[GH-ISSUE #7128] chromium: browsers crash on launch #3494

Open
opened 2026-05-05 10:01:56 -06:00 by gitea-mirror · 10 comments

Originally created by @winningTheWho on GitHub (Apr 8, 2026).
Original GitHub issue: https://github.com/netblue30/firejail/issues/7128

Description

Describe the bug

Steps to Reproduce

Steps to reproduce the behavior

  1. Debian 13 installation, brand new using Brave installed from the Brave official repo, using Debian maintained Firejail (0.9.74)
  2. Run Firecfg to enable firejail for Brave and other applications.
  3. Launch Brave from Terminal with firejail intercepting the link
  4. Verify Firejail is at fault by bypassing firejail, running this from terminal "/usr/bin/brave-browser"

Expected behavior

Brave Browser Launches

Actual behavior

The following shows in the terminal, Brave does not launch:

Reading profile /etc/firejail/brave-browser.profile
Reading profile /home/citizenone/.config/firejail/brave.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/blink-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
firejail version 0.9.74

Parent pid 30644, child pid 30645
Warning: cannot find /var/run/utmp
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Base filesystem installed in 102.67 ms
Child process initialized in 225.55 ms
[11:11:0407/184244.457911:FATAL:sandbox/linux/services/credentials.cc:131] Check failed: . : Permission denied (13)
[0407/184244.458164:ERROR:third_party/crashpad/crashpad/util/linux/scoped_ptrace_attach.cc:27] ptrace: Permission denied (13)
[0407/184244.458314:ERROR:third_party/crashpad/crashpad/handler/linux/exception_handler_server.cc:142] tgkill: Permission denied (13)
[0407/184244.458344:ERROR:third_party/crashpad/crashpad/handler/linux/exception_handler_server.cc:142] tgkill: Permission denied (13)
/usr/bin/brave-browser: line 40:    11 Trace/breakpoint trap   (core dumped) "$HERE/brave" "$@"

Parent is shutting down, bye...

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a
terminal?

Additional context

Any other detail that may help to understand/debug the problem

Environment

  • Name/version/arch of the Linux kernel (uname -srm):
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"):
  • Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
    mesa 1:24.3.3-2"):
  • Version of Firejail (firejail --version):
  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD):

Checklist

  • [ ] I am using firejail 0.9.80 or later (https://github.com/netblue30/firejail/tree/master/SECURITY.md)
  • [ ] I am using the full program path (e.g. firejail /usr/bin/vlc instead of firejail vlc; see https://github.com/netblue30/firejail/issues/2877)
  • [x] The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • [x] I can reproduce the issue without custom modifications (e.g. globals.local).
  • [x] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [x] The profile (and redirect profile if exists) hasn't already been fixed upstream (https://github.com/netblue30/firejail/tree/master/etc).
  • [x] I have performed a short search for similar issues (to avoid opening a duplicate).
    • [x] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • [ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

LC_ALL=C firejail --noprofile /usr/bin/brave-browser
firejail version 0.9.74

Parent pid 31002, child pid 31003
Warning: cannot find /var/run/utmp
Base filesystem installed in 0.10 ms
Child process initialized in 7.67 ms
Opening in existing browser session.

Parent is shutting down, bye...

Program seems to launch escaped from Firejail.

Output of LC_ALL=C firejail --debug /path/to/program

log.txt (https://github.com/user-attachments/files/26556364/log.txt)


@kmk3 commented on GitHub (Apr 8, 2026):

> firejail version 0.9.74

Note that we do not maintain that version of firejail:

  • https://github.com/netblue30/firejail/blob/master/SECURITY.md

Versions other than the latest usually have outdated profiles and may contain
bugs and security vulnerabilities that were fixed in later versions.

See also:

  • https://github.com/netblue30/firejail#installing

What happens with the latest released version?


@winningTheWho commented on GitHub (Apr 9, 2026):

I upgraded to the 0.9.80.1 version with no noticeable change in behavior.

I have realized that the Chromium browser is also not working either. So the issue is almost common between them, Chromium is installed from Apt so it's the Debian stable release.

These profiles have not changed in years, and I double checked and they don't have any differences that I can identify (from those installed and those in the repo).


@kmk3 commented on GitHub (Apr 10, 2026):

> I upgraded to the 0.9.80.1 version with no noticeable change in behavior.
>
> I have realized that the Chromium browser is also not working either. So the
> issue is almost common between them, Chromium is installed from Apt so it's
> the Debian stable release.

For debugging, you can comment lines in the profiles until it works to find out
which lines are causing problems.

Relevant profiles:

  • brave.profile
  • chromium-common.profile
  • blink-common.profile

> These profiles have not changed in years, and I double checked and they don't
> have any differences that I can identify (from those installed and those in
> the repo).

See also the profiles that they include (and so on), especially the redirect
profiles.


@cobratbq commented on GitHub (Apr 10, 2026):

You might get more precise info if you try these again from a freshly started operating system. One of your log-lines says 'Opening in existing browser session', so whether working browser or unterminated process, it finds another instance.

Also, in case of segfaults or sudden errors/crashes, try checking last lines of dmesg (use -T for human-readable timestamps) output. audit: lines may indicate forcefully aborted actions that the operating system refused.

Chromium should work without issue, but I have also tweaked configuration, so I'm not exactly sure what issue you might run into. I have no experience with Brave.


@winningTheWho commented on GitHub (Apr 14, 2026):

> You might get more precise info if you try these again from a freshly started operating system. One of your log-lines says 'Opening in existing browser session', so whether working browser or unterminated process, it finds another instance.
>
> Also, in case of segfaults or sudden errors/crashes, try checking last lines of dmesg (use -T for human-readable timestamps) output. audit: lines may indicate forcefully aborted actions that the operating system refused.
>
> Chromium should work without issue, but I have also tweaked configuration, so I'm not exactly sure what issue you might run into. I have no experience with Brave.

Just before posting this, I have completely wiped and reinstalled Debian 13. The previous install was very new, but I had made modifications that could interfere. This time I am blank slate trying to figure out this issue.

First thing I did was install the Debian released version of Chromium and Firejail, which leads to the previously reported behavior of preventing Chromium from launching. At time of writing I have not upgraded to the latest Firejail version.

With dmesg -T, I get the following output relating to apparmor.

[Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:146): apparmor="DENIED" operation="userns_create" class="namespace" profile="firejail-default" pid=6665 comm="chromium" requested="userns_create" denied="userns_create"
[Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:147): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=6681 comm="chrome_crashpad" requested_mask="trace" denied_mask="trace" peer="chromium//&firejail-default"
[Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:148): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=6681 comm="chrome_crashpad" requested_mask="tracedby" denied_mask="tracedby" peer="chromium//&firejail-default"
[Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:149): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=6681 comm="chrome_crashpad" requested_mask="send" denied_mask="send" signal=cont peer="chromium//&firejail-default"
[Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:150): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=6681 comm="chrome_crashpad" requested_mask="send" denied_mask="send" signal=cont peer="chromium//&firejail-default

I remove chromium from the firecfg.config, run firecfg --clean, then firecfg to reapply to all but Chromium. Chromium launches.

I did find this in dmesg running chromium without firejail.

[Mon Apr 13 22:23:13 2026] audit: type=1400 audit(1776144193.389:151): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="firejail-default" pid=6750 comm="apparmor_parser"
[Mon Apr 13 22:23:13 2026] audit: type=1400 audit(1776144193.389:152): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="firejail-default" pid=6751 comm="apparmor_parser"

@winningTheWho commented on GitHub (Apr 14, 2026):

I have found that disabling the apparmor feature in blink-common.profile allows chromium to launch. So there seems to be some kind of issue with apparmor's Chromium ruleset.

With this off, Brave Browser also launches just fine.


# Firejail profile for blink-common
# Description: Common profile for Blink-based applications
# This file is overwritten after every install/update
# Persistent local customizations
include blink-common.local
# Persistent global definitions
# added by caller profile
#include globals.local

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

whitelist ${DOWNLOADS}
include whitelist-common.inc
#include whitelist-run-common.inc
include whitelist-runuser-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

# If your kernel allows the creation of user namespaces by unprivileged users
# (for example, if running `unshare -U echo enabled` prints "enabled"), you
# can add the next line to your blink-common.local.
#include blink-common-hardened.inc.profile

#apparmor
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
noinput
notv

disable-mnt
private-cache

dbus-system none

Obviously this starts to leave firejail territory, but I am less familiar with apparmor but can see it set to allow userns for chromium and is explicitly showing it's meant to allow everything, so I am unsure how to interpret the earlier errors.

sudo cat /etc/apparmor.d/chromium 
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

@{chromium} = {,ungoogled-}chromium{,-browser}

profile chromium /usr/lib/@{chromium}/@{chromium} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/chromium>
}
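
Added example, not part of the original thread and not firejail or AppArmor project code: a small Python parser for the `audit:` records quoted above that groups the denials by the profile named in each record's `profile=` field. The function names are hypothetical; the sample records are copied from the dmesg output posted in this thread.

```python
import re
from collections import Counter

# Records copied from the dmesg output quoted in this thread. The signal record
# is missing its closing quote, exactly as it was pasted; the last record is a
# STATUS message, not a denial.
SAMPLE = "\n".join([
    '[Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:146): apparmor="DENIED" operation="userns_create" class="namespace" profile="firejail-default" pid=6665 comm="chromium" requested="userns_create" denied="userns_create"',
    '[Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:147): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=6681 comm="chrome_crashpad" requested_mask="trace" denied_mask="trace" peer="chromium//&firejail-default"',
    '[Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:150): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=6681 comm="chrome_crashpad" requested_mask="send" denied_mask="send" signal=cont peer="chromium//&firejail-default',
    '[Mon Apr 13 22:23:13 2026] audit: type=1400 audit(1776144193.389:151): apparmor="STATUS" operation="profile_replace" info="same as current profile, skipping" profile="unconfined" name="firejail-default" pid=6750 comm="apparmor_parser"',
])

# key="quoted value" (closing quote optional at end of line) or key=bare_value
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"?|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    fields = {}
    for m in PAIR.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields if "apparmor" in fields else None


def denials(text):
    """Parse every line and keep only records with apparmor="DENIED"."""
    records = (parse_audit_line(line) for line in text.splitlines())
    return [r for r in records if r and r["apparmor"] == "DENIED"]


def split_label(label):
    """Split a stacked AppArmor label ('a//&b') into its component profiles."""
    return label.split("//&")


def summarize(text):
    """Count denials by (profile, operation, process name, denied permission)."""
    counts = Counter()
    for r in denials(text):
        # userns records use "denied", ptrace/signal records use "denied_mask"
        what = r.get("denied_mask") or r.get("denied") or "?"
        counts[(r.get("profile"), r.get("operation"), r.get("comm"), what)] += 1
    return counts


def profiles_denying(text, operation):
    """Set of profile names that appear on denials of the given operation."""
    return {r["profile"] for r in denials(text) if r.get("operation") == operation}


if __name__ == "__main__":
    for (profile, op, comm, what), n in sorted(summarize(SAMPLE).items()):
        print(f"{n}x profile={profile} operation={op} comm={comm} denied={what}")
    print("userns_create denied under:", profiles_denying(SAMPLE, "userns_create"))
```

On the sample, every denial carries `profile="firejail-default"`; the name `chromium` appears only as one component of the stacked `peer` label.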


@kmk3 commented on GitHub (Apr 14, 2026):

> With dmesg -T, I get the following output relating to apparmor.
>
> [Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:146): apparmor="DENIED" operation="userns_create" class="namespace" profile="firejail-default" pid=6665 comm="chromium" requested="userns_create" denied="userns_create"
> [Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:147): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=6681 comm="chrome_crashpad" requested_mask="trace" denied_mask="trace" peer="chromium//&firejail-default"
> [Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:148): apparmor="DENIED" operation="ptrace" class="ptrace" profile="firejail-default" pid=6681 comm="chrome_crashpad" requested_mask="tracedby" denied_mask="tracedby" peer="chromium//&firejail-default"
> [Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:149): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=6681 comm="chrome_crashpad" requested_mask="send" denied_mask="send" signal=cont peer="chromium//&firejail-default"
> [Mon Apr 13 22:20:17 2026] audit: type=1400 audit(1776144017.822:150): apparmor="DENIED" operation="signal" class="signal" profile="firejail-default" pid=6681 comm="chrome_crashpad" requested_mask="send" denied_mask="send" signal=cont peer="chromium//&firejail-default
>
> I have found that disabling the apparmor feature in blink-common.profile
> allows chromium to launch. So there seems to be some kind of issue with
> apparmor's Chromium ruleset.

Seems related to:

  • #7080


@MiltosKoutsokeras commented on GitHub (Apr 16, 2026):

The issue is still active in Debian 13, Chromium 147.0.7727.55 built on Debian GNU/Linux 13 (trixie) and firejail version 0.9.74. All installed via apt. The standard output is the following:

$ chromium 
Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/blink-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
firejail version 0.9.74

Parent pid 4653, child pid 4654
Warning: cannot find /var/run/utmp
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Base filesystem installed in 99.93 ms
Child process initialized in 153.85 ms
/usr/bin/chromium: 9: [: 7748571136: unexpected operator
[7:7:0416/114000.710984:FATAL:sandbox/linux/services/credentials.cc:137] Check failed: . : Permission denied (13)
[0416/114000.711187:ERROR:third_party/crashpad/crashpad/util/linux/scoped_ptrace_attach.cc:27] ptrace: Permission denied (13)
[0416/114000.711309:ERROR:third_party/crashpad/crashpad/handler/linux/exception_handler_server.cc:142] tgkill: Permission denied (13)
[0416/114000.711340:ERROR:third_party/crashpad/crashpad/handler/linux/exception_handler_server.cc:142] tgkill: Permission denied (13)

Parent is shutting down, bye...

Is there any workaround I can apply in firejail local configuration?


@kmk3 commented on GitHub (Apr 16, 2026):

> firejail version 0.9.74

Note that we do not maintain that version of firejail:

  • https://github.com/netblue30/firejail/blob/master/SECURITY.md

Versions other than the latest usually have outdated profiles and may contain
bugs and security vulnerabilities that were fixed in later versions.

See also:

  • https://github.com/netblue30/firejail#installing

> Is there any workaround I can apply in firejail local configuration?

You can try adding the following to ~/.config/firejail/blink-common.local (or
globals.local):

ignore apparmor

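
Added example, not part of the thread and not firejail code: a simplified Python model of how a profile's `include` chain and the `ignore` directive interact, covering both the earlier advice to look through the included profiles and the `ignore apparmor` workaround above. The profile contents are constructed, shortened stand-ins, the function names are hypothetical, and the model assumes an `ignore` line only affects lines read after it and that missing `*.local` files are skipped.

```python
# Constructed, heavily shortened stand-ins for the profile chain seen in the
# "Reading profile" output; real profiles contain many more lines.
BASE = {
    "chromium.profile": "include chromium.local\ninclude globals.local\n"
                        "include chromium-common.profile\n",
    "chromium-common.profile": "include chromium-common.local\n"
                               "include blink-common.profile\n",
    "blink-common.profile": "include blink-common.local\napparmor\n"
                            "caps.keep sys_admin,sys_chroot\nnetfilter\n",
}


def resolve(profiles, start):
    """Read `start` and its includes in order.

    Returns (active, ignored): lists of (file, line) for directives that take
    effect and for directives dropped by an earlier `ignore` line.
    """
    ignore_list, active, ignored, seen = [], [], [], set()

    def is_ignored(line):
        return any(line == p or line.startswith(p + " ") for p in ignore_list)

    def walk(name):
        if name in seen or name not in profiles:  # absent *.local: skipped
            return
        seen.add(name)
        for raw in profiles[name].splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if is_ignored(line):
                ignored.append((name, line))
            elif line.startswith("ignore "):
                ignore_list.append(line[len("ignore "):].strip())
            elif line.startswith("include "):
                walk(line.split(None, 1)[1])
            else:
                active.append((name, line))

    walk(start)
    return active, ignored


def origin_of(profiles, start, directive):
    """Files where `directive` takes effect, and files where it is ignored."""
    active, ignored = resolve(profiles, start)

    def match(line):
        return line == directive or line.startswith(directive + " ")

    return ([f for f, l in active if match(l)],
            [f for f, l in ignored if match(l)])


if __name__ == "__main__":
    print("stock:", origin_of(BASE, "chromium.profile", "apparmor"))
    local = dict(BASE, **{"blink-common.local": "ignore apparmor\n"})
    print("with blink-common.local:", origin_of(local, "chromium.profile", "apparmor"))
```

Placed in globals.local instead, the same line is read by every profile that includes globals.local, not only the Blink-based browsers.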

@kmk3 commented on GitHub (Apr 16, 2026):

Might be related to:

  • #3586
  • #6681

From https://github.com/netblue30/firejail/issues/6681#issuecomment-2723682562:

@winningTheWho

What is the output of the following?

sysctl kernel.unprivileged_userns_clone

Does it work with the following?

sudo sysctl kernel.unprivileged_userns_clone=1

Reference: github-starred/firejail#3494