[GH-ISSUE #706] When we use the --private-dev option with the --chroot option, the /dev/log socket is missing #483

Closed
opened 2026-05-05 05:56:53 -06:00 by gitea-mirror · 7 comments

Originally created by @nuxwin on GitHub (Aug 13, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/706

Current behavior

The /dev/log socket is missing.

Expected behavior

The /dev/log socket should be here (as stated in the documentation):

```
       --private-dev
              Create a new /dev directory. Only dri, null, full, zero, tty, pts, ptmx, random, snd, urandom, log and shm devices are available.

              Example:
              $ firejail --private-dev
              Parent pid 9887, child pid 9888
              Child process initialized
              $ ls /dev
              dri  full  log  null  ptmx  pts  random  shm  snd  tty  urandom  zero
              $
```

Additional info

Without the --private-dev option, the result is as follows:

```
@srv01:/home/nuxwin$ ls /dev/
autofs              full                network_latency     sda5                tty11               tty24               tty37               tty5                tty62               vcs2                vhci
block               fuse                network_throughput  sg0                 tty12               tty25               tty38               tty50               tty63               vcs3                vhost-net
bsg                 hpet                null                sg1                 tty13               tty26               tty39               tty51               tty7                vcs4                watchdog
btrfs-control       hugepages           port                shm                 tty14               tty27               tty4                tty52               tty8                vcs5                watchdog0
cdrom               initctl             ppp                 snapshot            tty15               tty28               tty40               tty53               tty9                vcs6                xconsole
char                input               psaux               snd                 tty16               tty29               tty41               tty54               ttyS0               vcsa                zero
console             kmsg                ptmx                sr0                 tty17               tty3                tty42               tty55               ttyS1               vcsa1
core                log                 pts                 stderr              tty18               tty30               tty43               tty56               ttyS2               vcsa2
cpu                 loop-control        random              stdin               tty19               tty31               tty44               tty57               ttyS3               vcsa3
cpu_dma_latency     mapper              rtc                 stdout              tty2                tty32               tty45               tty58               uhid                vcsa4
cuse                mcelog              rtc0                tty                 tty20               tty33               tty46               tty59               uinput              vcsa5
disk                mem                 sda                 tty0                tty21               tty34               tty47               tty6                urandom             vcsa6
dvd                 mqueue              sda1                tty1                tty22               tty35               tty48               tty60               vcs                 vfio
fd                  net                 sda2                tty10               tty23               tty36               tty49               tty61               vcs1                vga_arbiter
```

With the --private-dev option, the result is as follows:

```
@srv01:/home/nuxwin$ ls /dev/
full     null     ptmx     pts      random   shm      snd      tty      urandom  zero
@srv01:/home/nuxwin$
```

Info about my environment:

```
root@srv01:/usr/local/etc/firejail# firejail --version
firejail version 0.9.42~rc1
X11 support is disabled.

root@srv01:/usr/local/etc/firejail# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.5 (jessie)
Release:    8.5
Codename:   jessie

root@srv01:/var/chroot/InstantSSH/shared_jail/dev# systemctl --version
systemd 215
+PAM +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ -SECCOMP -APPARMOR

root@srv01:/var/chroot/InstantSSH/shared_jail/dev# ls -la /dev/log
lrwxrwxrwx 1 root root 28 août  11 01:06 /dev/log -> /run/systemd/journal/dev-log
```

Note that the chroot is created with makejail and some internal utilities.

Thank you for your interest.

gitea-mirror 2026-05-05 05:56:53 -06:00
  • closed this issue
  • added the bug label

@nuxwin commented on GitHub (Aug 13, 2016):

On 13/08/2016 at 04:38, Fred Barclay wrote:

> For what it's worth, `/dev/log` is present on my machine when using
> the `--private-dev` option:
>
> ```
> $ firejail --private-dev dash
> ...
> $ ls /dev
> dri full log null ptmx pts random shm snd tty urandom zero
> ```
>
> Comparatively, the following is visible outside of firejail:
>
> ```
> $ ls /dev
> autofs disk kmsg null sda2 snapshot tty13 tty24 tty35 tty46
> tty57 ttyS1 vcs1 vcsa4 block dm-0 kvm port sda3 snd tty14 tty25 tty36
> tty47 tty58 ttyS2 vcs2 vcsa5 bsg dri log ppp sda4 sr0 tty15 tty26
> tty37 tty48 tty59 ttyS3 vcs3 vcsa6 btrfs-control dvd loop-control
> psaux sda5 stderr tty16 tty27 tty38 tty49 tty6 uhid vcs4 vcsa7 bus
> dvdrw MAKEDEV ptmx sda6 stdin tty17 tty28 tty39 tty5 tty60 uinput vcs5
> vcsa8 cdrom ecryptfs mapper pts sda7 stdout tty18 tty29 tty4 tty50
> tty61 urandom vcs6 vfio cdrw fb0 mcelog random sda8 tty tty19 tty3
> tty40 tty51 tty62 v4l vcs7 vga_arbiter char fd media0 rfkill sdb tty0
> tty2 tty30 tty41 tty52 tty63 vboxdrv vcs8 vhci console full mem rtc
> sg0 tty1 tty20 tty31 tty42 tty53 tty7 vboxdrvu vcsa vhost-net core
> fuse net rtc0 sg1 tty10 tty21 tty32 tty43 tty54 tty8 vboxnetctl vcsa1
> video0 cpu_dma_latency hpet network_latency sda sg2 tty11 tty22 tty33
> tty44 tty55 tty9 vboxusb vcsa2 xconsole cuse input network_throughput
> sda1 shm tty12 tty23 tty34 tty45 tty56 ttyS0 vcs vcsa3 zero
> ```
>
> My OS is LMDE 2 "Betsy" (close, but not the same as, Debian Jessie).
> Firejail looks like this:
>
> ```
> $ firejail --version
> firejail version 0.9.42~rc2
> Compile time support:
>   - AppArmor support is disabled
>   - bind support is enabled
>   - chroot support is enabled
>   - file and directory whitelisting support is enabled
>   - file transfer support is enabled
>   - networking support is enabled
>   - seccomp-bpf support is enabled
>   - user namespace support is enabled
>   - X11 snadboxing support is enabled
> ```


@Fred-Barclay https://github.com/Fred-Barclay

You've removed your comment but I'll answer you ;)

```
$ firejail --private-dev dash
```

Works also for me. In such a case, the /dev/log socket is present.
However, I've clearly mentioned that the problem occurs when using
the `--private-dev` option with the `--chroot` option (case of a login shell
via FireJail).

Thank you.

Laurent Declercq
iHMS/i-MSCP Project Director


@Fred-Barclay commented on GitHub (Aug 13, 2016):

@nuxwin Right... I hadn't noticed that you used --chroot as well when I made that reply. 😄 Once I realised it I deleted my comment.


@nuxwin commented on GitHub (Aug 13, 2016):

@Fred-Barclay No grave ;)

Anyway, from my point of view, re-mounting /dev/log is something strange. What will be the result if the syslog daemon is restarted? Normally, we use a proxy (syslogproxyd) but here, it seems that there is no way to tell firejail to not take care of /dev/log.

@netblue30 You're thinking about this?


@netblue30 commented on GitHub (Aug 13, 2016):

Ugly bug!


@nuxwin commented on GitHub (Aug 14, 2016):

@netblue30

Would be great to have a fix as soon as possible. Then, I would be able to release my InstantSSH plugin with FireJail support. I hope that the problem doesn't come from systemd (they played a lot with syslog and their journal)... I'll try with a distro without systemd to see if I can reproduce.

BTW: No pressure ;)


@nuxwin commented on GitHub (Aug 15, 2016):

@netblue30 Bug found. On the latest Debian distros with systemd (such as Jessie), /dev/log is a symlink to /run/systemd/journal/dev-log. Once I mounted /run/systemd/journal/dev-log (I mounted the full rundir in fact) in my chroot, this worked as expected. I'll provide a fix soon. We should avoid mounting the full system rundir inside the chroot. Thus, I'll see how we can handle that.

Note that even without the --private-dev option this doesn't work in the chroot as long as /run/systemd/journal/dev-log is not mounted inside the chroot.

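A host-side check for the root cause described in the comment above, as an added example (not firejail code and not from the original thread): it resolves the /dev/log symlink the way the kernel would inside the chroot and reports whether the target socket exists under the chroot root. The chroot path in the usage comment is the one from the report; the function names and the optional second argument are my own.

```shell
#!/bin/sh
# Added diagnostic (not firejail code): on systemd hosts /dev/log is a
# symlink to /run/systemd/journal/dev-log. A symlink copied into a private
# /dev is resolved by the kernel *inside* the chroot, so the target must
# exist under the chroot root as well, or syslog clients get ENOENT.

# dev_log_target [DEVLOG]
#   Print the path a syslog client ends up opening, as seen from inside the
#   chroot: a symlink's content (absolute targets as-is, relative ones
#   resolved against /dev), or /dev/log itself when the host file is a
#   real socket. DEVLOG is the host-side file to inspect (default /dev/log).
dev_log_target() {
    devlog=${1:-/dev/log}
    if [ -L "$devlog" ]; then
        target=$(readlink "$devlog")
        case $target in
            /*) printf '%s\n' "$target" ;;
            *)  printf '/dev/%s\n' "$target" ;;
        esac
    else
        printf '/dev/log\n'
    fi
}

# chroot_sees_dev_log CHROOT_ROOT [DEVLOG]
#   Exit 0 when a process chrooted into CHROOT_ROOT would find a socket at
#   the resolved path, 1 otherwise (the missing path is reported on stderr).
chroot_sees_dev_log() {
    root=${1%/}
    devlog=${2:-/dev/log}
    target=$(dev_log_target "$devlog")
    if [ -S "$root$target" ]; then
        echo "ok: $root$target is a socket"
        return 0
    fi
    echo "missing: $root$target (host $devlog -> $target)" >&2
    return 1
}

# Usage on the reporter's host (path from the report; run as root):
#   chroot_sees_dev_log /var/chroot/InstantSSH/shared_jail
# A "missing" result means /run/systemd/journal/dev-log has to be made
# available inside the chroot (nuxwin bind-mounted all of /run) before
# /dev/log can work there, with or without --private-dev.
```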

@netblue30 commented on GitHub (Aug 15, 2016):

Sure, send a patch. Thanks!
