1.45 -> destination=org.freedesktop.DBus serial=6 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=StartServiceByName
   string "com.intel.tss2.Tabrmd"
   uint32 0
method return time=1764355478.922853 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=6
   uint32 2
method call time=1764355478.922939 sender=:1.45 -> destination=org.freedesktop.DBus serial=7 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetNameOwner
   string "com.intel.tss2.Tabrmd"
method return time=1764355478.922964 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=7
   string ":1.34"
method call time=1764355478.923214 sender=:1.45 -> destination=:1.34 serial=8 path=/com/intel/tss2/Tabrmd/Tcti; interface=org.freedesktop.DBus.Properties; member=GetAll
   string "com.intel.tss2.TctiTabrmd"
method return time=1764355478.923426 sender=:1.34 -> destination=:1.45 serial=34 reply_serial=8
   array [
   ]
method call time=1764355478.923637 sender=:1.45 -> destination=:1.34 serial=9 path=/com/intel/tss2/Tabrmd/Tcti; interface=com.intel.tss2.TctiTabrmd; member=CreateConnection
method call time=1764355478.923791 sender=:1.34 -> destination=org.freedesktop.DBus serial=35 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixProcessID
   string ":1.45"
method return time=1764355478.923800 sender=org.freedesktop.DBus -> destination=:1.34 serial=4294967295 reply_serial=35
   uint32 14412
method return time=1764355478.924092 sender=:1.34 -> destination=:1.45 serial=36 reply_serial=9
   uint64 227077890083923995
method call time=1764355478.932804 sender=:1.45 -> destination=org.freedesktop.DBus serial=10 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=StartServiceByName
   string "com.intel.tss2.Tabrmd"
   uint32 0
method return time=1764355478.932847 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=10
   uint32 2
method call time=1764355478.933051 sender=:1.45 -> destination=org.freedesktop.DBus serial=11 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetNameOwner
   string "com.intel.tss2.Tabrmd"
method return time=1764355478.933078 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=11
   string ":1.34"
method call time=1764355478.933269 sender=:1.45 -> destination=:1.34 serial=12 path=/com/intel/tss2/Tabrmd/Tcti; interface=org.freedesktop.DBus.Properties; member=GetAll
   string "com.intel.tss2.TctiTabrmd"
method return time=1764355478.933476 sender=:1.34 -> destination=:1.45 serial=37 reply_serial=12
   array [
   ]
method call time=1764355478.933708 sender=:1.45 -> destination=:1.34 serial=13 path=/com/intel/tss2/Tabrmd/Tcti; interface=com.intel.tss2.TctiTabrmd; member=CreateConnection
method call time=1764355478.933967 sender=:1.34 -> destination=org.freedesktop.DBus serial=38 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixProcessID
   string ":1.45"
method return time=1764355478.933975 sender=org.freedesktop.DBus -> destination=:1.34 serial=4294967295 reply_serial=38
   uint32 14412
method return time=1764355478.934123 sender=:1.34 -> destination=:1.45 serial=39 reply_serial=13
   uint64 16896891746209829678
method call time=1764355478.952541 sender=:1.45 -> destination=org.freedesktop.DBus serial=14 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=StartServiceByName
   string "com.intel.tss2.Tabrmd"
   uint32 0
method return time=1764355478.952551 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=14
   uint32 2
method call time=1764355478.952788 sender=:1.45 -> destination=org.freedesktop.DBus serial=15 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetNameOwner
   string "com.intel.tss2.Tabrmd"
method return time=1764355478.952795 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=15
   string ":1.34"
method call time=1764355478.953013 sender=:1.45 -> destination=:1.34 serial=16 path=/com/intel/tss2/Tabrmd/Tcti; interface=org.freedesktop.DBus.Properties; member=GetAll
   string "com.intel.tss2.TctiTabrmd"
method return time=1764355478.953265 sender=:1.34 -> destination=:1.45 serial=40 reply_serial=16
   array [
   ]
method call time=1764355478.953560 sender=:1.45 -> destination=:1.34 serial=17 path=/com/intel/tss2/Tabrmd/Tcti; interface=com.intel.tss2.TctiTabrmd; member=CreateConnection
method call time=1764355478.953771 sender=:1.34 -> destination=org.freedesktop.DBus serial=41 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixProcessID
   string ":1.45"
method return time=1764355478.953778 sender=org.freedesktop.DBus -> destination=:1.34 serial=4294967295 reply_serial=41
   uint32 14412
method return time=1764355478.954007 sender=:1.34 -> destination=:1.45 serial=42 reply_serial=17
   uint64 3222664257757946534
signal time=1764355479.552806 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameLost
   string ":1.45"
signal time=1764355479.552839 sender=org.freedesktop.DBus -> destination=(null destination) serial=4294967295 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=NameOwnerChanged
   string ":1.45"
   string ":1.45"
   string ""
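
Added example (not part of the thread and not firejail's own code): a parser for the dbus-monitor text format in the capture above. It resolves unique names such as :1.34 to the well-known name through the GetNameOwner replies, lists the distinct method calls one client makes, and prints them in the shape of firejail's dbus-system.call profile lines. The sample is a trimmed excerpt of the posted capture, the function names are hypothetical, and the emitted lines are untested candidates rather than a confirmed fix.

```python
import re

# Trimmed excerpt of the dbus-monitor capture posted in the thread.
SAMPLE = """\
method call time=1764355478.922123 sender=:1.45 -> destination=org.freedesktop.DBus serial=1 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=Hello
method return time=1764355478.922145 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=1
   string ":1.45"
method call time=1764355478.922760 sender=:1.45 -> destination=org.freedesktop.DBus serial=3 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetNameOwner
   string "com.intel.tss2.Tabrmd"
method return time=1764355478.922788 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=3
   string ":1.34"
method call time=1764355478.923214 sender=:1.45 -> destination=:1.34 serial=8 path=/com/intel/tss2/Tabrmd/Tcti; interface=org.freedesktop.DBus.Properties; member=GetAll
   string "com.intel.tss2.TctiTabrmd"
method call time=1764355478.923637 sender=:1.45 -> destination=:1.34 serial=9 path=/com/intel/tss2/Tabrmd/Tcti; interface=com.intel.tss2.TctiTabrmd; member=CreateConnection
method call time=1764355478.923791 sender=:1.34 -> destination=org.freedesktop.DBus serial=35 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixProcessID
   string ":1.45"
method call time=1764355478.933708 sender=:1.45 -> destination=:1.34 serial=13 path=/com/intel/tss2/Tabrmd/Tcti; interface=com.intel.tss2.TctiTabrmd; member=CreateConnection
"""

BUS = "org.freedesktop.DBus"  # the bus daemon itself, not a service

# One header line per message; path/interface/member are absent on replies.
HEADER = re.compile(
    r"^(?P<kind>method call|method return|signal) time=\S+ "
    r"sender=(?P<sender>\S+) -> destination=(?P<dest>.+?) serial=(?P<serial>\d+)"
    r"(?: reply_serial=(?P<reply>\d+))?"
    r"(?: path=(?P<path>[^;]+); interface=(?P<iface>[^;]+); member=(?P<member>\S+))?\s*$"
)
# Only string arguments are needed here (names passed to / returned by the bus).
ARG = re.compile(r'^\s+string "(?P<value>.*)"\s*$')


def parse(text):
    """Turn dbus-monitor text into a list of message dicts with string args."""
    messages = []
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            msg = header.groupdict()
            msg["args"] = []
            messages.append(msg)
            continue
        arg = ARG.match(line)
        if arg and messages:
            messages[-1]["args"].append(arg.group("value"))
    return messages


def name_owners(messages):
    """Map unique names (:1.34) to well-known names using GetNameOwner replies."""
    pending = {}  # (caller, call serial) -> well-known name asked about
    owners = {}
    for m in messages:
        if (m["kind"] == "method call" and m["dest"] == BUS
                and m["member"] == "GetNameOwner" and m["args"]):
            pending[(m["sender"], m["serial"])] = m["args"][0]
        elif m["kind"] == "method return" and m["sender"] == BUS and m["args"]:
            asked = pending.pop((m["dest"], m["reply"]), None)
            if asked:
                owners[m["args"][0]] = asked
    return owners


def client_calls(messages, client):
    """Distinct (name, path, interface, member) calls made by one client."""
    owners = name_owners(messages)
    seen = []
    for m in messages:
        if m["kind"] != "method call" or m["sender"] != client:
            continue
        call = (owners.get(m["dest"], m["dest"]), m["path"], m["iface"], m["member"])
        if call not in seen:
            seen.append(call)
    return seen


def candidate_rules(calls):
    """Format service calls as firejail dbus-system.call lines (candidates only)."""
    lines = ["dbus-system filter"]
    for name, path, iface, member in calls:
        if name == BUS or name.startswith(":"):
            continue  # skip the bus daemon and any unresolved unique name
        lines.append(f"dbus-system.call {name}={iface}.{member}@{path}")
    return lines


if __name__ == "__main__":
    # ":1.45" is the connection that sends Hello in the capture (the ssh client).
    print("\n".join(candidate_rules(client_calls(parse(SAMPLE), ":1.45"))))
```

The resolved bus name is com.intel.tss2.Tabrmd, while com.intel.tss2.TctiTabrmd is the interface served at /com/intel/tss2/Tabrmd/Tcti, so a filter rule has to name the former.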


@qdii commented on GitHub (Nov 28, 2025):

I have tried this so far:

❯ cat .config/firejail/allow-ssh.local
ignore dbus-system none
dbus-system filter
dbus-system.talk org.freedesktop.DBus
dbus-system.talk com.intel.tss2.Tabrmd

But I get this:

❯ ssh ovi

** (process:4): WARNING **: 20:14:32.711: Failed to create connection with service: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tcm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:617:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:263:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI 
WARNING: Listing FAPI token objects failed: "tcti:IO failure"
Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.2/docs/FAPI.md for more details
WARNING: FAPI backend was not initialized.

** (process:4): WARNING **: 20:14:32.715: Failed to create connection with service: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-tabrmd.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpmrm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tpm0: Permission denied 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
ERROR:tcti:src/tss2-tcti/tcti-device.c:455:Tss2_Tcti_Device_Init() Failed to open specified TCTI device file /dev/tcm0: No such file or directory 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-device.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tcti-swtpm.c:617:Tss2_Tcti_Swtpm_Init() Cannot connect to swtpm TPM socket 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-swtpm.so.0 
WARNING:tcti:src/util-io/io.c:262:socket_connect() Failed to connect to host 127.0.0.1, port 2321: errno 111: Connection refused 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:149:tcti_from_file() Could not initialize TCTI file: libtss2-tcti-mssim.so.0 
ERROR:tcti:src/tss2-tcti/tctildr-dl.c:263:tctildr_get_default() No standard TCTI could be loaded 
ERROR:tcti:src/tss2-tcti/tctildr.c:477:tctildr_init_context_data() Failed to instantiate TCTI 
ERROR: Could not initialize tpm ctx: 0x5
ERROR: Getting tokens from esysdb backend failed.
C_Initialize for provider /usr/lib/libtpm2_pkcs11.so failed: 5
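
Added example, not part of the original comments: a small parser that reads `dbus-monitor --system` output, lists the calls one client connection made with unique names such as `:1.34` resolved through `GetNameOwner` replies, and checks the addressed bus names against the `dbus-system.talk` lines of a firejail profile. The function names are hypothetical; the trace excerpt and profile are copied from this thread, with the trace re-broken into dbus-monitor's usual line layout.

```python
import re

# Excerpt of the thread's trace: one header line per message, then indented argument lines.
TRACE = '''method call time=1764355478.922760 sender=:1.45 -> destination=org.freedesktop.DBus serial=3 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetNameOwner
   string "com.intel.tss2.Tabrmd"
method return time=1764355478.922788 sender=org.freedesktop.DBus -> destination=:1.45 serial=4294967295 reply_serial=3
   string ":1.34"
method call time=1764355478.923637 sender=:1.45 -> destination=:1.34 serial=9 path=/com/intel/tss2/Tabrmd/Tcti; interface=com.intel.tss2.TctiTabrmd; member=CreateConnection
method call time=1764355478.923791 sender=:1.34 -> destination=org.freedesktop.DBus serial=35 path=/org/freedesktop/DBus; interface=org.freedesktop.DBus; member=GetConnectionUnixProcessID
   string ":1.45"
'''
# The allow-ssh.local lines quoted in the comment above.
PROFILE = '''ignore dbus-system none
dbus-system filter
dbus-system.talk org.freedesktop.DBus
dbus-system.talk com.intel.tss2.Tabrmd
'''
CALL = re.compile(r'^method call .*?sender=(?P<sender>\S+) -> destination=(?P<dest>\S+) serial=(?P<serial>\d+) '
                  r'path=(?P<path>[^;]+); interface=(?P<iface>[^;]+); member=(?P<member>\S+)')
RETURN = re.compile(r'^method return .*?-> destination=(?P<dest>\S+) .*?reply_serial=(?P<reply>\d+)')
STRING = re.compile(r'^\s+string "(?P<val>[^"]*)"')

def client_calls(trace, client):
    """Sorted (bus name, interface, member, path) of each call sent by `client`, unique names resolved."""
    owners, asked, calls, want = {}, {}, [], None
    for line in trace.splitlines():
        if m := CALL.match(line):
            calls.append(m.groupdict())
            # Serials are per connection, so a GetNameOwner query is keyed on (sender, serial).
            want = ('name', (m['sender'], m['serial'])) if m['member'] == 'GetNameOwner' else None
        elif m := RETURN.match(line):
            name = asked.pop((m['dest'], m['reply']), None)
            want = ('owner', name) if name else None
        elif (m := STRING.match(line)) and want:
            if want[0] == 'name':
                asked[want[1]] = m['val']       # well-known name being looked up
            else:
                owners[m['val']] = want[1]      # unique name -> well-known name
            want = None
        else:
            want = None
    return sorted({(owners.get(c['dest'], c['dest']), c['iface'], c['member'], c['path'])
                   for c in calls if c['sender'] == client})

def talk_names(profile):
    """Bus names granted by dbus-system.talk lines in a firejail profile."""
    return {p[1] for p in map(str.split, profile.splitlines())
            if len(p) == 2 and p[0] == 'dbus-system.talk'}

def uncovered(trace, client, profile):
    """Bus names the client addressed that no dbus-system.talk line names."""
    return {c[0] for c in client_calls(trace, client)} - talk_names(profile)

print(client_calls(TRACE, ':1.45'), uncovered(TRACE, ':1.45', PROFILE))
```

For this excerpt the uncovered set is empty: both bus names that `:1.45` addresses already appear in the profile's `dbus-system.talk` lines.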
Reference: github-starred/firejail#3438