[GH-ISSUE #618] "Seccomp.keep chroot" exits with error #431

Closed
opened 2026-05-05 05:50:49 -06:00 by gitea-mirror · 5 comments
Originally created by @Fred-Barclay on GitHub (Jul 6, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/618

I'm probably doing this wrong but whenever I try to use the seccomp filter but keep chroot, firejail exits with a warning. This is for profiles as well as starting a shell from the terminal:
<user>@<redacted> ~ $ firejail --seccomp.keep=chroot
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 2531, child pid 2532
#
Error: cannot establish communication with the parent, exiting...

Starting firejail --seccomp works fine (though of course no chroot), it's only with seccomp.keep that I have issues.

This is for the development version of firejail, built from source a few hours ago, running on LMDE Betsy (Debian Jessie base).

Thanks!

@manevich commented on GitHub (Jul 6, 2016):

I have no expertise here, but if you run this command with the --debug flag you see that you get only a few syscalls whitelisted:

SECCOMP Filter:
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCAL
  WHITELIST 105 setuid
  WHITELIST 106 setgid
  WHITELIST 116 setgroups
  WHITELIST 32 dup
  WHITELIST 161 chroot
  KILL_PROCESS
Save seccomp filter, size 120 bytes

Too few to run something useful, I think.

@netblue30 commented on GitHub (Jul 6, 2016):

@manevich is right, you need quite a long list there.

@Fred-Barclay commented on GitHub (Jul 6, 2016):

So in other words, chroot needs more syscalls that are blacklisted by seccomp, so firejail exits. Is that correct?

@netblue30 commented on GitHub (Jul 7, 2016):

You would need to run strace on the application you want to sandbox. strace will give you the list of syscalls:

https://firejail.wordpress.com/documentation-2/seccomp-guide/

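The workflow suggested in the two comments above (the --debug output showing only five whitelisted syscalls, and the advice to derive the list with strace), written out as an added example. This script is not part of the issue or of the firejail project; the trace text embedded in it is constructed, and the trace_and_build function assumes strace and firejail are on PATH.

```shell
#!/bin/sh
# Added example (not from the issue or the firejail project): derive a
# --seccomp.keep allowlist from an strace log. The sample below is a
# constructed strace -f log, not real program output.

SAMPLE_TRACE='2532  execve("/bin/true", ["true"], 0x7ffd /* 20 vars */) = 0
2532  brk(NULL)                         = 0x55d0c0b2b000
2532  arch_prctl(ARCH_SET_FS, 0x7f1d0) = 0
2532  mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d0
2532  access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
2532  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
2532  close(3)                          = 0
2532  brk(0x55d0c0b4c000)               = 0x55d0c0b4c000
2532  --- SIGCHLD {si_signo=SIGCHLD} ---
2532  exit_group(0)                     = ?
2532  +++ exited with 0 +++'

# Read strace output on stdin and print each syscall name once.
# Handles both "pid  name(" (strace -f) and plain "name(" lines;
# signal and exit markers never match because they do not contain "name(".
syscalls_from_trace() {
    sed -n 's/^[0-9]*[[:space:]]*\([a-z_0-9]*\)(.*/\1/p' | sort -u
}

# Join the names into the comma-separated form --seccomp.keep expects.
keep_list() {
    syscalls_from_trace | paste -sd, -
}

# Full workflow (needs strace and firejail; not exercised by the sample):
# trace the application once through the code paths you care about,
# then start it under firejail with the resulting allowlist.
trace_and_build() {
    app="$1"; shift
    strace -f -o /tmp/trace.log -- "$app" "$@" >/dev/null 2>&1 || true
    keep_list < /tmp/trace.log
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_TRACE" | keep_list
```

Usage: `firejail --seccomp.keep="$(trace_and_build /path/to/app)" /path/to/app`. Because seccomp.keep is an allowlist and the debug output quoted above ends in KILL_PROCESS, any syscall the program (or firejail's own child setup) makes that is missing from the list kills the sandboxed process, which is exactly the "cannot establish communication with the parent" symptom in the report. A trace from one short run only covers the code paths that run executed, so trace every feature you intend to use and merge the lists before relying on them.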
@Fred-Barclay commented on GitHub (Jul 7, 2016):

Thank you @manevich and @netblue30. strace looks like it will do the trick, and I'm left scratching my head and wondering why I didn't think of it earlier. :)
Take care.
