[GH-ISSUE #7062] xorg: Authorization required, but no authorization protocol specified #3473

Closed
opened 2026-05-05 10:01:09 -06:00 by gitea-mirror · 17 comments

Originally created by @kmille on GitHub (Feb 15, 2026).
Original GitHub issue: https://github.com/netblue30/firejail/issues/7062

Hey,

I'm using firejail-git version 0.9.78.r114.g88652cdb3-1 on Arch Linux (just built it a few seconds ago). I cannot start Thunderbird. I have the same problem with firefox:

```
kmille@spring:~# /usr/local/bin/thunderbird
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-proc.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.79

Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.own org.mozilla.thunderbird.*" and 4 other dbus-user filter rules.
Parent pid 436820, child pid 436821
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 164.47 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1001/gvfs
Base filesystem installed in 405.62 ms
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: Replacing profile instead of stacking it. It is a legacy behavior that can result in relaxation of the protection. It is here as a temporary measure to unbreak the software that has been broken by switching to the stacking behavior.
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 741.52 ms
[41] Sandbox: CanCreateUserNamespace() clone() failure: EPERM
Authorization required, but no authorization protocol specified

Error: cannot open display: :0

Parent is shutting down, bye...
```

Regarding the AppArmor thing (I'm running 6.17.13-hardened1-3-hardened):

```
kmille@spring:~# sudo aa-enforce firejail-default
[sudo] password for kmille:
Setting /etc/apparmor.d/firejail-default to enforce mode.

ERROR: Cache read/write disabled: interface file missing. (Kernel needs AppArmor 2.4 compatibility patch.)
Warning: unable to find a suitable fs in /proc/mounts, is it mounted?
Use --subdomainfs to override.
```

@kmk3 commented on GitHub (Feb 17, 2026):

Basic debugging information is missing; please follow the bug report template:

* <https://github.com/netblue30/firejail/issues/new?template=bug_report.md>

@kmille commented on GitHub (Feb 17, 2026):

I have the same error on signal... I tried fixing it there but no luck....

logs
```
kmille@spring:~# firejail signal-desktop  09:39 [9/616]
Reading profile /home/kmille/.config/firejail/signal-desktop.profile
Reading profile /home/kmille/.config/firejail/globals.local
Reading profile /etc/firejail/allow-bin-sh.inc
Reading profile /etc/firejail/electron-common.profile
Reading profile /etc/firejail/blink-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /home/kmille/.config/firejail/disable-common.local
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
firejail version 0.9.79

Warning: /usr/bin/xdg-dbus-proxy was not found, downgrading dbus-user policy to allow.
To enable DBus filtering, install the xdg-dbus-proxy program.
Ignoring "dbus-user.talk org.freedesktop.Notifications" and 2 other dbus-user filter rules.
Parent pid 804969, child pid 804970
Warning: not remounting /var/lib/docker/overlay2/10950d58944a0d72af6ce02aca10872ed2967202eb4ee4d85d1c56d3494bd7c3/merged
Warning: not remounting /var/lib/docker/overlay2/da069ff799aaedf82f7e0882511f4a91b071044edae2604e19684bae4c07d215/merged
Warning: not remounting /var/lib/docker/overlay2/10950d58944a0d72af6ce02aca10872ed2967202eb4ee4d85d1c56d3494bd7c3/merged
Warning: not remounting /var/lib/docker/overlay2/da069ff799aaedf82f7e0882511f4a91b071044edae2604e19684bae4c07d215/merged
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 89.83 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 415.29 ms
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 711.36 ms
[28:0217/093940.299030:ERROR:dbus/bus.cc:408] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
NODE_ENV production
NODE_CONFIG_DIR /usr/lib/signal-desktop/resources/app.asar/config
NODE_CONFIG {}
ALLOW_CONFIG_MUTATIONS undefined
HOSTNAME cehokosuke
NODE_APP_INSTANCE undefined
SUPPRESS_NO_CONFIG_WARNING undefined
SIGNAL_ENABLE_HTTP undefined
userData: /home/kmille/.config/Signal
Authorization required, but no authorization protocol specified

[28:0217/093942.186166:ERROR:ui/ozone/platform/x11/ozone_platform_x11.cc:249] Missing X server or $DISPLAY
[28:0217/093942.186197:ERROR:ui/aura/env.cc:257] The platform failed to initialize.  Exiting.
[28:0217/093942.239402:ERROR:electron/shell/common/node_util.cc:64] CompileAndCall failed to evaluate electron script (electron/js2c/node_init): script execution has been terminated
FATAL ERROR: Error::ThrowAsJavaScriptException napi_throw
----- Native stack trace -----


----- JavaScript stack trace -----

1: func (node:electron/js2c/node_init:2:2617)
2: Module._extensions..node (node:internal/modules/cjs/loader:1874:18)
3: func (node:electron/js2c/node_init:2:2844)
4: Module.load (node:internal/modules/cjs/loader:1448:32)
5: Module._load (node:internal/modules/cjs/loader:1270:12)
6: c._load (node:electron/js2c/node_init:2:17993)
7: traceSync (node:diagnostics_channel:328:14)
8: wrapModuleLoad (node:internal/modules/cjs/loader:244:24)
9: Module.require (node:internal/modules/cjs/loader:1470:12)
10: require (node:internal/modules/helpers:147:16)

Parent is shutting down, bye...
```

### Expected behavior

Also having `Authorization required, but no authorization protocol specified`. Signal window does not appear.

### Behavior without a profile

logs

```
kmille@spring:~# firejail --noprofile signal-desktop
firejail version 0.9.79

Parent pid 806471, child pid 806472
Warning: not remounting /var/lib/docker/overlay2/10950d58944a0d72af6ce02aca10872ed2967202eb4ee4d85d1c56d3494bd7c3/merged
Warning: not remounting /var/lib/docker/overlay2/da069ff799aaedf82f7e0882511f4a91b071044edae2604e19684bae4c07d215/merged
Warning: not remounting /var/lib/docker/overlay2/10950d58944a0d72af6ce02aca10872ed2967202eb4ee4d85d1c56d3494bd7c3/merged
Warning: not remounting /var/lib/docker/overlay2/da069ff799aaedf82f7e0882511f4a91b071044edae2604e19684bae4c07d215/merged
Base filesystem installed in 0.12 ms
Child process initialized in 41.40 ms
NODE_ENV production
NODE_CONFIG_DIR /usr/lib/signal-desktop/resources/app.asar/config
NODE_CONFIG {}
ALLOW_CONFIG_MUTATIONS undefined
HOSTNAME somesishi
NODE_APP_INSTANCE undefined
SUPPRESS_NO_CONFIG_WARNING undefined
SIGNAL_ENABLE_HTTP undefined
userData: /home/kmille/.config/Signal
Authorization required, but no authorization protocol specified

[3:0217/094319.831299:ERROR:ui/ozone/platform/x11/ozone_platform_x11.cc:249] Missing X server or $DISPLAY
[3:0217/094319.831404:ERROR:ui/aura/env.cc:257] The platform failed to initialize. Exiting.
FATAL ERROR: v8::ToLocalChecked Empty MaybeLocal
----- Native stack trace -----

----- JavaScript stack trace -----

1: read (node:internal/modules/package_json_reader:116:33)
2: _readPackage (node:internal/modules/cjs/loader:475:55)
3: resolveExports (node:internal/modules/cjs/loader:653:15)
4: Module._findPath (node:internal/modules/cjs/loader:724:31)
5: Module._resolveFilename (node:internal/modules/cjs/loader:1376:27)
6: defaultResolveImpl (node:internal/modules/cjs/loader:1032:19)
7: resolveForCJSWithHooks (node:internal/modules/cjs/loader:1037:22)
8: Module._load (node:internal/modules/cjs/loader:1199:37)
9: c._load (node:electron/js2c/node_init:2:17993)
10: traceSync (node:diagnostics_channel:328:14)
```

### Additional context

It works without firejail:

```
kmille@spring:~# /usr/bin/signal-desktop
NODE_ENV production
NODE_CONFIG_DIR /usr/lib/signal-desktop/resources/app.asar/config
NODE_CONFIG {}
ALLOW_CONFIG_MUTATIONS undefined
HOSTNAME spring
NODE_APP_INSTANCE undefined
SUPPRESS_NO_CONFIG_WARNING undefined
SIGNAL_ENABLE_HTTP undefined
userData: /home/kmille/.config/Signal
(node:806988) [DEP0180] DeprecationWarning: fs.Stats constructor is deprecated.
(Use `signal-desktop --trace-deprecation ...` to show where the warning was created)
[807053:0217/094415.808430:ERROR:media/gpu/vaapi/vaapi_wrapper.cc:1631] vaInitialize failed: unknown libva error
< window opens >
```

_Any other detail that may help to understand/debug the problem_

### Environment

- Name/version/arch of the Linux kernel (`uname -srm`): Linux 6.17.13-hardened1-3-hardened x86_64
- Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch
- Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1, mesa 1:24.3.3-2"): signal-desktop 7.88.0-1
- Version of Firejail (`firejail --version`): firejail-git 0.9.78.r114.g88652cdb3-1

### Checklist

- [x] I am using firejail [0.9.78 or later](https://github.com/netblue30/firejail/tree/master/SECURITY.md)
- [x] I am using the full program path (e.g. `firejail /usr/bin/vlc` instead of `firejail vlc`; see `https://github.com/netblue30/firejail/issues/2877`) => also tried this
- [x] The issue is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it).
- [x] I can reproduce the issue without custom modifications (e.g. globals.local).
- [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
- [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
- [ ] I have performed a short search for similar issues (to avoid opening a duplicate).
  - [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
- [x] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages)

@kmille commented on GitHub (Feb 17, 2026):

Looks like it's an X11 issue. I also commented out the whole profile without luck. But that's probably the same as "--noprofile".


@kmk3 commented on GitHub (Feb 17, 2026):

> Looks like it's an X11 issue. I also commented out the whole profile without
> luck. But that's probably the same as "--noprofile".

Are you using the standard xorg packages?

Which DE/WM?

What is the output of the following?

```sh
sudo Xorg -version
```

What happens with the following?

```sh
firejail --ignore=apparmor --profile=noprofile /usr/bin/firefox
```

@kmk3 commented on GitHub (Feb 17, 2026):

When did this start happening?

Does it work if you disable apparmor completely and reboot?


@kmille commented on GitHub (Feb 17, 2026):


```
kmille@spring:~# pacman -Qqs xorg
xf86-input-libinput
xorg-fonts-encodings
xorg-server
xorg-server-common
xorg-setxkbmap
xorg-xauth
xorg-xbacklight
xorg-xdpyinfo
xorg-xev
xorg-xinit
xorg-xkbcomp
xorg-xlsfonts
xorg-xmodmap
xorg-xprop
xorg-xrandr
xorg-xrdb
xorg-xset
xorg-xsetroot
xorgproto
```

```
root        1904  0.9  0.6 1558572 108760 tty7   Ssl+ Feb12  69:12 /usr/lib/Xorg :0 -seat seat0 -auth /run/lightdm/root/:0 -nolisten tcp vt7 -novtswitch
```

I'm using lightdm and i3 window manager.


```
kmille@spring:~# sudo Xorg -version
[sudo] password for kmille:

X.Org X Server 1.21.1.21
X Protocol Version 11, Revision 0
Current Operating System: Linux spring 6.17.13-hardened1-3-hardened #1 SMP PREEMPT_DYNAMIC Mon, 09 Feb 2026 20:25:34 +0000 x86_64
Kernel command line: pti=on page_alloc.shuffle=1 rw

Current version of pixman: 0.46.4
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
```

```
kmille@spring:~# firejail --ignore=apparmor --profile=noprofile /usr/bin/firefox
Reading profile /etc/firejail/noprofile.profile
firejail version 0.9.79

Parent pid 842482, child pid 842483
Warning: cannot open source file /usr/lib/firejail/seccomp.debug32, file not copied
Base filesystem installed in 0.04 ms
Child process initialized in 40.90 ms
[3] Sandbox: CanCreateUserNamespace() clone() failure: EPERM
Authorization required, but no authorization protocol specified

Error: cannot open display: :0

Parent is shutting down, bye...
```

> When did this start happening?

recent days, maybe during last week.

> Does it work if you disable apparmor completely and reboot?

Can try this later, am currently working.

@kmk3 commented on GitHub (Feb 18, 2026):

> ```
> kmille@spring:~# /usr/local/bin/thunderbird
> [...]
> [41] Sandbox: CanCreateUserNamespace() clone() failure: EPERM
> Authorization required, but no authorization protocol specified
> ```

What is the output of the following?

```sh
zgrep CONFIG_USER_NS /proc/config.gz
sysctl kernel.unprivileged_userns_clone
```

What happens if you enable it?

```sh
sudo sysctl -w kernel.unprivileged_userns_clone=1
```

@kmk3 commented on GitHub (Feb 18, 2026):

I'm getting this error on Artix as well now.

It seems to happen for multiple programs on xorg but not on wayland (firefox
works on wayland).

Happens with both gtk-based and qt-based programs and even with
--profile=noprofile.

No idea what caused it, but it was probably a package upgrade.

In the pacman log, I don't see any upgrades for xorg-specific packages though.


@rusty-snake commented on GitHub (Feb 18, 2026):

@kmk3 check $XAUTHORITY


@kmk3 commented on GitHub (Feb 18, 2026):

> check `$XAUTHORITY`

What do you mean?

It points to ~/.Xauthority.

Same inside the sandbox.


@kmk3 commented on GitHub (Feb 18, 2026):

~~Note that xterm still opens just fine, so I would guess that it's due to a
dependency that is shared by many GUI apps but that is not from xorg itself.~~

Edit: Nevermind, I was opening it outside of firejail.

xterm also breaks in firejail, so the problem might actually be inside an xorg
library or something close to it.


@kmk3 commented on GitHub (Feb 18, 2026):

Every program seems to open just fine if I use --keep-hostname.

@kmille

Does that also fix it on Arch?

Cc: @netblue30


@kmille commented on GitHub (Feb 19, 2026):

confirm: --keep-hostname fixes the issue on Arch.


@kmk3 commented on GitHub (Feb 19, 2026):

The issue does not happen with 0.9.78.

Bisected and found the problematic commit:

<!-- gh-comment-id:3926809971 --> @kmk3 commented on GitHub (Feb 19, 2026): The issue does not happen with 0.9.78. Bisected and found the problematic commit: * 6f164f415 ("--keep-hostname part 2 (#7048)", 2026-02-03)

@kmille commented on GitHub (Feb 19, 2026):

There is still the question of how to fix this. And what's the underlying problem.

On February 19, 2026 1:00:09 PM GMT+01:00, "Kelvin M. Klann" @.***> wrote:

> kmk3 left a comment (netblue30/firejail#7062)
>
> The issue does not happen with 0.9.78.
>
> Bisected and found the problematic commit:
>
> * 6f164f415 ("--keep-hostname part 2 (#7048)", 2026-02-03)


@kmk3 commented on GitHub (Feb 20, 2026):

> There is still the question of how to fix this. And what's the underlying
> problem.

Yes, but for now as a workaround you can add the following to
/etc/firejail/globals.local:

```
keep-hostname
```
@kmk3 commented on GitHub (Feb 24, 2026):

The issue also happens when using --hostname= (both on 0.9.78 and on
ec36880659):

```console
$ firejail --quiet --noprofile --private \
  --ignore=keep-hostname --hostname=foo /usr/bin/xterm
Authorization required, but no authorization protocol specified

xterm: Xt error: Can't open display: :0
```

`xauth list` shows the hostname, so it might be related:

```console
$ xauth list
<hostname>/unix:0  MIT-MAGIC-COOKIE-1  <hexkey>
```

### Networking

Without firejail:

```console
$ cat /etc/hostname
realhost
$ cat /etc/hosts
# Static table lookup for hostnames.
# See hosts(5) for details.
127.0.0.1        realhost
127.0.0.1        localhost
::1              localhost
$ /usr/bin/ping -c 1 realhost | head -n 1
PING realhost (127.0.0.1) 56(84) bytes of data.
```

With firejail:

```console
$ firejail --quiet --ignore=keep-hostname --hostname=foo cat /etc/hostname
foo
$ firejail --quiet --ignore=keep-hostname --hostname=foo cat /etc/hosts
# Static table lookup for hostnames.
# See hosts(5) for details.
127.0.0.1 foo
::1              localhost
$ firejail --quiet --ignore=keep-hostname --hostname=foo \
  /usr/bin/ping -c 1 realhost | head -n 1
/usr/bin/ping: realhost: Name or service not known
```

Note that the line of the real host is removed from /etc/hosts inside of the
sandbox (see also #7048).

### Xorg

If changing the hostname in the sandbox, it might be necessary to allow that
new hostname to connect to the X server (such as by using xhost or xauth).

Though the sandbox might need to know the real hostname in order to find the
host and connect to the X server.

Which looks like it would defeat the purpose of using a separate hostname (or
at least of trying to hide the real hostname).

Also, the xauth list might be global regardless of user or sandbox, in which
case adding an ever-increasing amount of random hostnames by default would seem
counter-productive.

### Testing

I tested adding the real hostname in /etc/hosts in the sandbox, in which case
pinging the real hostname works but connecting to the X server still fails. So
X might be checking the hostname specifically (such as with gethostname or by
reading /etc/hostname).

Diff for testing:

diff --git a/src/firejail/fs_hostname.c b/src/firejail/fs_hostname.c
index 5adacb58b..be27923f7 100644
--- a/src/firejail/fs_hostname.c
+++ b/src/firejail/fs_hostname.c
@@ -61,6 +61,15 @@ void fs_hostname(void) {
                cfg.hostname = random_hostname();
        struct stat s;

+#define HOSTNAME_SZ 256
+       char *realhostname = malloc(HOSTNAME_SZ);
+       if (!realhostname)
+               errExit("malloc");
+
+       if (gethostname(realhostname, HOSTNAME_SZ - 1))
+               errExit("gethostname");
+       realhostname[HOSTNAME_SZ - 1] = '\0';
+
        // create a new /etc/hostname
        if (stat("/etc/hostname", &s) == 0) {
                if (arg_debug)
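Review bot: `realhostname` is allocated with `malloc(HOSTNAME_SZ)` at the top of `fs_hostname()` and nothing in either hunk frees it. Since the size is a compile-time constant, a stack array (`char realhostname[HOSTNAME_SZ];`) would drop both the allocation failure path and the leak. The `#define HOSTNAME_SZ 256` also sits inside the function body and stays defined for the rest of the file; moving it to the top of the file, next to the other constants, would make that scope explicit.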
@@ -108,6 +117,7 @@ void fs_hostname(void) {
                        if (strstr(buf, "127.0.0.1") && done == 0) {
                                done = 1;
                                fprintf(fp2, "127.0.0.1 %s\n", cfg.hostname);
+                               fprintf(fp2, "127.0.0.1 %s\n", realhostname);
                        }
                        else
                                fprintf(fp2, "%s\n", buf);
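Review bot: the added `fprintf(fp2, "127.0.0.1 %s\n", realhostname);` is unconditional, so every sandbox that gets a rewritten /etc/hosts would also see the real hostname, which works against the hiding that a separate sandbox hostname is meant to give (the concern raised in the Xorg section of the same comment). If this goes beyond a test, it should be gated behind an explicit option, and skipped when `strcmp(cfg.hostname, realhostname) == 0` so that the same 127.0.0.1 line is not written twice.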

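Why a changed hostname can leave the client with no cookie to send, as an added example that is not part of the thread or of firejail's code: it parses the binary Xauthority record layout and looks up an entry by hostname and display, the way the `xauth list` output above is keyed. The assumptions are that the client selects its entry using the hostname it sees inside the sandbox (the guess made in the comment above), that the matching rule is a simplified version of what X client libraries do, and that the sample record is constructed.

```python
import struct

FAMILY_LOCAL = 256     # entry address is a hostname (local/unix connections)
FAMILY_WILD = 0xFFFF   # entry matches any address

def field(buf, off):
    """Read one field: 2-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, off)  # struct.error if cut short
    end = off + 2 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 2:end], end

def parse_xauthority(buf):
    """Parse Xauthority bytes into a list of entry dicts."""
    entries, off = [], 0
    while off < len(buf):
        (family,) = struct.unpack_from(">H", buf, off)
        off += 2
        addr, off = field(buf, off)
        num, off = field(buf, off)
        name, off = field(buf, off)
        data, off = field(buf, off)
        entries.append(dict(family=family, address=addr, display=num,
                            name=name, data=data))
    return entries

def find_cookie(entries, hostname, display):
    """Return the first entry usable for a local connection, or None."""
    for e in entries:
        addr_ok = e["family"] == FAMILY_WILD or (
            e["family"] == FAMILY_LOCAL and e["address"] == hostname.encode())
        disp_ok = e["display"] in (b"", display.encode())
        if addr_ok and disp_ok:
            return e
    return None

def record(family, addr, display, name, data):
    """Build one Xauthority record (used only to construct the sample)."""
    out = struct.pack(">H", family)
    for f in (addr, display, name, data):
        out += struct.pack(">H", len(f)) + f
    return out

# Constructed sample: one cookie registered for host "realhost", display 0.
SAMPLE = record(FAMILY_LOCAL, b"realhost", b"0", b"MIT-MAGIC-COOKIE-1", bytes(16))

if __name__ == "__main__":
    for host in ("realhost", "foo"):  # real hostname vs. --hostname=foo
        print(host, "->", find_cookie(parse_xauthority(SAMPLE), host, "0"))
```

To check a real setup, pass the contents of the file that `$XAUTHORITY` points to into `parse_xauthority` and compare the entry addresses with the hostname reported inside the sandbox.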