[GH-ISSUE #7116] vscode: no window shows up on wayland (hyprland/gentoo) #3490

Open
opened 2026-05-05 10:01:49 -06:00 by gitea-mirror · 7 comments

Originally created by @nuclear06 on GitHub (Mar 27, 2026).
Original GitHub issue: https://github.com/netblue30/firejail/issues/7116

Description

I am using Gentoo with Hyprland and an NVIDIA GPU. VSCode gets stuck at startup and no window is shown when using the default code profile under Wayland.

Steps to Reproduce

I can launch VSCode successfully using XWayland with the following command:
firejail code --ozone-platform=x11

However, the following command gets stuck at startup and no window appears:
firejail code --ozone-platform=wayland --enable-features=UseOzonePlatform

If I bypass the device isolation by adding ignore private-dev, VSCode opens normally under Wayland:
firejail --ignore=private-dev code --ozone-platform=wayland --enable-features=UseOzonePlatform

Further debugging shows that the issue is specifically caused by the blocking of /dev/nvidiactl. If I ignore private-dev but manually blacklist /dev/nvidiactl, VSCode fails to open again:
firejail --ignore=private-dev --blacklist=/dev/nvidiactl code --ozone-platform=wayland --enable-features=UseOzonePlatform

Expected behavior

VSCode should open normally

Behavior without a profile

vscode opens normally

Environment

  • Name/version/arch of the Linux kernel (uname -srm):
    Linux 6.18.18-gentoo-dist x86_64

  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
    Gentoo

  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"):
    vscode 1.112.0

  • Version of Firejail (firejail --version):

firejail version 0.9.76

Compile time support:
- always force nonewprivs support is disabled
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file transfer support is enabled
- IDS support is disabled
- Landlock support is enabled
- networking support is enabled
- output logging is enabled
- overlayfs support is disabled
- private-home support is enabled
- private-lib support is disabled
- private-cache and tmpfs as user enabled
- sandbox check is enabled
- SELinux support is disabled
- user namespace support is enabled
- X11 sandboxing support is enabled

  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD):

Checklist

  • I am using firejail 0.9.80 or later
  • I am using the full program path (e.g. firejail /usr/bin/vlc instead of firejail vlc; see https://github.com/netblue30/firejail/issues/2877)
  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /usr/bin/code


Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/electron-common.profile
Reading profile /etc/firejail/blink-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
firejail version 0.9.76

Parent pid 268537, child pid 268538
Warning: NVIDIA card detected, nogroups command ignored
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 71.40 ms
Warning: NVIDIA card detected, nogroups command ignored
Child process initialized in 110.97 ms

Output of % LC_ALL=C firejail --debug /usr/bin/code

Looking for kernel processes
Found kthreadd process, we are not running in a sandbox
pid=269785: locking /run/firejail/firejail-run.lock ...
pid=269785: locked /run/firejail/firejail-run.lock
pid=269785: unlocking /run/firejail/firejail-run.lock ...
pid=269785: unlocked /run/firejail/firejail-run.lock
Building quoted command line: '/usr/bin/code' 
Command name #code#
Found code.profile profile in /etc/firejail directory
Reading profile /etc/firejail/code.profile
Found code.local profile in /home/saniter/.config/firejail directory
Cannot access .local file globals.local: No such file or directory, skipping...
Found allow-common-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/allow-common-devel.inc
Cannot access .local file allow-common-devel.local: No such file or directory, skipping...
Found electron-common.profile profile in /etc/firejail directory
Reading profile /etc/firejail/electron-common.profile
Found electron-common.local profile in /home/saniter/.config/firejail directory
Found blink-common.profile profile in /etc/firejail directory
Reading profile /etc/firejail/blink-common.profile
Cannot access .local file blink-common.local: No such file or directory, skipping...
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Cannot access .local file disable-common.local: No such file or directory, skipping...
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Cannot access .local file disable-programs.local: No such file or directory, skipping...
firejail version 0.9.76

pid=269785: locking /run/firejail/firejail-run.lock ...
pid=269785: locked /run/firejail/firejail-run.lock
DISPLAY=:0 parsed as 0
pid=269785: unlocking /run/firejail/firejail-run.lock ...
pid=269785: unlocked /run/firejail/firejail-run.lock
Using the local network stack
Parent pid 269785, child pid 269786
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
IBUS_ADDRESS=unix:path=/run/user/1000/bus,fcitx_random_string=47aedcf87b1e4ffd8ba70a845ebf5217
IBUS_DAEMON_PID=1756
Drop privileges: pid 2, uid 1000, gid 1000, force_nogroups 0
Warning: NVIDIA card detected, nogroups command ignored
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
452 57 252:0 /etc /etc ro,noatime master:1 - ext4 /dev/mapper/vg0-root rw
mountid=452 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
453 452 252:0 /etc /etc ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/mapper/vg0-root rw
mountid=453 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
454 57 252:0 /var /var ro,noatime master:1 - ext4 /dev/mapper/vg0-root rw
mountid=454 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
455 454 252:0 /var /var ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/mapper/vg0-root rw
mountid=455 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
456 57 252:0 /usr /usr ro,noatime master:1 - ext4 /dev/mapper/vg0-root rw
mountid=456 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/saniter/.config/firejail
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting tmpfs on /dev
Globbing /run/firejail/mnt/dev/snd on /dev/snd (type=sound)
skipping /run/firejail/mnt/dev/snd on /dev/snd due to its type (type=sound)
Globbing /run/firejail/mnt/dev/dri on /dev/dri (type=3d)
mounting /run/firejail/mnt/dev/dri on /dev/dri (type=3d) directory
Globbing /run/firejail/mnt/dev/kfd on /dev/kfd (type=3d)
mounting /run/firejail/mnt/dev/kfd on /dev/kfd (type=3d) file
Globbing /run/firejail/mnt/dev/nvidia[0-9]* on /dev/nvidia[0-9]* (type=3d)
mounting /run/firejail/mnt/dev/nvidia0 on /dev/nvidia0 (type=3d) file
Globbing /run/firejail/mnt/dev/nvidiactl on /dev/nvidiactl (type=3d)
mounting /run/firejail/mnt/dev/nvidiactl on /dev/nvidiactl (type=3d) file
Globbing /run/firejail/mnt/dev/nvidia-modeset on /dev/nvidia-modeset (type=3d)
mounting /run/firejail/mnt/dev/nvidia-modeset on /dev/nvidia-modeset (type=3d) file
Globbing /run/firejail/mnt/dev/nvidia-uvm on /dev/nvidia-uvm (type=3d)
No match /run/firejail/mnt/dev/nvidia-uvm (type=3d)
Globbing /run/firejail/mnt/dev/video[0-9]* on /dev/video[0-9]* (type=video)
skipping /run/firejail/mnt/dev/video0 on /dev/video0 due to its type (type=video)
skipping /run/firejail/mnt/dev/video1 on /dev/video1 due to its type (type=video)
skipping /run/firejail/mnt/dev/video2 on /dev/video2 due to its type (type=video)
skipping /run/firejail/mnt/dev/video3 on /dev/video3 due to its type (type=video)
Globbing /run/firejail/mnt/dev/dvb on /dev/dvb (type=tv)
No match /run/firejail/mnt/dev/dvb (type=tv)
Globbing /run/firejail/mnt/dev/sr[0-9]* on /dev/sr[0-9]* (type=dvd)
skipping /run/firejail/mnt/dev/sr0 on /dev/sr0 due to its type (type=dvd)
Globbing /run/firejail/mnt/dev/tcm[0-9]* on /dev/tcm[0-9]* (type=tpm)
No match /run/firejail/mnt/dev/tcm[0-9]* (type=tpm)
Globbing /run/firejail/mnt/dev/tcmrm[0-9]* on /dev/tcmrm[0-9]* (type=tpm)
No match /run/firejail/mnt/dev/tcmrm[0-9]* (type=tpm)
Globbing /run/firejail/mnt/dev/tpm[0-9]* on /dev/tpm[0-9]* (type=tpm)
skipping /run/firejail/mnt/dev/tpm0 on /dev/tpm0 due to its type (type=tpm)
Globbing /run/firejail/mnt/dev/tpmrm[0-9]* on /dev/tpmrm[0-9]* (type=tpm)
skipping /run/firejail/mnt/dev/tpmrm0 on /dev/tpmrm0 due to its type (type=tpm)
Globbing /run/firejail/mnt/dev/hidraw[0-9]* on /dev/hidraw[0-9]* (type=u2f)
skipping /run/firejail/mnt/dev/hidraw0 on /dev/hidraw0 due to its type (type=u2f)
skipping /run/firejail/mnt/dev/hidraw1 on /dev/hidraw1 due to its type (type=u2f)
skipping /run/firejail/mnt/dev/hidraw2 on /dev/hidraw2 due to its type (type=u2f)
skipping /run/firejail/mnt/dev/hidraw3 on /dev/hidraw3 due to its type (type=u2f)
skipping /run/firejail/mnt/dev/hidraw4 on /dev/hidraw4 due to its type (type=u2f)
skipping /run/firejail/mnt/dev/hidraw5 on /dev/hidraw5 due to its type (type=u2f)
skipping /run/firejail/mnt/dev/hidraw6 on /dev/hidraw6 due to its type (type=u2f)
Globbing /run/firejail/mnt/dev/usb on /dev/usb (type=u2f)
skipping /run/firejail/mnt/dev/usb on /dev/usb due to its type (type=u2f)
Globbing /run/firejail/mnt/dev/input on /dev/input (type=input)
skipping /run/firejail/mnt/dev/input on /dev/input due to its type (type=input)
Globbing /run/firejail/mnt/dev/ntsync on /dev/ntsync (type=ntsync)
No match /run/firejail/mnt/dev/ntsync (type=ntsync)
Process /dev/shm directory
Generate private-tmp whitelist commands
blacklist /run/firejail/dbus
Creating a new /etc/hostname file
Creating empty /run/firejail/mnt/hostname file
Creating a new /etc/hosts file
Loading user hosts file
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/src/linux-6.18.18-gentoo-dist (requested /usr/src/linux)
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Debug 588: whitelist /tmp/.X11-unix
Debug 609: expanded: /tmp/.X11-unix
Debug 620: new_name: /tmp/.X11-unix
Debug 630: dir: /tmp
Adding whitelist top level directory /tmp
Debug 588: whitelist /tmp/sndio
Debug 609: expanded: /tmp/sndio
Debug 620: new_name: /tmp/sndio
Debug 630: dir: /tmp
Removed path: whitelist /tmp/sndio
	new_name: /tmp/sndio
	realpath: (null)
	No such file or directory
Debug 588: whitelist /sys/module/nvidia*
Debug 609: expanded: /sys/module/nvidia*
Debug 620: new_name: /sys/module/nvidia*
Debug 630: dir: /sys/module
Adding whitelist top level directory /sys/module
Removed path: whitelist /sys/module/nvidia*
	new_name: /sys/module/nvidia*
	realpath: (null)
	No such file or directory
Adding new profile command: whitelist /sys/module/nvidia_uvm
Adding new profile command: whitelist /sys/module/nvidia
Adding new profile command: whitelist /sys/module/nvidia_drm
Adding new profile command: whitelist /sys/module/nvidia_modeset
Debug 588: whitelist /sys/module/nvidia_uvm
Debug 609: expanded: /sys/module/nvidia_uvm
Debug 620: new_name: /sys/module/nvidia_uvm
Debug 630: dir: /sys/module
Debug 588: whitelist /sys/module/nvidia
Debug 609: expanded: /sys/module/nvidia
Debug 620: new_name: /sys/module/nvidia
Debug 630: dir: /sys/module
Debug 588: whitelist /sys/module/nvidia_drm
Debug 609: expanded: /sys/module/nvidia_drm
Debug 620: new_name: /sys/module/nvidia_drm
Debug 630: dir: /sys/module
Debug 588: whitelist /sys/module/nvidia_modeset
Debug 609: expanded: /sys/module/nvidia_modeset
Debug 620: new_name: /sys/module/nvidia_modeset
Debug 630: dir: /sys/module
Mounting tmpfs on /tmp, check owner: no
1769 443 0:106 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw,inode64
mountid=1769 fsname=/ dir=/tmp fstype=tmpfs
Mounting tmpfs on /sys/module, check owner: no
1770 301 0:107 / /sys/module rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755,inode64
mountid=1770 fsname=/ dir=/sys/module fstype=tmpfs
Whitelisting /tmp/.X11-unix
1771 1769 0:35 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev master:48 - tmpfs tmpfs rw,nr_inodes=1048576,inode64,usrquota
mountid=1771 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Whitelisting /sys/module/nvidia_uvm
1772 1770 0:23 /module/nvidia_uvm /sys/module/nvidia_uvm ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
mountid=1772 fsname=/module/nvidia_uvm dir=/sys/module/nvidia_uvm fstype=sysfs
Whitelisting /sys/module/nvidia
1773 1770 0:23 /module/nvidia /sys/module/nvidia ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
mountid=1773 fsname=/module/nvidia dir=/sys/module/nvidia fstype=sysfs
Whitelisting /sys/module/nvidia_drm
1774 1770 0:23 /module/nvidia_drm /sys/module/nvidia_drm ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
mountid=1774 fsname=/module/nvidia_drm dir=/sys/module/nvidia_drm fstype=sysfs
Whitelisting /sys/module/nvidia_modeset
1775 1770 0:23 /module/nvidia_modeset /sys/module/nvidia_modeset ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
mountid=1775 fsname=/module/nvidia_modeset dir=/sys/module/nvidia_modeset fstype=sysfs
Mounting noexec /tmp
1777 1776 0:35 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev master:48 - tmpfs tmpfs rw,nr_inodes=1048576,inode64,usrquota
mountid=1777 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /tmp/.X11-unix
1778 1777 0:35 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec master:48 - tmpfs tmpfs rw,nr_inodes=1048576,inode64,usrquota
mountid=1778 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Disable /home/saniter/.local/share/Trash
Not blacklist /home/saniter/.python_history
Disable /home/saniter/.sqlite_history
Disable /home/saniter/.zsh_history
Disable /home/saniter/.bash_history
Disable /home/saniter/.node_repl_history
Disable /home/saniter/.lesshst
Disable /home/saniter/.local/share/nvim
Disable /home/saniter/.local/state/nvim
Not blacklist /home/saniter/.python-history
Not blacklist /home/saniter/.pythonhist
Disable /home/saniter/.viminfo
Disable /home/saniter/.config/autostart
Disable /etc/X11/xinit
Disable /etc/xdg/autostart
Disable /home/saniter/.local/share/gvfs-metadata
Mounting read-only /home/saniter/.config/dconf
1792 463 252:2 /saniter/.config/dconf /home/saniter/.config/dconf ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1792 fsname=/saniter/.config/dconf dir=/home/saniter/.config/dconf fstype=ext4
Disable /home/saniter/.config/systemd
Add path entry /home/saniter/.npm-global/bin
Add path entry /home/saniter/.local/bin
Add path entry /home/saniter/.bun/bin
Add path entry /home/saniter/go/bin
Add path entry /usr/local/sbin
Add path entry /usr/local/bin
Add path entry /usr/bin
Add path entry /opt/bin
Add path entry /usr/lib/llvm/21/bin
Add path entry /opt/android-sdk/cmdline-tools/latest/bin
Add path entry /etc/eselect/wine/bin
Add path entry /opt/cuda/bin
Number of path entries: 12
Disable /usr/bin/systemctl
Disable /usr/bin/systemd-run
Disable /usr/bin/systemd-mount
Disable /usr/bin/systemd-repart
Disable /usr/bin/systemd-delta
Disable /usr/bin/systemd-nspawn
Disable /usr/bin/systemd-vmspawn
Disable /usr/bin/systemd-mute-console
Disable /usr/bin/systemd-notify
Disable /usr/bin/systemd-creds
Disable /usr/bin/systemd-analyze
Disable /usr/bin/systemd-firstboot
Disable /usr/bin/systemd-ac-power
Disable /usr/bin/systemd-tmpfiles
Disable /usr/bin/systemd-sysext (requested /usr/bin/systemd-confext)
Disable /usr/bin/systemd-path
Disable /usr/bin/systemd-mount (requested /usr/bin/systemd-umount)
Disable /usr/bin/systemd-stdio-bridge
Disable /usr/bin/systemd-cgls
Disable /usr/bin/resolvectl (requested /usr/bin/systemd-resolve)
Disable /usr/bin/systemd-sysext
Disable /usr/bin/systemd-detect-virt
Disable /usr/bin/systemd-vpick
Disable /usr/bin/systemd-socket-activate
Disable /usr/bin/systemd-id128
Disable /usr/bin/systemd-hwdb
Disable /usr/bin/systemd-inhibit
Disable /usr/bin/systemd-sysusers
Disable /usr/bin/systemd-pty-forward
Disable /usr/bin/systemd-machine-id-setup
Disable /usr/bin/systemd-cgtop
Disable /usr/bin/systemd-tty-ask-password-agent
Disable /usr/bin/systemd-dissect
Disable /usr/bin/systemd-escape
Disable /usr/bin/systemd-ask-password
Disable /usr/bin/systemd-cat
Disable /run/user/1000/systemd
Disable /etc/credstore.encrypted
Disable /etc/credstore
Disable /etc/systemd/network
Disable /etc/systemd/system
Disable /run/credentials
Disable /var/lib/systemd
Disable /etc/init.d
Disable /etc/runlevels
Disable /run/user/1000/containers
Disable /run/user/1000/libpod
Disable /var/lib/upower
Disable /var/spool/mail (requested /var/mail)
Disable /var/spool/mail
Disable /etc/cron.daily
Disable /etc/default
Disable /etc/grub.d
Disable /etc/kernel
Disable /etc/logrotate.d
Disable /etc/modules-load.d
Mounting read-only /home/saniter/.bash_logout
1850 463 252:2 /saniter/.bash_logout /home/saniter/.bash_logout ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1850 fsname=/saniter/.bash_logout dir=/home/saniter/.bash_logout fstype=ext4
Mounting read-only /home/saniter/.bash_profile
1851 463 252:2 /saniter/.bash_profile /home/saniter/.bash_profile ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1851 fsname=/saniter/.bash_profile dir=/home/saniter/.bash_profile fstype=ext4
Mounting read-only /home/saniter/.bashrc
1852 463 252:2 /saniter/.bashrc /home/saniter/.bashrc ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1852 fsname=/saniter/.bashrc dir=/home/saniter/.bashrc fstype=ext4
Mounting read-only /home/saniter/.oh-my-zsh
1853 463 252:2 /saniter/.oh-my-zsh /home/saniter/.oh-my-zsh ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1853 fsname=/saniter/.oh-my-zsh dir=/home/saniter/.oh-my-zsh fstype=ext4
Mounting read-only /home/saniter/.zshenv
1854 463 252:2 /saniter/.zshenv /home/saniter/.zshenv ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1854 fsname=/saniter/.zshenv dir=/home/saniter/.zshenv fstype=ext4
Mounting read-only /home/saniter/.zshrc
1855 463 252:2 /saniter/.zshrc /home/saniter/.zshrc ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1855 fsname=/saniter/.zshrc dir=/home/saniter/.zshrc fstype=ext4
Mounting read-only /home/saniter/.config/mpv
1856 463 252:2 /saniter/.config/mpv /home/saniter/.config/mpv ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1856 fsname=/saniter/.config/mpv dir=/home/saniter/.config/mpv fstype=ext4
Mounting read-only /home/saniter/.config/nvim
1857 463 252:2 /saniter/.config/nvim /home/saniter/.config/nvim ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1857 fsname=/saniter/.config/nvim dir=/home/saniter/.config/nvim fstype=ext4
Mounting read-only /home/saniter/.gnupg/gpg.conf
1858 463 252:2 /saniter/.gnupg/gpg.conf /home/saniter/.gnupg/gpg.conf ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1858 fsname=/saniter/.gnupg/gpg.conf dir=/home/saniter/.gnupg/gpg.conf fstype=ext4
Mounting read-only /home/saniter/.mozilla/firefox/profiles.ini
1859 463 252:2 /saniter/.mozilla/firefox/profiles.ini /home/saniter/.mozilla/firefox/profiles.ini ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1859 fsname=/saniter/.mozilla/firefox/profiles.ini dir=/home/saniter/.mozilla/firefox/profiles.ini fstype=ext4
Mounting read-only /home/saniter/.npmrc
1860 463 252:2 /saniter/.npmrc /home/saniter/.npmrc ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1860 fsname=/saniter/.npmrc dir=/home/saniter/.npmrc fstype=ext4
Mounting read-only /home/saniter/.ssh/config
1861 463 252:2 /saniter/.ssh/config /home/saniter/.ssh/config ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1861 fsname=/saniter/.ssh/config dir=/home/saniter/.ssh/config fstype=ext4
Mounting read-only /home/saniter/.vim
1862 463 252:2 /saniter/.vim /home/saniter/.vim ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1862 fsname=/saniter/.vim dir=/home/saniter/.vim fstype=ext4
Mounting read-only /home/saniter/.w3m
1863 463 252:2 /saniter/.w3m /home/saniter/.w3m ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1863 fsname=/saniter/.w3m dir=/home/saniter/.w3m fstype=ext4
Mounting read-only /home/saniter/.local/bin
1864 463 252:2 /saniter/.local/bin /home/saniter/.local/bin ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1864 fsname=/saniter/.local/bin dir=/home/saniter/.local/bin fstype=ext4
Mounting read-only /home/saniter/.config/menus
1865 463 252:2 /saniter/.config/menus /home/saniter/.config/menus ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1865 fsname=/saniter/.config/menus dir=/home/saniter/.config/menus fstype=ext4
Mounting read-only /home/saniter/.local/share/applications
1866 463 252:2 /saniter/.local/share/applications /home/saniter/.local/share/applications ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1866 fsname=/saniter/.local/share/applications dir=/home/saniter/.local/share/applications fstype=ext4
Mounting read-only /home/saniter/.config/mimeapps.list
1867 463 252:2 /saniter/.config/mimeapps.list /home/saniter/.config/mimeapps.list ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1867 fsname=/saniter/.config/mimeapps.list dir=/home/saniter/.config/mimeapps.list fstype=ext4
Mounting read-only /home/saniter/.config/user-dirs.dirs
1868 463 252:2 /saniter/.config/user-dirs.dirs /home/saniter/.config/user-dirs.dirs ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1868 fsname=/saniter/.config/user-dirs.dirs dir=/home/saniter/.config/user-dirs.dirs fstype=ext4
Mounting read-only /home/saniter/.config/user-dirs.locale
1869 463 252:2 /saniter/.config/user-dirs.locale /home/saniter/.config/user-dirs.locale ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1869 fsname=/saniter/.config/user-dirs.locale dir=/home/saniter/.config/user-dirs.locale fstype=ext4
Mounting read-only /home/saniter/.local/share/mime
1870 463 252:2 /saniter/.local/share/mime /home/saniter/.local/share/mime ro,noatime master:180 - ext4 /dev/mapper/vg0-home rw
mountid=1870 fsname=/saniter/.local/share/mime dir=/home/saniter/.local/share/mime fstype=ext4
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /etc/sudo.conf
Disable /etc/sudo_logsrvd.conf
Disable /etc/sudoers
Disable /etc/sudoers.dist
Not blacklist /home/saniter/.git-credentials
Disable /home/saniter/.gnupg
Disable /home/saniter/.local/share/keyrings
Disable /home/saniter/.local/share/pki
Disable /home/saniter/.pki
Disable /home/saniter/.ssh
Warning: /sbin directory link was not blacklisted
Disable /usr/local/sbin
Warning: /usr/sbin directory link was not blacklisted
Disable /usr/bin/chage
Disable /usr/bin/chfn
Disable /usr/bin/chsh
Disable /usr/bin/evtest
Disable /usr/bin/expiry
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount3
Disable /usr/bin/gpasswd
Disable /usr/bin/groupmems
Disable /usr/bin/hostname
Disable /usr/bin/ksu
Disable /usr/bin/mount
Disable /usr/bin/systemd-dissect (requested /usr/bin/mount.ddi)
Disable /usr/bin/mount.fuse3
Disable /usr/bin/mount.fuse
Disable /usr/bin/rclone (requested /usr/bin/mount.rclone)
Disable /usr/bin/ntfs-3g (requested /usr/bin/mount.ntfs-3g)
Disable /usr/bin/lowntfs-3g (requested /usr/bin/mount.lowntfs-3g)
Disable /usr/bin/ntfs-3g (requested /usr/bin/mount.ntfs)
Disable /usr/bin/mountpoint
Disable /usr/bin/nc
Disable /usr/bin/netstat
Disable /usr/bin/networkctl
Disable /usr/bin/newgidmap
Disable /usr/bin/newgrp
Disable /usr/bin/newuidmap
Disable /usr/bin/nm-online
Disable /usr/bin/nmap
Disable /usr/bin/nmcli
Disable /usr/bin/nmtui
Disable /usr/bin/nmtui (requested /usr/bin/nmtui-connect)
Disable /usr/bin/nmtui (requested /usr/bin/nmtui-edit)
Disable /usr/bin/nmtui (requested /usr/bin/nmtui-hostname)
Disable /usr/bin/ntfs-3g
Disable /usr/bin/passwd
Disable /usr/bin/pkexec
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /usr/bin/ss
Disable /usr/bin/strace
Disable /usr/bin/su
Disable /usr/bin/sudo
Disable /usr/bin/tcpdump
Disable /usr/bin/umount
Disable /usr/bin/unix_chkpwd
Disable /usr/libexec/eselect-java/run-java-tool.bash (requested /usr/bin/apt)
Disable /usr/bin/efibootdump
Disable /usr/bin/efibootmgr
Disable /usr/bin/proxy
Disable /usr/bin/dbus-cleanup-sockets
Disable /usr/bin/dbus-send
Disable /usr/bin/dbus-monitor
Disable /usr/bin/dbus-binding-tool
Disable /usr/bin/dbus-run-session
Disable /usr/bin/dbus-daemon
Disable /usr/bin/dbus-launch
Disable /usr/bin/dbus-uuidgen
Disable /usr/bin/dbus-update-activation-environment
Disable /usr/bin/dbus-test-tool
Disable /usr/bin/grub-reboot
Disable /usr/bin/grub-mknetdir
Disable /usr/bin/grub-menulst2cfg
Disable /usr/bin/grub-script-check
Disable /usr/bin/grub-file
Disable /usr/bin/grub-sparc64-setup
Disable /usr/bin/grub-macbless
Disable /usr/bin/grub-mkstandalone
Disable /usr/bin/grub-mkimage
Disable /usr/bin/grub-mount
Disable /usr/bin/grub-probe
Disable /usr/bin/grub-glue-efi
Disable /usr/bin/grub-kbdcomp
Disable /usr/bin/grub-mkrescue
Disable /usr/bin/grub-bios-setup
Disable /usr/bin/grub-mkfont
Disable /usr/bin/grub-mkconfig
Disable /usr/bin/grub-editenv
Disable /usr/bin/grub-mklayout
Disable /usr/bin/grub-fstest
Disable /usr/bin/grub-install
Disable /usr/bin/grub-syslinux2cfg
Disable /usr/bin/grub-mkrelpath
Disable /usr/bin/grub-mkpasswd-pbkdf2
Disable /usr/bin/grub-set-default
Disable /usr/bin/grub-render-label
Disable /usr/bin/grub-ofpathname
Disable /usr/bin/kernel-install
Disable /usr/bin/firemon
Disable /usr/bin/firecfg
Disable /usr/bin/jailcheck
Disable /home/saniter/.cache/flatpak
Disable /home/saniter/.local/share/flatpak/repo
Disable /home/saniter/.local/share/flatpak/db
Disable /home/saniter/.local/share/flatpak/.changed
Disable /home/saniter/.var
Disable /usr/bin/bwrap
Warning (blacklisting): cannot stat /run/user/1000/doc: Permission denied
Disable /usr/share/flatpak
Disable /var/lib/flatpak/.removed
Not blacklist /var/lib/flatpak/exports
Disable /var/lib/flatpak/runtime
Disable /var/lib/flatpak/app
Disable /var/lib/flatpak/.changed
Disable /var/lib/flatpak/repo
Disable /proc/config.gz
Disable /usr/bin/delv
Disable /usr/bin/dig
Disable /usr/bin/dnssec-verify
Disable /usr/bin/dnssec-dsfromkey
Disable /usr/bin/dnssec-settime
Disable /usr/bin/dnssec-revoke
Disable /usr/bin/dnssec-importkey
Disable /usr/bin/dnssec-cds
Disable /usr/bin/dnssec-keygen
Disable /usr/bin/dnssec-signzone
Disable /usr/bin/dnssec-keyfromlabel
Disable /usr/bin/mdig
Disable /usr/bin/host
Disable /usr/bin/nslookup
Disable /usr/bin/nsupdate
Disable /usr/bin/nstat
Disable /usr/bin/resolvectl
Disable /usr/bin/ssh-keyscan
Disable /usr/bin/ssh-keygen
Disable /usr/bin/sshd
Disable /usr/bin/ssh-copy-id
Disable /usr/bin/ssh
Disable /usr/bin/ssh-agent
Disable /usr/bin/ssh-add
Disable /run/user/1000/wayland-1.lock
Disable /run/user/1000/pipewire-0-manager.lock
Disable /run/user/1000/pipewire-0.lock
Not blacklist /home/saniter/.ammonite
Disable /home/saniter/.android
Not blacklist /home/saniter/.arduino15
Not blacklist /home/saniter/.bundle
Disable /home/saniter/.cache/babl
Disable /home/saniter/.cache/chromium
Disable /home/saniter/.cache/gegl-0.4
Disable /home/saniter/.cache/gimp
Disable /home/saniter/.cache/google-chrome
Disable /home/saniter/.cache/mozilla
Disable /home/saniter/.cache/nvim
Disable /home/saniter/.cache/pip
Disable /home/saniter/.cache/qBittorrent
Disable /home/saniter/.cache/rclone
Disable /home/saniter/.cache/spotify
Disable /home/saniter/.cache/thunderbird
Disable /home/saniter/.cache/ungoogled-chromium
Not blacklist /home/saniter/.cargo
Not blacklist /home/saniter/.config/Code
Not blacklist /home/saniter/.config/Code - OSS
Not blacklist /home/saniter/.config/Electron
Disable /home/saniter/.config/Epic
Disable /home/saniter/.config/GIMP
Disable /home/saniter/.config/Kingsoft
Disable /home/saniter/.config/ModTheSpire
Disable /home/saniter/.config/QQ
Disable /home/saniter/Hyprland-Dots/config/Thunar (requested /home/saniter/.config/Thunar)
Disable /home/saniter/.config/chromium
Not blacklist /home/saniter/.config/electron*-flag*.conf
Disable /home/saniter/.config/gh
Not blacklist /home/saniter/.config/git
Disable /home/saniter/.config/google-chrome
Not blacklist /home/saniter/.config/jgit
Disable /home/saniter/.config/libreoffice
Disable /home/saniter/.config/mpv
Disable /home/saniter/.config/nvim
Disable /home/saniter/.config/obs-studio
Disable /home/saniter/.config/pavucontrol.ini
Disable /home/saniter/.config/qBittorrent
Disable /home/saniter/.config/rclone
Disable /home/saniter/.config/spotify
Disable /home/saniter/.config/ungoogled-chromium
Disable /home/saniter/Hyprland-Dots/config/vlc (requested /home/saniter/.config/vlc)
Disable /home/saniter/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
Disable /home/saniter/.config/zathura
Disable /home/saniter/.fltk
Not blacklist /home/saniter/.g8
Not blacklist /home/saniter/.gitconfig
Not blacklist /home/saniter/.gradle
Not blacklist /home/saniter/.ivy2
Not blacklist /home/saniter/.java
Disable /home/saniter/.local/share/Kingsoft
Disable /home/saniter/.local/share/Steam
Disable /home/saniter/.local/share/man
Disable /home/saniter/.local/share/qBittorrent
Disable /home/saniter/.local/share/spotify
Disable /home/saniter/.local/share/vlc
Disable /home/saniter/.local/share/vulkan
Disable /home/saniter/.local/share/zathura
Disable /home/saniter/.local/state/mpv
Disable /home/saniter/.mozilla
Not blacklist /home/saniter/.node-gyp
Not blacklist /home/saniter/.npm
Not blacklist /home/saniter/.npmrc
Disable /home/saniter/.nv
Not blacklist /home/saniter/.nvm
Not blacklist /home/saniter/.platformio
Not blacklist /home/saniter/.pylint.d
Not blacklist /home/saniter/.rustup
Not blacklist /home/saniter/.sbt
Disable /home/saniter/.steam
Disable /home/saniter/.thunderbird
Disable /home/saniter/.vim
Not blacklist /home/saniter/.vscode
Not blacklist /home/saniter/.vscode-oss
Disable /home/saniter/.w3m
Disable /home/saniter/.wget-hsts
Disable /home/saniter/.wine
Not blacklist /home/saniter/.yarn
Not blacklist /home/saniter/.yarn-config
Not blacklist /home/saniter/.yarncache
Not blacklist /home/saniter/.yarnrc
Not blacklist /home/saniter/Arduino
Mounting tmpfs on /home/saniter/.cache, check owner: yes
2070 463 0:108 / /home/saniter/.cache rw,nosuid,nodev,noatime - tmpfs tmpfs rw,mode=755,uid=1000,gid=1000,inode64
mountid=2070 fsname=/ dir=/home/saniter/.cache fstype=tmpfs
Mounting read-only /tmp/.X11-unix
2071 1778 0:35 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec master:48 - tmpfs tmpfs rw,nr_inodes=1048576,inode64,usrquota
mountid=2071 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Disable /sys/fs
Base filesystem installed in 73.36 ms
disable pulseaudio
blacklist /home/saniter/.config/pulse
blacklist /run/user/1000/pulse/native
blacklist /run/user/1000/pulse
disable pipewire
blacklist /run/user/1000/pipewire-0-manager.lock
blacklist /run/user/1000/pipewire-0.lock
blacklist /run/user/1000/pipewire-0-manager
blacklist /run/user/1000/pipewire-0
blacklist /run/user/1000/pipewire-0-manager.lock
blacklist /run/user/1000/pipewire-0.lock
blacklist /run/user/1000/pipewire-0-manager
blacklist /run/user/1000/pipewire-0
Globbing /dev/snd (type=sound skip_symlinks=0)
No match /dev/snd (type=sound)
Globbing /dev/shm/jack* (type=sound skip_symlinks=1)
No match /dev/shm/jack* (type=sound)
Globbing /dev/dvb (type=tv skip_symlinks=0)
No match /dev/dvb (type=tv)
Globbing /dev/sr[0-9]* (type=dvd skip_symlinks=0)
No match /dev/sr[0-9]* (type=dvd)
Globbing /dev/tcm[0-9]* (type=tpm skip_symlinks=0)
No match /dev/tcm[0-9]* (type=tpm)
Globbing /dev/tcmrm[0-9]* (type=tpm skip_symlinks=0)
No match /dev/tcmrm[0-9]* (type=tpm)
Globbing /dev/tpm[0-9]* (type=tpm skip_symlinks=0)
No match /dev/tpm[0-9]* (type=tpm)
Globbing /dev/tpmrm[0-9]* (type=tpm skip_symlinks=0)
No match /dev/tpmrm[0-9]* (type=tpm)
Globbing /dev/hidraw[0-9]* (type=u2f skip_symlinks=0)
No match /dev/hidraw[0-9]* (type=u2f)
Globbing /dev/usb (type=u2f skip_symlinks=0)
No match /dev/usb (type=u2f)
Globbing /dev/video[0-9]* (type=video skip_symlinks=0)
No match /dev/video[0-9]* (type=video)
Globbing /dev/input (type=input skip_symlinks=0)
No match /dev/input (type=input)
Globbing /dev/ntsync (type=ntsync skip_symlinks=0)
No match /dev/ntsync (type=ntsync)
Current directory: /home/saniter/.local/share/applications
DISPLAY=:0 parsed as 0
Mounting read-only /run/firejail/mnt/seccomp
2084 449 0:50 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=2084 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             260 ..
-rw-r--r-- saniter  saniter          640 seccomp
-rw-r--r-- saniter  saniter          432 seccomp.32
-rw-r--r-- saniter  saniter            0 seccomp.postexec
-rw-r--r-- saniter  saniter            0 seccomp.postexec32
No active seccomp files
Set caps filter 240000
pid=269785: unlocking /run/firejail/firejail-network.lock ...
Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0
pid=269785: already unlocked /run/firejail/firejail-network.lock
Warning: NVIDIA card detected, nogroups command ignored
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
Not enforcing Landlock (see landlock.enforce)
execvp argument 0: /usr/bin/code
Child process initialized in 118.31 ms
monitoring pid 3

Sandbox monitor: waitpid 3 retval 3 status 0
Sandbox monitor: monitoring 21
monitoring pid 21
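
The debug output above is the record of how `private-dev` was built for this run, and the reporter's bisect in the description pins the Wayland hang on `/dev/nvidiactl` being unavailable. The script below is an added example for working through such a log; it is not firejail's code and not part of the report. It parses the `mounting … (type=…) file|directory`, `skipping … due to its type` and `No match …` lines that firejail prints while populating the private `/dev` from its staging copy at `/run/firejail/mnt/dev`, then cross-checks the result against the list of device nodes an application opens (which a practitioner would collect outside the jail with `strace -f -e trace=openat`). `SAMPLE_LOG` is a constructed excerpt in the format of the log above; the `needed` list, the `STAGING` constant and all function names are the example's own. The later per-type pass (`Globbing /dev/snd (type=sound skip_symlinks=0)` and similar, printed after the base filesystem is installed) is deliberately ignored because it reports a different phase.

```python
"""Classify firejail --debug private-dev output and explain missing device nodes.

Added example for this issue page; not firejail project code.
"""
import re

# Staging directory firejail bind-mounts the host /dev to before replacing
# /dev with tmpfs (taken from the paths in the log above).
STAGING = "/run/firejail/mnt/dev"

# Constructed excerpt in the format printed by firejail 0.9.76 --debug;
# trimmed to a handful of entries and not the full log from the report.
SAMPLE_LOG = """\
Mounting tmpfs on /dev
Globbing /run/firejail/mnt/dev/snd on /dev/snd (type=sound)
skipping /run/firejail/mnt/dev/snd on /dev/snd due to its type (type=sound)
Globbing /run/firejail/mnt/dev/dri on /dev/dri (type=3d)
mounting /run/firejail/mnt/dev/dri on /dev/dri (type=3d) directory
Globbing /run/firejail/mnt/dev/nvidia[0-9]* on /dev/nvidia[0-9]* (type=3d)
mounting /run/firejail/mnt/dev/nvidia0 on /dev/nvidia0 (type=3d) file
Globbing /run/firejail/mnt/dev/nvidiactl on /dev/nvidiactl (type=3d)
mounting /run/firejail/mnt/dev/nvidiactl on /dev/nvidiactl (type=3d) file
Globbing /run/firejail/mnt/dev/nvidia-uvm on /dev/nvidia-uvm (type=3d)
No match /run/firejail/mnt/dev/nvidia-uvm (type=3d)
Globbing /run/firejail/mnt/dev/video[0-9]* on /dev/video[0-9]* (type=video)
skipping /run/firejail/mnt/dev/video0 on /dev/video0 due to its type (type=video)
Process /dev/shm directory
Globbing /dev/snd (type=sound skip_symlinks=0)
No match /dev/snd (type=sound)
"""

_S = re.escape(STAGING)
MOUNT_RE = re.compile(r"^mounting " + _S + r"/\S+ on (/dev/\S+) \(type=(\w+)\) (?:file|directory)$")
SKIP_RE = re.compile(r"^skipping " + _S + r"/\S+ on (/dev/\S+) due to its type \(type=(\w+)\)$")
NOMATCH_RE = re.compile(r"^No match " + _S + r"(/\S+) \(type=(\w+)\)$")


def parse_private_dev(log_text):
    """Return (exposed, blocked, absent) dicts keyed by sandbox /dev path.

    exposed: node or directory bind-mounted into the sandbox /dev
    blocked: node present on the host but skipped because of its type
    absent:  glob (key may be a pattern) had no match in the staging copy
    Values are firejail's device type string (3d, sound, video, ...).
    Only lines referencing the staging directory are considered, so the
    later 'Globbing /dev/... skip_symlinks=' pass is ignored.
    """
    exposed, blocked, absent = {}, {}, {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = MOUNT_RE.match(line)
        if m:
            exposed[m.group(1)] = m.group(2)
            continue
        m = SKIP_RE.match(line)
        if m:
            blocked[m.group(1)] = m.group(2)
            continue
        m = NOMATCH_RE.match(line)
        if m:
            absent["/dev" + m.group(1)] = m.group(2)
    return exposed, blocked, absent


def is_exposed(path, exposed):
    """True if path itself, or a directory above it, was mounted into the sandbox."""
    parts = path.rstrip("/").split("/")
    for i in range(len(parts), 1, -1):
        if "/".join(parts[:i]) in exposed:
            return True
    return False


def explain_missing(needed, parsed):
    """Map each device path an application opens to a verdict string.

    'exposed'       reachable inside the sandbox
    'blocked:<type>' skipped by private-dev because of its type (nosound, novideo, ...)
    'absent'        not on the host at all, so not a sandboxing problem
    'not_in_log'    never mentioned by private-dev in this log
    """
    exposed, blocked, absent = parsed
    verdict = {}
    for path in needed:
        if is_exposed(path, exposed):
            verdict[path] = "exposed"
        elif path in blocked:
            verdict[path] = "blocked:" + blocked[path]
        elif path in absent:
            verdict[path] = "absent"
        else:
            verdict[path] = "not_in_log"
    return verdict


if __name__ == "__main__":
    parsed = parse_private_dev(SAMPLE_LOG)
    # Constructed list of nodes an Electron app on an NVIDIA host might open;
    # collect the real one with strace outside the jail and feed it in here.
    needed = ["/dev/nvidiactl", "/dev/nvidia0", "/dev/nvidia-uvm",
              "/dev/dri/renderD128", "/dev/video0"]
    for path, why in explain_missing(needed, parsed).items():
        print(f"{path:24s} {why}")
```

Run against the constructed excerpt, `/dev/nvidiactl`, `/dev/nvidia0` and `/dev/dri/renderD128` come back `exposed`, `/dev/nvidia-uvm` is `absent` and `/dev/video0` is `blocked:video`. Applied to the real log on this page the same pass also reports `nvidiactl` as mounted with `type=3d`, so a practitioner would compare that verdict against what the application actually fails on (for example by running it under `strace` inside the jail with `--ignore=private-dev` removed) before concluding that the device list is the whole story.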

/dev/hidraw[0-9]* (type=u2f) Globbing /dev/usb (type=u2f skip_symlinks=0) No match /dev/usb (type=u2f) Globbing /dev/video[0-9]* (type=video skip_symlinks=0) No match /dev/video[0-9]* (type=video) Globbing /dev/input (type=input skip_symlinks=0) No match /dev/input (type=input) Globbing /dev/ntsync (type=ntsync skip_symlinks=0) No match /dev/ntsync (type=ntsync) Current directory: /home/saniter/.local/share/applications DISPLAY=:0 parsed as 0 Mounting read-only /run/firejail/mnt/seccomp 2084 449 0:50 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64 mountid=2084 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Seccomp directory: ls /run/firejail/mnt/seccomp drwxr-xr-x root root 120 . drwxr-xr-x root root 260 .. -rw-r--r-- saniter saniter 640 seccomp -rw-r--r-- saniter saniter 432 seccomp.32 -rw-r--r-- saniter saniter 0 seccomp.postexec -rw-r--r-- saniter saniter 0 seccomp.postexec32 No active seccomp files Set caps filter 240000 pid=269785: unlocking /run/firejail/firejail-network.lock ... Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0 pid=269785: already unlocked /run/firejail/firejail-network.lock Warning: NVIDIA card detected, nogroups command ignored Closing non-standard file descriptors Starting application LD_PRELOAD=(null) Not enforcing Landlock (see landlock.enforce) execvp argument 0: /usr/bin/code Child process initialized in 118.31 ms monitoring pid 3 Sandbox monitor: waitpid 3 retval 3 status 0 Sandbox monitor: monitoring 21 monitoring pid 21 ``` </p> </details>
gitea-mirror added the "needinfo" label 2026-05-05 10:01:49 -06:00
@kmk3 commented on GitHub (Mar 27, 2026):

> firejail version 0.9.76

Note that we do not maintain that version of firejail:

* <https://github.com/netblue30/firejail/blob/master/SECURITY.md>

Versions other than the latest usually have outdated profiles and may contain
bugs and security vulnerabilities that were fixed in later versions.

See also:

* <https://github.com/netblue30/firejail#installing>

What happens with the latest released version?
@kmk3 commented on GitHub (Mar 27, 2026):

> - [x] I am using the full program path (e.g. `firejail /usr/bin/vlc` instead
>   of `firejail vlc`; see `https://github.com/netblue30/firejail/issues/2877`)

> `firejail code`

That is not the case.

What changes when using `/usr/bin/code` in all commands?

> I am using Gentoo with Hyprland and an NVIDIA GPU. VSCode gets stuck at
> startup and no window is shown when using the default code profile under
> Wayland.

Does it work with sway or another compositor?

> If I bypass the device isolation by adding ignore private-dev, VSCode opens
> normally under Wayland: `firejail --ignore=private-dev code
> --ozone-platform=wayland --enable-features=UseOzonePlatform`

> Further debugging shows that the issue is specifically caused by the blocking
> of /dev/nvidiactl. If I ignore private-dev but manually blacklist
> /dev/nvidiactl, VSCode fails to open again: `firejail --ignore=private-dev
> --blacklist=/dev/nvidiactl code --ozone-platform=wayland
> --enable-features=UseOzonePlatform`

`/dev/nvidiactl` should appear in the sandbox with `private-dev` unless `no3d`
is used.

Does it work with the following?

```sh
firejail --ignore=no3d /usr/bin/code
```

What is the output of the following?

```sh
firejail --private-dev ls -l /dev/nvidia*
firejail --private-dev --no3d ls -l /dev/nvidia*
```
@nuclear06 commented on GitHub (Mar 27, 2026):

> What happens with the latest released version?

I upgraded to `0.9.80`, but the behavior remains exactly the same.

> What changes when using /usr/bin/code in all commands?

I tried the following command and it works:

```sh
firejail --ignore=private-dev /usr/bin/code \
  --ozone-platform=wayland --enable-features=UseOzonePlatform
```

This still does not work:

```sh
firejail --ignore=private-dev --blacklist=/dev/nvidiactl /usr/bin/code \
  --ozone-platform=wayland --enable-features=UseOzonePlatform
```

> Does it work with the following?
> firejail --ignore=no3d /usr/bin/code

No, it also gets stuck.

> What is the output of the following?

```console
$ firejail --private-dev ls -l /dev/nvidia*
crw-rw---- 1 nobody nobody 195,   0 Mar 27 16:07 /dev/nvidia0
crw-rw---- 1 nobody nobody 195, 255 Mar 27 16:07 /dev/nvidiactl
crw-rw---- 1 nobody nobody 195, 254 Mar 27 16:56 /dev/nvidia-modeset
```

```console
$ firejail --private-dev --no3d ls -l /dev/nvidia*
ls: cannot access '/dev/nvidia0': No such file or directory
ls: cannot access '/dev/nvidiactl': No such file or directory
ls: cannot access '/dev/nvidia-modeset': No such file or directory
```

Additionally, I can confirm that `/dev/nvidiactl` **does** show up when using the `code` profile. I don't know how to explain my previous test results 😐:

```console
$ firejail --profile=code ls -l /dev/nvidia*
crw-rw---- 1 root video 195,   0 Mar 27 16:07 /dev/nvidia0
crw-rw---- 1 root video 195, 255 Mar 27 16:07 /dev/nvidiactl
crw-rw---- 1 root video 195, 254 Mar 27 16:56 /dev/nvidia-modeset
```
@nuclear06 commented on GitHub (Mar 27, 2026):

> Does it work with sway or another compositor?

I tried sway and it works normally, so does this relate to Hyprland?
@kmk3 commented on GitHub (Mar 27, 2026):

> Additionally, I can confirm that `/dev/nvidiactl` **does** show up when using
> the `code` profile. I don't know how to explain my previous test results 😐:
>
> ```
> $ firejail --profile=code ls -l /dev/nvidia*
> crw-rw---- 1 root video 195,   0 Mar 27 16:07 /dev/nvidia0
> crw-rw---- 1 root video 195, 255 Mar 27 16:07 /dev/nvidiactl
> crw-rw---- 1 root video 195, 254 Mar 27 16:56 /dev/nvidia-modeset
> ```
>
> > Does it work with sway or another compositor?
>
> I tried sway and it works normally, so does this relate to Hyprland?

In here gfx devices seem to be owned by `root:video`, which is unusual.

Usually gfx devices are owned by `root:render` and webcam devices by
`root:video`.

These groups are used when implementing `no3d` and `novideo`, respectively.

Does it work with the following?

```sh
firejail --ignore=novideo /usr/bin/code
```

Using `root:video` instead of `root:render` could be a quirk of gentoo (such as
patches in udev rules) or hyprland.

What is the output of the following?

```sh
grep -E 'render|video|nvidia' /usr/lib/udev/rules.d/*.rules
```

What is the output of the following on hyprland and on sway?

```sh
ls -l /dev/nvidia*
```
@nuclear06 commented on GitHub (Mar 27, 2026):

> Does it work with the following?
> firejail --ignore=novideo /usr/bin/code

Sadly no.

> grep -E 'render|video|nvidia' /usr/lib/udev/rules.d/*.rules

It might be caused by the following rules:

```text
/usr/lib/udev/rules.d/50-udev-default.rules:SUBSYSTEM=="graphics", GROUP="video"
/usr/lib/udev/rules.d/50-udev-default.rules:SUBSYSTEM=="drm", KERNEL!="renderD*", GROUP="video"
/usr/lib/udev/rules.d/50-udev-default.rules:SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="render", MODE="0666"
```

> What is the output of the following on hyprland and on sway?
> ls -l /dev/nvidia*

On Hyprland:

```
crw-rw---- 1 root video 195,   0 Mar 28 01:42 /dev/nvidia0
crw-rw---- 1 root video 195, 255 Mar 28 01:42 /dev/nvidiactl
crw-rw---- 1 root video 508,   0 Mar 28 01:49 /dev/nvidia-uvm
crw-rw---- 1 root video 508,   1 Mar 28 01:49 /dev/nvidia-uvm-tools

/dev/nvidia-caps:
total 0
cr-------- 1 root root 511, 1 Mar 28 01:49 nvidia-cap1
cr--r--r-- 1 root root 511, 2 Mar 28 01:49 nvidia-cap2
```

On Sway:

```
crw-rw---- 1 root video 195,   0 Mar 28 01:42 /dev/nvidia0
crw-rw---- 1 root video 195, 255 Mar 28 01:42 /dev/nvidiactl
crw-rw---- 1 root video 508,   0 Mar 28 01:49 /dev/nvidia-uvm
crw-rw---- 1 root video 508,   1 Mar 28 01:49 /dev/nvidia-uvm-tools

/dev/nvidia-caps:
total 0
cr-------- 1 root root 511, 1 Mar 28 01:49 nvidia-cap1
cr--r--r-- 1 root root 511, 2 Mar 28 01:49 nvidia-cap2
```
@nuclear06 commented on GitHub (Mar 30, 2026):

After further testing, I found that the issue seems to be caused by the lack of `/dev/char`.

`firejail --profile=code ls /dev/char`

```
ls: cannot access '/dev/char': No such file or directory
```

Stuck:
`firejail --ignore=private-dev --blacklist=/dev/char --profile=code /usr/bin/code`

Not stuck:
`firejail --noprofile --blacklist=/dev/char /usr/bin/code`

Do you have any ideas?
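A small diagnostic that ties together the two observations made in this thread (GPU nodes owned by `root:video` rather than `root:render`, and `/dev/char` missing inside the sandbox); it is an added example, not code from the issue author or the firejail project. The sample `ls -l` lines are constructed from the listings above, and `check_dev_char` takes the directory as a parameter so it can be pointed at `/dev/char` inside a sandbox shell (`firejail --profile=code sh`) or at a scratch directory.

```sh
#!/bin/sh
# Added diagnostic for the firejail device-isolation questions in this thread.
# Not part of firejail; sample device data below is constructed.

# Classify char-device nodes from `ls -l` output: owning group, rough kind by
# name, and the /dev/char/<major>:<minor> symlink udev normally creates for it.
# Usage: ls -l /dev/nvidia* /dev/dri/* | report_devices
report_devices() {
    awk '$1 ~ /^c/ {
        major = $5; sub(/,$/, "", major); minor = $6   # "195," "255" -> 195 255
        node = $NF; group = $4
        kind = "other"
        if (node ~ /nvidia|renderD|card[0-9]/) kind = "gfx"
        else if (node ~ /video[0-9]/) kind = "webcam"
        note = ""
        # The maintainer expects gfx nodes in root:render (the group behind
        # no3d); a gfx node in root:video instead matches the novideo group.
        if (kind == "gfx" && group == "video") note = " NOTE: gfx node in group video"
        printf "%s group=%s kind=%s char=/dev/char/%s:%s%s\n", node, group, kind, major, minor, note
    }'
}

# Check that DIR (normally /dev/char) carries the MAJ:MIN symlink for a device
# and print its target; prints "missing" when the sandbox hides /dev/char.
# Usage: check_dev_char /dev/char 195:255
check_dev_char() {
    dir=$1; devnum=$2
    if [ -L "$dir/$devnum" ]; then
        printf 'ok %s -> %s\n' "$devnum" "$(readlink "$dir/$devnum")"
        return 0
    fi
    printf 'missing %s\n' "$devnum"
    return 1
}

# Constructed sample: the Hyprland listing from the thread plus a render node
# and a webcam node, so all three classifications are exercised.
SAMPLE_LS='crw-rw---- 1 root video 195,   0 Mar 28 01:42 /dev/nvidia0
crw-rw---- 1 root video 195, 255 Mar 28 01:42 /dev/nvidiactl
crw-rw---- 1 root render 226, 128 Mar 28 01:42 /dev/dri/renderD128
crw-rw---- 1 root video  81,   0 Mar 28 01:42 /dev/video0'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LS" | report_devices
    check_dev_char /dev/char 195:255 || true
fi
```

Inside the sandbox, a `missing` result for every major:minor pair listed by `report_devices` reproduces the last comment's finding, while the same check on the host shows where each link points.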