github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #489] Firejail reports error 'parent is shutting down, bye' when trying to run ubuntu-clock-app.clock snap package on Ubuntu 16.04 #348

New issue

Closed

opened 2026-05-05 05:38:57 -06:00 by gitea-mirror · 3 comments

gitea-mirror commented

2026-05-05 05:38:57 -06:00

Owner

Originally created by @igor2x on GitHub (Apr 29, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/489

Hi,
Ubuntu 16.04 now supports snap packages. If I understand correctly snap packages are installed in some kind of isolation. But it looks like applications installed using snap can NOT also be used with firejail. See bellow.

Install firejail from official repository
sudo apt-get install firejail
Check firejail version
firejail --version

Above command outputs: firejail version 0.9.38
Search the snap 'ubuntu clock' application
sudo snap find ubuntu-clock-app
Install 'ubuntu clock' application using snap
sudo snap install ubuntu-clock-app
Ubuntu snap packages are installed in /snap/<app_nam>// directory and can be executed from /snap/bin/<app_name>
cd /snap/bin/
ls -l

Note: We see application name is: ubuntu-clock-app.clock
Run application
/snap/bin/ubuntu-clock-app.clock

Note: Application starts-up without a problem and clock is displayed.
Close application using mouse.
Now try to firejail the application.
firejail /snap/bin/ubuntu-clock-app.clock

-------- Error message --------
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 3770, child pid 3771

Child process initialized
need to run as root or suid

parent is shutting down, bye...
-------- End of Error message --------
Try running as root as message instructs.
sudo firejail /snap/bin/ubuntu-clock-app.clock

-------- Error message --------
Reading profile /etc/firejail/server.profile
Reading profile /etc/firejail/disable-mgmt.inc

** Note: you can use --noprofile to disable server.profile **

Parent pid 3777, child pid 3778
The new log directory is /proc/3778/root/var/log

Child process initialized
Bad system call

parent is shutting down, bye...
-------- End of Error message --------

It looks some problem using firejail and snap applications.

It is going to be interesting how to jail applications using snap package. Mozilla has already announced that Firefox is going to be provided as snap package, see:
https://blog.mozilla.org/futurereleases/2016/04/21/firefox-default-browser-for-linux-users-ubuntu-new-snap-format-coming-soon/

Originally created by @igor2x on GitHub (Apr 29, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/489 Hi, Ubuntu 16.04 now supports snap packages. If I understand correctly snap packages are installed in some kind of isolation. But it looks like applications installed using snap can NOT also be used with firejail. See bellow. 1. Install firejail from official repository sudo apt-get install firejail 2. Check firejail version firejail --version Above command outputs: firejail version 0.9.38 3. Search the snap 'ubuntu clock' application sudo snap find ubuntu-clock-app 4. Install 'ubuntu clock' application using snap sudo snap install ubuntu-clock-app 5. Ubuntu snap packages are installed in /snap/<app_nam>/<version>/ directory and can be executed from /snap/bin/<app_name> cd /snap/bin/ ls -l Note: We see application name is: ubuntu-clock-app.clock 6. Run application /snap/bin/ubuntu-clock-app.clock Note: Application starts-up without a problem and clock is displayed. 7. Close application using mouse. 8. Now try to firejail the application. firejail /snap/bin/ubuntu-clock-app.clock -------- Error message -------- Reading profile /etc/firejail/generic.profile Reading profile /etc/firejail/disable-mgmt.inc Reading profile /etc/firejail/disable-secret.inc Reading profile /etc/firejail/disable-common.inc *\* Note: you can use --noprofile to disable generic.profile ** Parent pid 3770, child pid 3771 Child process initialized need to run as root or suid parent is shutting down, bye... -------- End of Error message -------- 9. Try running as root as message instructs. sudo firejail /snap/bin/ubuntu-clock-app.clock -------- Error message -------- Reading profile /etc/firejail/server.profile Reading profile /etc/firejail/disable-mgmt.inc *\* Note: you can use --noprofile to disable server.profile *\* Parent pid 3777, child pid 3778 The new log directory is /proc/3778/root/var/log Child process initialized Bad system call parent is shutting down, bye... -------- End of Error message -------- It looks some problem using firejail and snap applications. It is going to be interesting how to jail applications using snap package. Mozilla has already announced that Firefox is going to be provided as snap package, see: https://blog.mozilla.org/futurereleases/2016/04/21/firefox-default-browser-for-linux-users-ubuntu-new-snap-format-coming-soon/

gitea-mirror

2026-05-05 05:38:57 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 05:39:03 -06:00

Author

Owner

@netblue30 commented on GitHub (Apr 30, 2016):

I'll give it a try and let you know. "Bad system call" probably was generated because seccomp killed some process running inside the sandbox. I don't think it will work with the default profiles.

@netblue30 commented on GitHub (Apr 30, 2016): I'll give it a try and let you know. "Bad system call" probably was generated because seccomp killed some process running inside the sandbox. I don't think it will work with the default profiles.

gitea-mirror commented

2026-05-05 05:39:04 -06:00

Author

Owner

@netblue30 commented on GitHub (May 2, 2016):

For firejail version 0.9.38 use this profile:

################################
# Generic Ubuntu snap application profile
################################
include /etc/firejail/disable-mgmt.inc
include /etc/firejail/disable-secret.inc
include /etc/firejail/disable-common.inc

whitelist ~/snap
include /etc/firejail/whitelist-common.inc

caps.keep chown,sys_admin

Save it as snap.profile and start the application:

$ firejail --profile=snap.profile  /snap/bin/ubuntu-clock-app.clock

I also put a similar file in git on the master branch, it is installed in /etc/firejail/snap.profile

@netblue30 commented on GitHub (May 2, 2016): For firejail version 0.9.38 use this profile: ``` ################################ # Generic Ubuntu snap application profile ################################ include /etc/firejail/disable-mgmt.inc include /etc/firejail/disable-secret.inc include /etc/firejail/disable-common.inc whitelist ~/snap include /etc/firejail/whitelist-common.inc caps.keep chown,sys_admin ``` Save it as snap.profile and start the application: ``` $ firejail --profile=snap.profile /snap/bin/ubuntu-clock-app.clock ``` I also put a similar file in git on the master branch, it is installed in /etc/firejail/snap.profile

gitea-mirror commented

2026-05-05 05:39:07 -06:00

Author

Owner

@igor2x commented on GitHub (May 3, 2016):

I created file: ~/.config/firejail/ubuntu-clock-app.clock.profile and saved above settings.
Run command: firejail ubuntu-clock-app.clock
Application starts fine in jail.

Thanks. Problem fixed.

@igor2x commented on GitHub (May 3, 2016): 1. I created file: ~/.config/firejail/ubuntu-clock-app.clock.profile and saved above settings. 2. Run command: firejail ubuntu-clock-app.clock 3. Application starts fine in jail. Thanks. Problem fixed.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#348

No description provided.

Rows
Columns