[GH-ISSUE #7037] paths containing ".." are valid, why are they refused? #3462

Closed
opened 2026-05-05 10:00:45 -06:00 by gitea-mirror · 0 comments

Originally created by @Dieterbe on GitHub (Jan 20, 2026).
Original GitHub issue: https://github.com/netblue30/firejail/issues/7037

Description

The firejail code explicitly forbids '..' here https://github.com/netblue30/firejail/blob/master/src/firejail/fs_whitelist.c#L622
Various checks against ".." have been part of the codebase for at least 10 years. I suppose in some cases because the ".." can mean parent dir; but there are legitimate cases where filenames contain ".." (literally, no symbolism) and those break in firejail.

Steps to Reproduce

Steps to reproduce the behavior

  1. run swww-daemon with default options. It creates a file /run/user/1000/wayland-1-swww-daemon..sock which looks a bit weird, but is legal, and apparently deliberate.
  2. run ssh:
LC_ALL=C firejail /usr/bin/ssh
Error: invalid whitelist path /run/user/1000/wayland-1-swww-daemon..sock
Error: proc 124939 cannot sync with peer: unexpected EOF
Peer 124940 unexpectedly exited with status 1
  3. optional, it seems the same error can be reproduced by running other apps, e.g.:
LC_ALL=C firejail /usr/bin/flameshot
Error: invalid whitelist path /run/user/1000/wayland-1-swww-daemon..sock
Error: proc 125594 cannot sync with peer: unexpected EOF
Peer 125595 unexpectedly exited with status 1

Expected behavior

don't error and run ssh (or flameshot) as expected

Actual behavior

errors, see above

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?

Works fine:

~ ❯❯❯ LC_ALL=C firejail --noprofile /usr/bin/ssh
firejail version 0.9.78

Parent pid 126418, child pid 126419
Base filesystem installed in 1.27 ms
Child process initialized in 16.86 ms
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]
           [-c cipher_spec] [-D [bind_address:]port] [-E log_file]
           [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
           [-J destination] [-L address] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-P tag] [-p port] [-R address]
           [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
           destination [command [argument ...]]
       ssh [-Q query_option]

Parent is shutting down, bye...
~ ❯❯❯ LC_ALL=C firejail --noprofile /usr/bin/flameshot
firejail version 0.9.78

Parent pid 126557, child pid 126558
Base filesystem installed in 0.39 ms
Child process initialized in 5.96 ms
Detected locale "C" with character encoding "ANSI_X3.4-1968", which is not UTF-8.
Qt depends on a UTF-8 locale, and has switched to "C.UTF-8" instead.
If this causes problems, reconfigure your locale. See the locale(1) manual
for more information.
"No Flameshot translation found for C"
"No Qt translation found for C"
"No Flameshot translation found for C"
"No Qt translation found for C"
^C
Parent received signal 2, shutting down the child process...

Child received signal 2, shutting down the sandbox...

Parent is shutting down, bye...

Additional context

Any other detail that may help to understand/debug the problem

Environment

Linux 6.18.5-arch1-1 x86_64
Arch Linux (btw)
flameshot 13.3.0-2
firejail 0.9.78-1

Checklist

  • I am using firejail 0.9.78 or later
  • I am using the full program path (e.g. firejail /usr/bin/vlc instead of firejail vlc; see https://github.com/netblue30/firejail/issues/2877)
  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Error: invalid whitelist path /run/user/1000/wayland-1-swww-daemon..sock
Error: proc 128723 cannot sync with peer: unexpected EOF
Peer 128724 unexpectedly exited with status 1

Output of LC_ALL=C firejail --debug /path/to/program

Looking for kernel processes
Found kthreadd process, we are not running in a sandbox
pid=129125: locking /run/firejail/firejail-run.lock ...
pid=129125: locked /run/firejail/firejail-run.lock
pid=129125: unlocking /run/firejail/firejail-run.lock ...
pid=129125: unlocked /run/firejail/firejail-run.lock
Building quoted command line: '/usr/bin/ssh' 
Command name #ssh#
Found ssh.profile profile in /etc/firejail directory
Reading profile /etc/firejail/ssh.profile
Found ssh.local profile in /home/dieter/.config/firejail directory
Reading profile /home/dieter/.config/firejail/ssh.local
Cannot access .local file globals.local: No such file or directory, skipping...
Found allow-ssh.inc profile in /etc/firejail directory
Reading profile /etc/firejail/allow-ssh.inc
Cannot access .local file allow-ssh.local: No such file or directory, skipping...
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Cannot access .local file disable-common.local: No such file or directory, skipping...
Found disable-exec.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-exec.inc
Cannot access .local file disable-exec.local: No such file or directory, skipping...
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Cannot access .local file disable-programs.local: No such file or directory, skipping...
Found whitelist-runuser-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-runuser-common.inc
Cannot access .local file whitelist-runuser-common.local: No such file or directory, skipping...
Found whitelist-usr-share-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Cannot access .local file whitelist-usr-share-common.local: No such file or directory, skipping...
[profile] combined protocol list: "unix,inet,inet6"
firejail version 0.9.78

pid=129125: locking /run/firejail/firejail-run.lock ...
pid=129125: locked /run/firejail/firejail-run.lock
DISPLAY=:1 parsed as 1
pid=129125: unlocking /run/firejail/firejail-run.lock ...
pid=129125: unlocked /run/firejail/firejail-run.lock
Enabling IPC namespace
Using the local network stack
Parent pid 129125, child pid 129126
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 1000, force_nogroups 1
No supplementary groups
Drop privileges: pid 3, uid 1000, gid 1000, force_nogroups 0
nogroups command not ignored
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
3560 3524 0:28 /@/etc /etc ro,relatime master:1 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=256,subvol=/@
mountid=3560 fsname=/@/etc dir=/etc fstype=btrfs
Mounting noexec /etc
3561 3560 0:28 /@/etc /etc ro,nosuid,nodev,noexec,relatime master:1 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=256,subvol=/@
mountid=3561 fsname=/@/etc dir=/etc fstype=btrfs
Mounting read-only /var
3564 3562 0:28 /@log /var/log rw,relatime master:166 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=258,subvol=/@log
mountid=3564 fsname=/@log dir=/var/log fstype=btrfs
Mounting read-only /var/cache/pacman/pkg
3565 3563 0:28 /@pkg /var/cache/pacman/pkg ro,relatime master:161 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=259,subvol=/@pkg
mountid=3565 fsname=/@pkg dir=/var/cache/pacman/pkg fstype=btrfs
Mounting read-only /var/log
3566 3564 0:28 /@log /var/log ro,relatime master:166 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=258,subvol=/@log
mountid=3566 fsname=/@log dir=/var/log fstype=btrfs
Mounting noexec /var
3571 3570 0:28 /@log /var/log ro,relatime master:166 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=258,subvol=/@log
mountid=3571 fsname=/@log dir=/var/log fstype=btrfs
Mounting noexec /var/cache/pacman/pkg
3572 3569 0:28 /@pkg /var/cache/pacman/pkg ro,nosuid,nodev,noexec,relatime master:161 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=259,subvol=/@pkg
mountid=3572 fsname=/@pkg dir=/var/cache/pacman/pkg fstype=btrfs
Mounting noexec /var/log
3573 3571 0:28 /@log /var/log ro,nosuid,nodev,noexec,relatime master:166 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=258,subvol=/@log
mountid=3573 fsname=/@log dir=/var/log fstype=btrfs
Mounting read-only /usr
3574 3524 0:28 /@/usr /usr ro,relatime master:1 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,discard=async,space_cache=v2,subvolid=256,subvol=/@
mountid=3574 fsname=/@/usr dir=/usr fstype=btrfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/cache/lighttpd
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/dieter/.config/firejail
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting tmpfs on /dev
Globbing /run/firejail/mnt/dev/snd on /dev/snd (type=sound)
skipping /run/firejail/mnt/dev/snd on /dev/snd due to its type (type=sound)
Globbing /run/firejail/mnt/dev/dri on /dev/dri (type=3d)
skipping /run/firejail/mnt/dev/dri on /dev/dri due to its type (type=3d)
Globbing /run/firejail/mnt/dev/kfd on /dev/kfd (type=3d)
No match /run/firejail/mnt/dev/kfd (type=3d)
Globbing /run/firejail/mnt/dev/nvidia[0-9]* on /dev/nvidia[0-9]* (type=3d)
skipping /run/firejail/mnt/dev/nvidia0 on /dev/nvidia0 due to its type (type=3d)
Globbing /run/firejail/mnt/dev/nvidiactl on /dev/nvidiactl (type=3d)
skipping /run/firejail/mnt/dev/nvidiactl on /dev/nvidiactl due to its type (type=3d)
Globbing /run/firejail/mnt/dev/nvidia-modeset on /dev/nvidia-modeset (type=3d)
skipping /run/firejail/mnt/dev/nvidia-modeset on /dev/nvidia-modeset due to its type (type=3d)
Globbing /run/firejail/mnt/dev/nvidia-uvm on /dev/nvidia-uvm (type=3d)
skipping /run/firejail/mnt/dev/nvidia-uvm on /dev/nvidia-uvm due to its type (type=3d)
Globbing /run/firejail/mnt/dev/video[0-9]* on /dev/video[0-9]* (type=video)
skipping /run/firejail/mnt/dev/video0 on /dev/video0 due to its type (type=video)
skipping /run/firejail/mnt/dev/video1 on /dev/video1 due to its type (type=video)
skipping /run/firejail/mnt/dev/video2 on /dev/video2 due to its type (type=video)
skipping /run/firejail/mnt/dev/video3 on /dev/video3 due to its type (type=video)
Globbing /run/firejail/mnt/dev/dvb on /dev/dvb (type=tv)
No match /run/firejail/mnt/dev/dvb (type=tv)
Globbing /run/firejail/mnt/dev/sr[0-9]* on /dev/sr[0-9]* (type=dvd)
No match /run/firejail/mnt/dev/sr[0-9]* (type=dvd)
Globbing /run/firejail/mnt/dev/tcm[0-9]* on /dev/tcm[0-9]* (type=tpm)
No match /run/firejail/mnt/dev/tcm[0-9]* (type=tpm)
Globbing /run/firejail/mnt/dev/tcmrm[0-9]* on /dev/tcmrm[0-9]* (type=tpm)
No match /run/firejail/mnt/dev/tcmrm[0-9]* (type=tpm)
Globbing /run/firejail/mnt/dev/tpm[0-9]* on /dev/tpm[0-9]* (type=tpm)
mounting /run/firejail/mnt/dev/tpm0 on /dev/tpm0 (type=tpm) file
Globbing /run/firejail/mnt/dev/tpmrm[0-9]* on /dev/tpmrm[0-9]* (type=tpm)
mounting /run/firejail/mnt/dev/tpmrm0 on /dev/tpmrm0 (type=tpm) file
Globbing /run/firejail/mnt/dev/hidraw[0-9]* on /dev/hidraw[0-9]* (type=u2f)
mounting /run/firejail/mnt/dev/hidraw0 on /dev/hidraw0 (type=u2f) file
mounting /run/firejail/mnt/dev/hidraw1 on /dev/hidraw1 (type=u2f) file
Globbing /run/firejail/mnt/dev/usb on /dev/usb (type=u2f)
No match /run/firejail/mnt/dev/usb (type=u2f)
Globbing /run/firejail/mnt/dev/input on /dev/input (type=input)
skipping /run/firejail/mnt/dev/input on /dev/input due to its type (type=input)
Globbing /run/firejail/mnt/dev/ntsync on /dev/ntsync (type=ntsync)
No match /run/firejail/mnt/dev/ntsync (type=ntsync)
Process /dev/shm directory
Creating empty /run/firejail/mnt/dbus directory
Creating empty /run/firejail/mnt/dbus/user file
blacklist /run/user/1000/bus
Creating empty /run/firejail/mnt/dbus/system file
blacklist /run/dbus/system_bus_socket
blacklist /run/firejail/dbus
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Creating a new /etc/hostname file
Creating empty /run/firejail/mnt/hostname file
Creating a new /etc/hosts file
Loading user hosts file
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules/6.18.5-arch1-1/build (requested /usr/src/linux)
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /proc/kmsg
Debug 588: whitelist ${RUNUSER}/ssh-agent.socket
Debug 609: expanded: /run/user/1000/ssh-agent.socket
Debug 620: new_name: /run/user/1000/ssh-agent.socket
Debug 630: dir: /run/user/1000
Adding whitelist top level directory /run/user/1000
Debug 588: whitelist ${RUNUSER}/gcr/ssh
Debug 609: expanded: /run/user/1000/gcr/ssh
Debug 620: new_name: /run/user/1000/gcr/ssh
Debug 630: dir: /run/user/1000
Debug 588: whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh
Debug 609: expanded: /run/user/1000/gnupg/*/S.gpg-agent.ssh
Debug 620: new_name: /run/user/1000/gnupg/*/S.gpg-agent.ssh
Debug 630: dir: /run/user/1000
Removed path: whitelist ${RUNUSER}/gnupg/*/S.gpg-agent.ssh
	new_name: /run/user/1000/gnupg/*/S.gpg-agent.ssh
	realpath: (null)
	No such file or directory
Debug 588: whitelist ${RUNUSER}/gnupg/S.gpg-agent.ssh
Debug 609: expanded: /run/user/1000/gnupg/S.gpg-agent.ssh
Debug 620: new_name: /run/user/1000/gnupg/S.gpg-agent.ssh
Debug 630: dir: /run/user/1000
Debug 588: whitelist ${RUNUSER}/gvfsd-sftp
Debug 609: expanded: /run/user/1000/gvfsd-sftp
Debug 620: new_name: /run/user/1000/gvfsd-sftp
Debug 630: dir: /run/user/1000
Removed path: whitelist ${RUNUSER}/gvfsd-sftp
	new_name: /run/user/1000/gvfsd-sftp
	realpath: (null)
	No such file or directory
Debug 588: whitelist ${RUNUSER}/keyring/ssh
Debug 609: expanded: /run/user/1000/keyring/ssh
Debug 620: new_name: /run/user/1000/keyring/ssh
Debug 630: dir: /run/user/1000
Removed path: whitelist ${RUNUSER}/keyring/ssh
	new_name: /run/user/1000/keyring/ssh
	realpath: (null)
	No such file or directory
Debug 588: whitelist ${RUNUSER}/bus
Debug 609: expanded: /run/user/1000/bus
Debug 620: new_name: /run/user/1000/bus
Debug 630: dir: /run/user/1000
Debug 588: whitelist ${RUNUSER}/dconf
Debug 609: expanded: /run/user/1000/dconf
Debug 620: new_name: /run/user/1000/dconf
Debug 630: dir: /run/user/1000
Debug 588: whitelist ${RUNUSER}/gdm/Xauthority
Debug 609: expanded: /run/user/1000/gdm/Xauthority
Debug 620: new_name: /run/user/1000/gdm/Xauthority
Debug 630: dir: /run/user/1000
Removed path: whitelist ${RUNUSER}/gdm/Xauthority
	new_name: /run/user/1000/gdm/Xauthority
	realpath: (null)
	No such file or directory
Debug 588: whitelist ${RUNUSER}/ICEauthority
Debug 609: expanded: /run/user/1000/ICEauthority
Debug 620: new_name: /run/user/1000/ICEauthority
Debug 630: dir: /run/user/1000
Removed path: whitelist ${RUNUSER}/ICEauthority
	new_name: /run/user/1000/ICEauthority
	realpath: (null)
	No such file or directory
Debug 588: whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
Debug 609: expanded: /run/user/1000/.mutter-Xwaylandauth.*
Debug 620: new_name: /run/user/1000/.mutter-Xwaylandauth.*
Debug 630: dir: /run/user/1000
Removed path: whitelist ${RUNUSER}/.mutter-Xwaylandauth.*
	new_name: /run/user/1000/.mutter-Xwaylandauth.*
	realpath: (null)
	No such file or directory
Debug 588: whitelist ${RUNUSER}/pulse/native
Debug 609: expanded: /run/user/1000/pulse/native
Debug 620: new_name: /run/user/1000/pulse/native
Debug 630: dir: /run/user/1000
Debug 588: whitelist ${RUNUSER}/pipewire-*
Debug 609: expanded: /run/user/1000/pipewire-*
Debug 620: new_name: /run/user/1000/pipewire-*
Debug 630: dir: /run/user/1000
Removed path: whitelist ${RUNUSER}/pipewire-*
	new_name: /run/user/1000/pipewire-*
	realpath: (null)
	No such file or directory
Adding new profile command: whitelist /run/user/1000/pipewire-0-manager.lock
Adding new profile command: whitelist /run/user/1000/pipewire-0.lock
Adding new profile command: whitelist /run/user/1000/pipewire-0-manager
Adding new profile command: whitelist /run/user/1000/pipewire-0
Debug 588: whitelist ${RUNUSER}/wayland-*
Debug 609: expanded: /run/user/1000/wayland-*
Debug 620: new_name: /run/user/1000/wayland-*
Debug 630: dir: /run/user/1000
Removed path: whitelist ${RUNUSER}/wayland-*
	new_name: /run/user/1000/wayland-*
	realpath: (null)
	No such file or directory
Adding new profile command: whitelist /run/user/1000/wayland-1-swww-daemon..sock
Adding new profile command: whitelist /run/user/1000/wayland-1
Adding new profile command: whitelist /run/user/1000/wayland-1.lock
Debug 588: whitelist ${RUNUSER}/xauth_*
Debug 609: expanded: /run/user/1000/xauth_*
Debug 620: new_name: /run/user/1000/xauth_*
Debug 630: dir: /run/user/1000
Removed path: whitelist ${RUNUSER}/xauth_*
	new_name: /run/user/1000/xauth_*
	realpath: (null)
	No such file or directory
Debug 588: whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
Debug 609: expanded: /run/user/1000/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
Debug 620: new_name: /run/user/1000/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
Debug 630: dir: /run/user/1000
Removed path: whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
	new_name: /run/user/1000/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]
	realpath: (null)
	File name too long
Debug 588: whitelist /usr/share/alsa
Debug 609: expanded: /usr/share/alsa
Debug 620: new_name: /usr/share/alsa
Debug 630: dir: /usr/share
Adding whitelist top level directory /usr/share
Debug 588: whitelist /usr/share/applications
Debug 609: expanded: /usr/share/applications
Debug 620: new_name: /usr/share/applications
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/ca-certificates
Debug 609: expanded: /usr/share/ca-certificates
Debug 620: new_name: /usr/share/ca-certificates
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/crypto-policies
Debug 609: expanded: /usr/share/crypto-policies
Debug 620: new_name: /usr/share/crypto-policies
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/crypto-policies
	new_name: /usr/share/crypto-policies
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/cursors
Debug 609: expanded: /usr/share/cursors
Debug 620: new_name: /usr/share/cursors
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/cursors
	new_name: /usr/share/cursors
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/dconf
Debug 609: expanded: /usr/share/dconf
Debug 620: new_name: /usr/share/dconf
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/dconf
	new_name: /usr/share/dconf
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/distro-info
Debug 609: expanded: /usr/share/distro-info
Debug 620: new_name: /usr/share/distro-info
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/distro-info
	new_name: /usr/share/distro-info
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/drirc.d
Debug 609: expanded: /usr/share/drirc.d
Debug 620: new_name: /usr/share/drirc.d
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/egl
Debug 609: expanded: /usr/share/egl
Debug 620: new_name: /usr/share/egl
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/enchant
Debug 609: expanded: /usr/share/enchant
Debug 620: new_name: /usr/share/enchant
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/enchant
	new_name: /usr/share/enchant
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/enchant-2
Debug 609: expanded: /usr/share/enchant-2
Debug 620: new_name: /usr/share/enchant-2
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/file
Debug 609: expanded: /usr/share/file
Debug 620: new_name: /usr/share/file
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/fontconfig
Debug 609: expanded: /usr/share/fontconfig
Debug 620: new_name: /usr/share/fontconfig
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/fonts
Debug 609: expanded: /usr/share/fonts
Debug 620: new_name: /usr/share/fonts
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/fonts-config
Debug 609: expanded: /usr/share/fonts-config
Debug 620: new_name: /usr/share/fonts-config
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/fonts-config
	new_name: /usr/share/fonts-config
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/gir-1.0
Debug 609: expanded: /usr/share/gir-1.0
Debug 620: new_name: /usr/share/gir-1.0
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/gjs-1.0
Debug 609: expanded: /usr/share/gjs-1.0
Debug 620: new_name: /usr/share/gjs-1.0
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/glib-2.0
Debug 609: expanded: /usr/share/glib-2.0
Debug 620: new_name: /usr/share/glib-2.0
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/glvnd
Debug 609: expanded: /usr/share/glvnd
Debug 620: new_name: /usr/share/glvnd
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/glycin-loaders
Debug 609: expanded: /usr/share/glycin-loaders
Debug 620: new_name: /usr/share/glycin-loaders
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/glycin-loaders
	new_name: /usr/share/glycin-loaders
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/gtk-2.0
Debug 609: expanded: /usr/share/gtk-2.0
Debug 620: new_name: /usr/share/gtk-2.0
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/gtk-3.0
Debug 609: expanded: /usr/share/gtk-3.0
Debug 620: new_name: /usr/share/gtk-3.0
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/gtk-4.0
Debug 609: expanded: /usr/share/gtk-4.0
Debug 620: new_name: /usr/share/gtk-4.0
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/gtk-engines
Debug 609: expanded: /usr/share/gtk-engines
Debug 620: new_name: /usr/share/gtk-engines
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/gtksourceview-3.0
Debug 609: expanded: /usr/share/gtksourceview-3.0
Debug 620: new_name: /usr/share/gtksourceview-3.0
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/gtksourceview-4
Debug 609: expanded: /usr/share/gtksourceview-4
Debug 620: new_name: /usr/share/gtksourceview-4
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/gtksourceview-5
Debug 609: expanded: /usr/share/gtksourceview-5
Debug 620: new_name: /usr/share/gtksourceview-5
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/hunspell
Debug 609: expanded: /usr/share/hunspell
Debug 620: new_name: /usr/share/hunspell
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/hyphen
Debug 609: expanded: /usr/share/hyphen
Debug 620: new_name: /usr/share/hyphen
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/hyphen
	new_name: /usr/share/hyphen
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/hwdata
Debug 609: expanded: /usr/share/hwdata
Debug 620: new_name: /usr/share/hwdata
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/icons
Debug 609: expanded: /usr/share/icons
Debug 620: new_name: /usr/share/icons
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/icu
Debug 609: expanded: /usr/share/icu
Debug 620: new_name: /usr/share/icu
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/knotifications5
Debug 609: expanded: /usr/share/knotifications5
Debug 620: new_name: /usr/share/knotifications5
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/knotifications5
	new_name: /usr/share/knotifications5
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/kservices5
Debug 609: expanded: /usr/share/kservices5
Debug 620: new_name: /usr/share/kservices5
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/kservices5
	new_name: /usr/share/kservices5
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/Kvantum
Debug 609: expanded: /usr/share/Kvantum
Debug 620: new_name: /usr/share/Kvantum
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/Kvantum
	new_name: /usr/share/Kvantum
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/kxmlgui5
Debug 609: expanded: /usr/share/kxmlgui5
Debug 620: new_name: /usr/share/kxmlgui5
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/libdrm
Debug 609: expanded: /usr/share/libdrm
Debug 620: new_name: /usr/share/libdrm
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/libthai
Debug 609: expanded: /usr/share/libthai
Debug 620: new_name: /usr/share/libthai
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/locale
Debug 609: expanded: /usr/share/locale
Debug 620: new_name: /usr/share/locale
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/locale-langpack
Debug 609: expanded: /usr/share/locale-langpack
Debug 620: new_name: /usr/share/locale-langpack
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/locale-langpack
	new_name: /usr/share/locale-langpack
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/mime
Debug 609: expanded: /usr/share/mime
Debug 620: new_name: /usr/share/mime
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/misc
Debug 609: expanded: /usr/share/misc
Debug 620: new_name: /usr/share/misc
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/Modules
Debug 609: expanded: /usr/share/Modules
Debug 620: new_name: /usr/share/Modules
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/Modules
	new_name: /usr/share/Modules
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/myspell
Debug 609: expanded: /usr/share/myspell
Debug 620: new_name: /usr/share/myspell
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/p11-kit
Debug 609: expanded: /usr/share/p11-kit
Debug 620: new_name: /usr/share/p11-kit
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/perl
Debug 609: expanded: /usr/share/perl
Debug 620: new_name: /usr/share/perl
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/perl
	new_name: /usr/share/perl
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/perl5
Debug 609: expanded: /usr/share/perl5
Debug 620: new_name: /usr/share/perl5
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/pipewire
Debug 609: expanded: /usr/share/pipewire
Debug 620: new_name: /usr/share/pipewire
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/pixmaps
Debug 609: expanded: /usr/share/pixmaps
Debug 620: new_name: /usr/share/pixmaps
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/pki
Debug 609: expanded: /usr/share/pki
Debug 620: new_name: /usr/share/pki
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/pki
	new_name: /usr/share/pki
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/plasma
Debug 609: expanded: /usr/share/plasma
Debug 620: new_name: /usr/share/plasma
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/plasma
	new_name: /usr/share/plasma
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/publicsuffix
Debug 609: expanded: /usr/share/publicsuffix
Debug 620: new_name: /usr/share/publicsuffix
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/publicsuffix
	new_name: /usr/share/publicsuffix
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/qt
Debug 609: expanded: /usr/share/qt
Debug 620: new_name: /usr/share/qt
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/qt4
Debug 609: expanded: /usr/share/qt4
Debug 620: new_name: /usr/share/qt4
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/qt4
	new_name: /usr/share/qt4
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/qt5
Debug 609: expanded: /usr/share/qt5
Debug 620: new_name: /usr/share/qt5
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/qt5
	new_name: /usr/share/qt5
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/qt5ct
Debug 609: expanded: /usr/share/qt5ct
Debug 620: new_name: /usr/share/qt5ct
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/qt5ct
	new_name: /usr/share/qt5ct
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/qt6
Debug 609: expanded: /usr/share/qt6
Debug 620: new_name: /usr/share/qt6
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/qt6ct
Debug 609: expanded: /usr/share/qt6ct
Debug 620: new_name: /usr/share/qt6ct
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/qt6ct
	new_name: /usr/share/qt6ct
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/sounds
Debug 609: expanded: /usr/share/sounds
Debug 620: new_name: /usr/share/sounds
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/tcl8.6
Debug 609: expanded: /usr/share/tcl8.6
Debug 620: new_name: /usr/share/tcl8.6
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/tcl8.6
	new_name: /usr/share/tcl8.6
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/tcltk
Debug 609: expanded: /usr/share/tcltk
Debug 620: new_name: /usr/share/tcltk
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/tcltk
	new_name: /usr/share/tcltk
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/terminfo
Debug 609: expanded: /usr/share/terminfo
Debug 620: new_name: /usr/share/terminfo
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/texlive
Debug 609: expanded: /usr/share/texlive
Debug 620: new_name: /usr/share/texlive
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/texlive
	new_name: /usr/share/texlive
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/texmf
Debug 609: expanded: /usr/share/texmf
Debug 620: new_name: /usr/share/texmf
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/themes
Debug 609: expanded: /usr/share/themes
Debug 620: new_name: /usr/share/themes
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/thumbnail.so
Debug 609: expanded: /usr/share/thumbnail.so
Debug 620: new_name: /usr/share/thumbnail.so
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/thumbnail.so
	new_name: /usr/share/thumbnail.so
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/uim
Debug 609: expanded: /usr/share/uim
Debug 620: new_name: /usr/share/uim
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/uim
	new_name: /usr/share/uim
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/vulkan
Debug 609: expanded: /usr/share/vulkan
Debug 620: new_name: /usr/share/vulkan
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/X11
Debug 609: expanded: /usr/share/X11
Debug 620: new_name: /usr/share/X11
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/xkeyboard-config-2
Debug 609: expanded: /usr/share/xkeyboard-config-2
Debug 620: new_name: /usr/share/xkeyboard-config-2
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/xml
Debug 609: expanded: /usr/share/xml
Debug 620: new_name: /usr/share/xml
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/zenity
Debug 609: expanded: /usr/share/zenity
Debug 620: new_name: /usr/share/zenity
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/zenity
	new_name: /usr/share/zenity
	realpath: (null)
	No such file or directory
Debug 588: whitelist /usr/share/zoneinfo
Debug 609: expanded: /usr/share/zoneinfo
Debug 620: new_name: /usr/share/zoneinfo
Debug 630: dir: /usr/share
Debug 588: whitelist /run/user/1000/pipewire-0-manager.lock
Debug 609: expanded: /run/user/1000/pipewire-0-manager.lock
Debug 620: new_name: /run/user/1000/pipewire-0-manager.lock
Debug 630: dir: /run/user/1000
Debug 588: whitelist /run/user/1000/pipewire-0.lock
Debug 609: expanded: /run/user/1000/pipewire-0.lock
Debug 620: new_name: /run/user/1000/pipewire-0.lock
Debug 630: dir: /run/user/1000
Debug 588: whitelist /run/user/1000/pipewire-0-manager
Debug 609: expanded: /run/user/1000/pipewire-0-manager
Debug 620: new_name: /run/user/1000/pipewire-0-manager
Debug 630: dir: /run/user/1000
Debug 588: whitelist /run/user/1000/pipewire-0
Debug 609: expanded: /run/user/1000/pipewire-0
Debug 620: new_name: /run/user/1000/pipewire-0
Debug 630: dir: /run/user/1000
Debug 588: whitelist /run/user/1000/wayland-1-swww-daemon..sock
Debug 609: expanded: /run/user/1000/wayland-1-swww-daemon..sock
Debug 620: new_name: /run/user/1000/wayland-1-swww-daemon..sock
Error: invalid whitelist path /run/user/1000/wayland-1-swww-daemon..sock
Error: proc 129125 cannot sync with peer: unexpected EOF
Peer 129126 unexpectedly exited with status 1
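The distinction the report draws, as an added example (not firejail's code): a check that rejects any path containing the substring ".." compared with one that rejects only a path component that is exactly "..". The substring test is an assumption modelling the behaviour described in the report; the function names are hypothetical, and every sample path except the swww socket path is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: models the reported behaviour, where any ".." substring
 * anywhere in the path makes the whitelist entry invalid. */
static bool rejects_by_substring(const char *path) {
    return strstr(path, "..") != NULL;
}

/* Lexical, component-wise check: true only when some component between
 * '/' separators is exactly "..", i.e. a parent-directory reference. */
static bool has_dotdot_component(const char *path) {
    const char *p = path;
    while (*p) {
        while (*p == '/')              /* skip separators, including "//" */
            p++;
        const char *start = p;
        while (*p && *p != '/')        /* walk to the end of this component */
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return true;
    }
    return false;
}

/* Sample paths: the first is from the report, the rest are constructed. */
static const char *const sample_paths[] = {
    "/run/user/1000/wayland-1-swww-daemon..sock", /* legal file name */
    "/run/user/1000/wayland-1",
    "/run/user/1000/../1001/bus",                 /* real parent reference */
    "/usr/share/..",                              /* trailing parent reference */
    "/usr/share/...",                             /* three dots: ordinary name */
    "/usr/share/..hidden",                        /* ordinary name */
};
static const size_t sample_count = sizeof(sample_paths) / sizeof(sample_paths[0]);

/* Number of samples the substring test rejects although no component
 * is a parent-directory reference. */
static size_t count_false_rejections(void) {
    size_t n = 0;
    for (size_t i = 0; i < sample_count; i++)
        if (rejects_by_substring(sample_paths[i]) &&
            !has_dotdot_component(sample_paths[i]))
            n++;
    return n;
}

int main(void) {
    for (size_t i = 0; i < sample_count; i++)
        printf("%-45s substring=%-6s component=%s\n", sample_paths[i],
               rejects_by_substring(sample_paths[i]) ? "reject" : "ok",
               has_dotdot_component(sample_paths[i]) ? "reject" : "ok");
    printf("false rejections by substring test: %zu\n", count_false_rejections());
    return 0;
}
```

The component check is purely lexical; symlink resolution is still left to `realpath()`, which the debug log shows being called for each whitelist entry.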

whitelist /usr/share/thumbnail.so new_name: /usr/share/thumbnail.so realpath: (null) No such file or directory Debug 588: whitelist /usr/share/uim Debug 609: expanded: /usr/share/uim Debug 620: new_name: /usr/share/uim Debug 630: dir: /usr/share Removed path: whitelist /usr/share/uim new_name: /usr/share/uim realpath: (null) No such file or directory Debug 588: whitelist /usr/share/vulkan Debug 609: expanded: /usr/share/vulkan Debug 620: new_name: /usr/share/vulkan Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/X11 Debug 609: expanded: /usr/share/X11 Debug 620: new_name: /usr/share/X11 Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/xkeyboard-config-2 Debug 609: expanded: /usr/share/xkeyboard-config-2 Debug 620: new_name: /usr/share/xkeyboard-config-2 Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/xml Debug 609: expanded: /usr/share/xml Debug 620: new_name: /usr/share/xml Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/zenity Debug 609: expanded: /usr/share/zenity Debug 620: new_name: /usr/share/zenity Debug 630: dir: /usr/share Removed path: whitelist /usr/share/zenity new_name: /usr/share/zenity realpath: (null) No such file or directory Debug 588: whitelist /usr/share/zoneinfo Debug 609: expanded: /usr/share/zoneinfo Debug 620: new_name: /usr/share/zoneinfo Debug 630: dir: /usr/share Debug 588: whitelist /run/user/1000/pipewire-0-manager.lock Debug 609: expanded: /run/user/1000/pipewire-0-manager.lock Debug 620: new_name: /run/user/1000/pipewire-0-manager.lock Debug 630: dir: /run/user/1000 Debug 588: whitelist /run/user/1000/pipewire-0.lock Debug 609: expanded: /run/user/1000/pipewire-0.lock Debug 620: new_name: /run/user/1000/pipewire-0.lock Debug 630: dir: /run/user/1000 Debug 588: whitelist /run/user/1000/pipewire-0-manager Debug 609: expanded: /run/user/1000/pipewire-0-manager Debug 620: new_name: /run/user/1000/pipewire-0-manager Debug 630: dir: /run/user/1000 Debug 588: whitelist /run/user/1000/pipewire-0 
Debug 609: expanded: /run/user/1000/pipewire-0 Debug 620: new_name: /run/user/1000/pipewire-0 Debug 630: dir: /run/user/1000 Debug 588: whitelist /run/user/1000/wayland-1-swww-daemon..sock Debug 609: expanded: /run/user/1000/wayland-1-swww-daemon..sock Debug 620: new_name: /run/user/1000/wayland-1-swww-daemon..sock Error: invalid whitelist path /run/user/1000/wayland-1-swww-daemon..sock Error: proc 129125 cannot sync with peer: unexpected EOF Peer 129126 unexpectedly exited with status 1 ``` </p> </details>
gitea-mirror 2026-05-05 10:00:45 -06:00
  • closed this issue
  • added the duplicate label
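The rejection reported in this issue, as an added example that is not part of the original report and is not firejail's code: a substring test for `..` (assumed here as the kind of check that rejects this path; the page does not show the check itself) flags the socket name, while a per-component test flags only a real parent-directory reference. The helper names and the sample paths other than the swww socket are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Substring test: flags ".." anywhere in the path, including inside a
 * file name. Hypothetical helper, assumed form of an over-broad check. */
static bool has_dotdot_substring(const char *path) {
    return strstr(path, "..") != NULL;
}

/* Component test: flags only a path component that is exactly "..",
 * i.e. the parent-directory reference. Hypothetical helper. */
static bool has_dotdot_component(const char *path) {
    const char *p = path;
    while (*p) {
        while (*p == '/')           /* skip one or more separators */
            p++;
        const char *start = p;
        while (*p && *p != '/')     /* advance to the end of this component */
            p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.')
            return true;
    }
    return false;
}

int main(void) {
    /* First path is the one from the report; the rest are constructed. */
    const char *samples[] = {
        "/run/user/1000/wayland-1-swww-daemon..sock",
        "/run/user/1000/../0/bus",
        "/usr/share/..hidden",
        "/usr/share/qt6/..",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s substring=%d component=%d\n", samples[i],
               has_dotdot_substring(samples[i]),
               has_dotdot_component(samples[i]));
    return 0;
}
```

The component test is purely lexical and does not resolve symlinks, so it complements canonicalisation with `realpath(3)` rather than replacing it.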
Reference: github-starred/firejail#3462