[GH-ISSUE #744] blacklisting a symbolic link causes firejail to fail on jessie/armhf #503

Closed
opened 2026-05-05 05:59:46 -06:00 by gitea-mirror · 8 comments

Originally created by @tdaitx on GitHub (Aug 25, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/744

Debian jessie has a lot of symbolic links to gcc programs in /usr/bin (e.g. gcc -> gcc-4.9) and that makes firejail fail with the message `Error: cannot establish communication with the parent, exiting...`

A simple testcase to reproduce the issue:

```
$ ls -l deadbeef*
-rw-r--r-- 1 user user  0 Aug 24 23:02 deadbeef
lrwxrwxrwx 1 user user 34 Aug 24 23:02 deadbeef.link -> deadbeef
```

link-test.profile contains:

```
blacklist ${HOME}/deadbeef.link
```

It will fail as:

```
$ firejail --debug --profile=/etc/firejail/link-test.profile
Reading profile /etc/firejail/000.profile
Command name #bash#
Using the local network stack
Parent pid 3541, child pid 3542
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd
Sanitizing /etc/group
Disable /etc/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Error: cannot establish communication with the parent, exiting...
```

Using a blacklist mask causes the same error:

```
blacklist ${HOME}/deadbeef*
```

Trying to whitelist the real file as below does not help at all:

```
noblacklist ${HOME}/deadbeef
blacklist ${HOME}/deadbeef.link
```

Using the overlay does not help either.

System information:

```
$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 8.5 (jessie)
Release:    8.5
Codename:   jessie
```

```
cat /proc/cpuinfo
processor   : 0
model name  : ARMv7 Processor rev 4 (v7l)
BogoMIPS    : 37.89
Features    : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part    : 0xc07
CPU revision    : 4

processor   : 1
model name  : ARMv7 Processor rev 4 (v7l)
BogoMIPS    : 37.89
Features    : half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt vfpd32 lpae evtstrm
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part    : 0xc07
CPU revision    : 4

Hardware    : Allwinner sun7i (A20) Family
Revision    : 0000
Serial      : 16516603070355cc
```

Firejail package version on jessie: 0.9.40-3~bpo8+

Note: the same test works just fine on amd64 with the package version 0.9.38-1.

Please let me know how else I can help.

gitea-mirror 2026-05-05 05:59:46 -06:00 closed this issue and added the bug label.

@manevich commented on GitHub (Aug 25, 2016):

Confirm it on Debian Jessie, ARMv7 Processor rev 5 (v7l) with latest git.

```
touch test
ln -s test test.link
firejail --noprofile --blacklist=test.link
Parent pid 14809, child pid 14810
Error: cannot establish communication with the parent, exiting...
```

`firejail --noprofile --blacklist=test` works fine


@manevich commented on GitHub (Aug 25, 2016):

Well, looks like the problem is the call to realpath in the disable_file function at https://github.com/netblue30/firejail/blob/master/src/firejail/fs.c#L200
But I currently have no idea why it crashes.
Seems unrelated to the firejail version; 0.9.38 and 0.9.36 built from git fail too.
Simple test snippet:

```c
#include <stdio.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
        (void)argc; (void)argv;
        /* Same call pattern as disable_file() in fs.c: a heap-allocated
         * path handed to realpath() with a NULL resolved buffer. */
        char *filename = strdup("test.link");
        if (filename == NULL)
                return 1;
        char *fname = realpath(filename, NULL);
        if (fname != NULL)
                printf("%s\n", fname);
        free(fname);
        free(filename);
        return 0;
}
```

compiled using `gcc -ggdb -O2 -fPIE -pie -Wformat -Wformat-security realpath-test.c -o realpath-test` works fine

```
$ ./realpath-test
/home/user/test
```

@manevich commented on GitHub (Aug 25, 2016):

From output of `strace firejail --noprofile --blacklist=/home/user/test.link`:

```
4678  lstat64("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
4678  lstat64("/home/user", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
4678  lstat64("/home/user/test.link", {st_mode=S_IFLNK|0777, st_size=4, ...}) = 0
4678  readlink("/home/user/test.link", "test", 4095) = 4
4678  --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x74736578} ---
```

Segfault in the `realpath` function.
It's not specific to blacklisting; `firejail --noprofile --whitelist=/home/user/test.link` fails with the same diagnostics.
Still no clues what exactly triggers it.

@tdaitx commented on GitHub (Aug 26, 2016):

This is a backtrace from gdb:

# gdb firejail
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "arm-linux-gnueabihf".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from firejail...Reading symbols from /usr/lib/debug/.build-id/9f/a0c1c05da847ec40149b2d9877c5bf4552951d.debug...done.
done.
(gdb) b realpath
Function "realpath" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y

Breakpoint 1 (realpath) pending.
(gdb) b canonicalize.c:175
Breakpoint 2 at 0xb6e353c2: file canonicalize.c, line 175.
(gdb) set follow-fork-mode child
(gdb) run --noprofile --blacklist=test.link
Starting program: /usr/bin/firejail --noprofile --blacklist=test.link
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
[New process 26089]
Parent pid 26088, child pid 26089
The new log directory is /proc/26089/root/var/log
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
[Switching to process 26089]

Breakpoint 1, fs_build_cp_command () at fs.c:190
190         char* fname = realpath("/bin/cp", NULL);
(gdb) continue
Continuing.

Breakpoint 1, __realpath (name=0x7f66f7bc "/bin/cp", resolved=0x0) at canonicalize.c:44
44  canonicalize.c: No such file or directory.
(gdb) continue
Continuing.
Warning: masking /etc/firejail disabled when starting the sandbox as root

Breakpoint 1, disable_file (op=BLACKLIST_FILE, filename=0x7f790cd0 "test.link") at fs.c:249
249     char* fname = realpath(filename, NULL);
(gdb) bt
#0  disable_file (op=BLACKLIST_FILE, filename=0x7f790cd0 "test.link") at fs.c:249
#1  0x7f65304c in globbing (op=BLACKLIST_FILE, pattern=<optimized out>, noblacklist=0x7f790c38, 
    noblacklist_len=0) at fs.c:394
#2  0x7f653358 in fs_blacklist () at fs.c:520
#3  0x7f665aea in sandbox (sandbox_arg=<optimized out>) at sandbox.c:524
#4  0xb6e711fc in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:92
   from /lib/arm-linux-gnueabihf/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) continue
Continuing.

Breakpoint 1, __realpath (name=0x7f790cd0 "test.link", resolved=0x0) at canonicalize.c:44
44  canonicalize.c: No such file or directory.
(gdb) bt
#0  __realpath (name=0x7f790cd0 "test.link", resolved=0x0) at canonicalize.c:44
#1  0x7f652af8 in realpath (__resolved=0x0, __name=0x7f790cd0 "test.link")
    at /usr/include/arm-linux-gnueabihf/bits/stdlib.h:48
#2  disable_file (op=BLACKLIST_FILE, filename=0x7f790cd0 "test.link") at fs.c:249
#3  0x7f65304c in globbing (op=BLACKLIST_FILE, pattern=<optimized out>, noblacklist=0x7f790c38, 
    noblacklist_len=0) at fs.c:394
#4  0x7f653358 in fs_blacklist () at fs.c:520
#5  0x7f665aea in sandbox (sandbox_arg=<optimized out>) at sandbox.c:524
#6  0xb6e711fc in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:92
   from /lib/arm-linux-gnueabihf/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) info source
Current source file is canonicalize.c
Compilation directory is /build/glibc-ItIyWk/glibc-2.19/stdlib
Source language is c.
Compiled with DWARF 2 debugging format.
Does not include preprocessor macro info.
(gdb) next
50  in canonicalize.c
<<< snipped all repeated (gdb) entries as I was simply hitting enter to repeat the 'next' command >>>
60  in canonicalize.c
76  in canonicalize.c
78  in canonicalize.c
79  in canonicalize.c
86  in canonicalize.c
84  in canonicalize.c
86  in canonicalize.c
88  in canonicalize.c
93  in canonicalize.c
101 in canonicalize.c
169 in canonicalize.c
159 in canonicalize.c
169 in canonicalize.c
101 in canonicalize.c
161 in canonicalize.c
101 in canonicalize.c
107 in canonicalize.c
111 in canonicalize.c
114 in canonicalize.c
116 in canonicalize.c
118 in canonicalize.c
128 in canonicalize.c
129 in canonicalize.c
131 in canonicalize.c
158 in canonicalize.c
159 in canonicalize.c
161 in canonicalize.c
159 in canonicalize.c
158 in canonicalize.c
161 in canonicalize.c
164 in canonicalize.c
166 in canonicalize.c
169 in canonicalize.c
166 in canonicalize.c
169 in canonicalize.c
166 in canonicalize.c
169 in canonicalize.c
166 in canonicalize.c
169 in canonicalize.c
166 in canonicalize.c
169 in canonicalize.c
175 in canonicalize.c
Breakpoint 2, __realpath (name=<optimized out>, resolved=0x0) at canonicalize.c:175
175 in canonicalize.c
(gdb) bt
#0  __realpath (name=<optimized out>, resolved=0x0) at canonicalize.c:175
#1  0x7f652af8 in realpath (__resolved=0x0, __name=0x7f790cd0 "test.link")
    at /usr/include/arm-linux-gnueabihf/bits/stdlib.h:48
#2  disable_file (op=BLACKLIST_FILE, filename=0x7f790cd0 "test.link") at fs.c:249
#3  0x7f65304c in globbing (op=BLACKLIST_FILE, pattern=<optimized out>, noblacklist=0x7f790c38, 
    noblacklist_len=0) at fs.c:394
#4  0x7f653358 in fs_blacklist () at fs.c:520
#5  0x7f665aea in sandbox (sandbox_arg=<optimized out>) at sandbox.c:524
#6  0xb6e711fc in ?? () at ../ports/sysdeps/unix/sysv/linux/arm/nptl/../clone.S:92
   from /lib/arm-linux-gnueabihf/libc.so.6
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) continue
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__realpath (name=<optimized out>, 
    name@entry=<error reading variable: Cannot access memory at address 0x74736618>, 
    resolved=0x0, 
    resolved@entry=<error reading variable: Cannot access memory at address 0x74736618>)
    at canonicalize.c:176
176 in canonicalize.c
(gdb) bt
#0  __realpath (name=<optimized out>, 
    name@entry=<error reading variable: Cannot access memory at address 0x74736618>, 
    resolved=0x0, 
    resolved@entry=<error reading variable: Cannot access memory at address 0x74736618>)
    at canonicalize.c:176
Cannot access memory at address 0x74736618
(gdb) c
Continuing.
Error: cannot establish communication with the parent, exiting...

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
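The standalone realpath() test earlier in the thread runs in the main thread, while the strace and gdb output above show firejail calling realpath() from disable_file() inside a clone()'d child (frame #4 in clone.S). As an added experiment that is not part of the issue or of firejail's own code, the C program below repeats the reporter's deadbeef/deadbeef.link case inside a clone() child with a caller-chosen stack, reports whether the child was killed by a signal, and decodes the strace si_addr value 0x74736578 into bytes; the stack size, the /tmp fixture and the helper names are my own choices.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* glibc declares clone() under _GNU_SOURCE; repeat the prototype in case the
 * feature macro was set too late for <sched.h>. */
extern int clone(int (*fn)(void *), void *stack, int flags, void *arg, ...);

struct child_arg {
    const char *path;   /* path handed to realpath(), as disable_file() does */
    int pipe_wr;        /* the child writes the resolved path here */
};

static void send_str(int fd, const char *s) {
    ssize_t n = write(fd, s, strlen(s));
    (void)n;
}

/* Runs on the clone() child's private stack, like firejail's sandbox(). */
static int child_fn(void *raw) {
    struct child_arg *a = raw;
    char *resolved = realpath(a->path, NULL);
    if (resolved == NULL) {
        send_str(a->pipe_wr, "ERR");
    } else {
        send_str(a->pipe_wr, resolved);
        free(resolved);
    }
    close(a->pipe_wr);
    return 0;
}

/* Resolve `path` in a clone()'d child using a malloc'd stack of `stack_size`
 * bytes. Returns 0 with the result in `out`, -1 on error, or the signal
 * number if the child was killed by one (SIGSEGV == 11 on Linux). */
int realpath_in_clone_child(const char *path, size_t stack_size,
                            char *out, size_t outlen) {
    int fds[2];
    if (pipe(fds) != 0) return -1;
    char *stack = malloc(stack_size);
    if (stack == NULL) { close(fds[0]); close(fds[1]); return -1; }
    struct child_arg arg = { path, fds[1] };
    /* SIGCHLD only: a fork-like child on its own stack, no namespaces needed. */
    pid_t pid = clone(child_fn, stack + stack_size, SIGCHLD, &arg);
    close(fds[1]);
    int rc = -1;
    if (pid > 0) {
        ssize_t n = read(fds[0], out, outlen - 1);  /* EOF when the child dies */
        out[n > 0 ? n : 0] = '\0';
        int status = 0;
        waitpid(pid, &status, 0);
        if (WIFSIGNALED(status)) rc = WTERMSIG(status);
        else if (WIFEXITED(status) && strcmp(out, "ERR") != 0) rc = 0;
    }
    close(fds[0]);
    free(stack);
    return rc;
}

/* Constructed fixture: a temp dir holding the issue's file/symlink pair. */
int run_symlink_experiment(size_t stack_size, char *out, size_t outlen) {
    char dir[] = "/tmp/rp-XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char target[64], link[64];
    snprintf(target, sizeof target, "%s/deadbeef", dir);
    snprintf(link, sizeof link, "%s/deadbeef.link", dir);
    int fd = open(target, O_WRONLY | O_CREAT, 0644);
    if (fd >= 0) close(fd);
    symlink("deadbeef", link);   /* relative target, as in the reporter's ls -l */
    int rc = realpath_in_clone_child(link, stack_size, out, outlen);
    unlink(link); unlink(target); rmdir(dir);
    return rc;
}

/* A fault address whose bytes are all printable ASCII is a classic hint that
 * string data rather than a pointer reached a dereference. Bytes are taken in
 * little-endian order, matching the armhf target in the issue. */
int fault_addr_is_printable(uint32_t addr, char text[5]) {
    int printable = 1;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (addr >> (8 * i)) & 0xff;
        text[i] = (char)b;
        if (!isprint(b)) printable = 0;
    }
    text[4] = '\0';
    return printable;
}
```

Read as a little-endian word, the link target "test" that readlink returned is 0x74736574, four bytes below the reported si_addr; that is a hint to check whether string data reached a pointer slot, not a root-cause claim.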

@tdaitx commented on GitHub (Aug 26, 2016):

In case anyone wants to generate a debug build in Debian, [see this patch](https://gist.github.com/tdaitx/5dcd47a3f11b742fa3335518be547514):

Copy and paste; beware that git removes the tabs.

diff -Nru firejail-0.9.40/debian/changelog firejail-0.9.40/debian/changelog
--- firejail-0.9.40/debian/changelog    2016-06-26 10:56:12.000000000 -0300
+++ firejail-0.9.40/debian/changelog    2016-08-26 04:11:13.000000000 -0300
@@ -1,3 +1,9 @@
+firejail (0.9.40-3~bpo8+2) UNRELEASED; urgency=medium
+
+  * Add debug build.
+
+ -- Tiago Stürmer Daitx <tdaitx@gmail.com>  Fri, 26 Aug 2016 04:10:36 -0300
+
 firejail (0.9.40-3~bpo8+1) jessie-backports; urgency=low

   * Rebuild for jessie-backports.
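Review bot: the new changelog entry at the top of this hunk targets `UNRELEASED`, which is fine for a local debug build but should become `jessie-backports` (as in the entry below it) before the package is uploaded anywhere; the version `0.9.40-3~bpo8+2` correctly sorts after the installed `0.9.40-3~bpo8+1`.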
diff -Nru firejail-0.9.40/debian/control firejail-0.9.40/debian/control
--- firejail-0.9.40/debian/control  2016-06-14 17:28:45.000000000 -0300
+++ firejail-0.9.40/debian/control  2016-08-26 02:34:37.000000000 -0300
@@ -19,3 +19,20 @@
  process and all its descendants to have their own private view of the
  globally shared kernel resources, such as the network stack, process
  table, mount table.
+
+Package: firejail-dbg
+Architecture: any
+Section: debug
+Priority: extra
+Depends:
+    firejail (= ${binary:Version}),
+    ${misc:Depends}
+Description: debugging symbols for firejail
+ Firejail is a SUID security sandbox program that reduces the risk of
+ security breaches by restricting the running environment of untrusted
+ applications using Linux namespaces and seccomp-bpf.  It allows a
+ process and all its descendants to have their own private view of the
+ globally shared kernel resources, such as the network stack, process
+ table, mount table.
+ .
+ This package contains the debugging symbols for firejail.
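Review bot: the `firejail-dbg` stanza repeats the six-line firejail long description verbatim before the line `This package contains the debugging symbols for firejail.`; that single line is enough for a debug package and avoids two copies of the same text drifting apart. `Depends: firejail (= ${binary:Version})` is the right strict dependency for symbols that must match the stripped binary exactly.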
diff -Nru firejail-0.9.40/debian/rules firejail-0.9.40/debian/rules
--- firejail-0.9.40/debian/rules    2016-06-14 17:28:45.000000000 -0300
+++ firejail-0.9.40/debian/rules    2016-08-26 02:37:16.000000000 -0300
@@ -2,6 +2,8 @@

 #export DH_VERBOSE=1

+.PHONY: override_dh_strip override_dh_fixperms override_dh_installchangelogs override_dh_auto_install override_dh_auto_test
+
 export DEB_BUILD_MAINT_OPTIONS = hardening=+all

 %:
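Review bot: the added `.PHONY` line names `override_dh_fixperms` and `override_dh_installchangelogs`, which this patch does not add; that is harmless only if those targets already exist in `debian/rules` (the `dh_installchangelogs RELNOTES upstream` context in the next hunk suggests at least one does). Since debhelper invokes override targets by name, `.PHONY` is not needed for them to run, so listing just `override_dh_strip` or dropping the line entirely would be simpler.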
@@ -15,9 +17,12 @@
    dh_installchangelogs RELNOTES upstream

 override_dh_auto_install:
-   dh_auto_install
+   dh_auto_install --destdir=debian/firejail
    # documentation will be installed by debhelper
    rm --verbose -rf debian/firejail/usr/share/doc/firejail

 override_dh_auto_test:
    # skip tests here as they are run as autopkgtest
+
+override_dh_strip:
+   dh_strip --dbg-package=firejail-dbg
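Review bot: the `--destdir=debian/firejail` change is what keeps the following `rm --verbose -rf debian/firejail/usr/share/doc/firejail` line working once a second binary package exists, because `dh_auto_install` switches to `debian/tmp` for multi-package builds; a comment saying so would spare the next reader a trip through the debhelper docs. As the text above the patch warns, the `dh_auto_install --destdir=debian/firejail` and `dh_strip --dbg-package=firejail-dbg` recipe lines must be indented with a real tab, or make stops with "missing separator".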

@laino commented on GitHub (Sep 18, 2017):

Can confirm this is still an issue, especially because /var is full of symlinks and you may want to do something like:

```
noblacklist /var/X
blacklist /var/*
```

@chiraag-nataraj commented on GitHub (Aug 20, 2018):

Is this still an issue? I have an older Raspberry Pi which is running Debian armel that I can test.


@chiraag-nataraj commented on GitHub (Aug 20, 2018):

I cannot replicate this issue on my Raspberry Pi running Debian armel. @tdaitx @manevich @laino if y'all still have this issue, please feel free to re-open, but since there hasn't been any activity since September, I'm going to go ahead and close this for now.
