[GH-ISSUE #810] disable-common.inc noblacklist bug #552

Closed
opened 2026-05-05 06:06:41 -06:00 by gitea-mirror · 7 comments
Originally created by @ghost on GitHub (Sep 25, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/810

Hello, after updating from 0.9.38.2 to 0.9.42 (Gentoo), Firejail couldn't work even with the simplest program.

```
firejail echo a
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 6626, child pid 6627
Error: cannot establish communication with the parent, exiting...
```

When commenting

```
noblacklist ${PATH}/mount
noblacklist ${PATH}/umount
noblacklist ${PATH}/su
noblacklist ${PATH}/sudo
noblacklist ${PATH}/nc
```

in `/etc/firejail/disable-common.inc`, I get what I want

```
firejail echo a
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 6715, child pid 6716
Child process initialized
a

Parent is shutting down, bye...
```

Note that it only happens to my "sandbox" user, and only when using a separate X, not through su. This may have to do with the fact that this user is not in the wheel group.

@netblue30 commented on GitHub (Sep 25, 2016):

So basically you are saying that in order to do "echo a" you need /bin/sudo to be available in the filesystem? Try to find out which of the lines you commented out is creating the problem.


@ghost commented on GitHub (Sep 25, 2016):

Maybe I've not been clear, but leaving any of these lines uncommented makes the failure appear (makes me think the noblacklist feature has a problem, actually). By the way, `--debug` brings nothing.


@ghost commented on GitHub (Sep 25, 2016):

Managed to pinpoint even more. The lines are uncommented here (as shipped).

```
su -l sandbox
Password:
sandbox@gentoo ~ $ echo $PATH
/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.9.3:/usr/games/bin
sandbox@gentoo ~ $ firejail echo a
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 333, child pid 334
Error: cannot establish communication with the parent, exiting...
sandbox@gentoo ~ $ PATH=/bin:/usr/bin firejail echo a
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 388, child pid 389
Child process initialized
a

Parent is shutting down, bye...
```
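The PATH bisection in the comment above, as an added diagnostic script that is neither firejail's code nor the reporter's: it expands the five `noblacklist ${PATH}/<name>` lines from disable-common.inc over every component of a given PATH (one entry per component, which is how the `${PATH}` macro is expanded) and reports which expanded entries point at a directory or file that does not exist, so the long Gentoo PATH can be compared with the short `/bin:/usr/bin` that worked. The `ok`/`nofile`/`nodir` labels are this script's own classification, not firejail output.

```shell
#!/bin/sh
# Added diagnostic (not firejail code, not the reporter's): expand the
# "noblacklist ${PATH}/<name>" lines over every PATH component and flag
# entries whose directory or file does not exist on this system.

# Constructed copy of the five lines quoted from disable-common.inc.
PROFILE_LINES='noblacklist ${PATH}/mount
noblacklist ${PATH}/umount
noblacklist ${PATH}/su
noblacklist ${PATH}/sudo
noblacklist ${PATH}/nc'

# expand_noblacklist PATHVALUE
# Prints "<expanded path> <status>" for each PATH component and each
# noblacklist line. status is ok (file exists), nofile (directory exists,
# file missing) or nodir (directory missing); the labels are this script's.
expand_noblacklist() {
    printf '%s\n' "$PROFILE_LINES" | while IFS= read -r line; do
        case $line in
            'noblacklist ${PATH}/'*) name=${line##*/} ;;   # text after the last '/'
            *) continue ;;
        esac
        rest="$1:"                       # trailing ':' so the loop consumes every component
        while [ -n "$rest" ]; do
            dir=${rest%%:*}
            rest=${rest#*:}
            [ -n "$dir" ] || continue    # skip empty components such as "::"
            if [ ! -d "$dir" ]; then status=nodir
            elif [ ! -e "$dir/$name" ]; then status=nofile
            else status=ok
            fi
            printf '%s %s\n' "$dir/$name" "$status"
        done
    done
}

# count_status PATHVALUE STATUS: number of expanded entries with that status.
count_status() {
    expand_noblacklist "$1" | awk -v s="$2" '$2 == s { n++ } END { print n + 0 }'
}

# Report against the caller's PATH; components marked nodir are the first
# thing to compare with the short PATH=/bin:/usr/bin that worked above.
expand_noblacklist "$PATH"
```

Run it as the affected user (here the "sandbox" account with its full PATH) and again with `PATH=/bin:/usr/bin`, and diff the two reports.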

@netblue30 commented on GitHub (Sep 26, 2016):

There were two bugs reported by gentoo users:

https://github.com/netblue30/firejail/issues/804 - this one seems to be fixed in git

https://github.com/netblue30/firejail/issues/674 - I think this one can be fixed by commenting out "include disable-devel.inc", but I see you don't have it in the profile.

I would say, update to the latest version in git and give it a try. I'll take a look at noblacklist.


@sakaki- commented on GitHub (Oct 3, 2016):

I see the same thing as Q3CPMA (running Gentoo, firejail 0.9.42). Issue only happens with the `busybox` USE flag set (it is by default) which in turn enables `busybox-workaround` in firejail's configure step (leading to the inclusion of the five problematic `noblacklist` lines at the head of `/etc/firejail/disable-common.inc`).
PS otherwise a very nice program, thank you.


@netblue30 commented on GitHub (Oct 3, 2016):

We have some special functionality for busybox, disabled by default. If you enable it on a non-busybox system, it will probably not work.


@sakaki- commented on GitHub (Oct 3, 2016):

Sounds like the busybox USE flag shouldn't be set by default in the ebuild in that case. I'll file a bug report on Gentoo. Thanks for the response!
