github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

cgroup inside firejailed process #586

New issue

Closed

opened 2026-05-05 06:13:48 -06:00 by gitea-mirror · 3 comments

gitea-mirror commented

2026-05-05 06:13:48 -06:00

Owner

Originally created by @gi11es on GitHub (Oct 16, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/862

Hi,

I'd like to assign the subprocesses of a firejailed process to a different cgroup than the firejailed process. In order to do that, I need to be able to write to the /sys/fs/cgroup VFS. I can't find an option in firejail that would let me do that. Am I missing something? Can the disabling of /sys/fs be turned off?

Originally created by @gi11es on GitHub (Oct 16, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/862 Hi, I'd like to assign the subprocesses of a firejailed process to a different cgroup than the firejailed process. In order to do that, I need to be able to write to the /sys/fs/cgroup VFS. I can't find an option in firejail that would let me do that. Am I missing something? Can the disabling of /sys/fs be turned off?

gitea-mirror

2026-05-05 06:13:48 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 06:13:53 -06:00

Author

Owner

@gi11es commented on GitHub (Oct 17, 2016):

Some context about why I need something like this: https://phabricator.wikimedia.org/T145623

@gi11es commented on GitHub (Oct 17, 2016): Some context about why I need something like this: https://phabricator.wikimedia.org/T145623

gitea-mirror commented

2026-05-05 06:13:56 -06:00

Author

Owner

@netblue30 commented on GitHub (Oct 17, 2016):

I put a fix in git, use "firejail --noblacklist=/sys/fs program-name".

@netblue30 commented on GitHub (Oct 17, 2016): I put a fix in git, use "firejail --noblacklist=/sys/fs program-name".

gitea-mirror commented

2026-05-05 06:13:58 -06:00

Author

Owner

@gi11es commented on GitHub (Nov 4, 2016):

It doesn't work, or at least doesn't work in the way I need it to.

gilles@ubuntu:~/Documents/Mediawiki/firejail$ ls -al /sys/fs/cgroup/
total 0
drwxr-xr-x 13 root root 340 Oct 18 21:31 .
drwxr-xr-x 10 root root   0 Nov  4 09:33 ..
dr-xr-xr-x  2 root root   0 Oct 18 21:31 blkio
lrwxrwxrwx  1 root root  11 Oct 18 21:31 cpu -> cpu,cpuacct
lrwxrwxrwx  1 root root  11 Oct 18 21:31 cpuacct -> cpu,cpuacct
dr-xr-xr-x  2 root root   0 Oct 18 21:31 cpu,cpuacct
dr-xr-xr-x  2 root root   0 Oct 18 21:31 cpuset
dr-xr-xr-x  5 root root   0 Oct 18 21:31 devices
dr-xr-xr-x  2 root root   0 Oct 18 21:31 freezer
dr-xr-xr-x  2 root root   0 Oct 18 21:31 hugetlb
dr-xr-xr-x  2 root root   0 Oct 18 21:31 memory
lrwxrwxrwx  1 root root  16 Oct 18 21:31 net_cls -> net_cls,net_prio
dr-xr-xr-x  2 root root   0 Oct 18 21:31 net_cls,net_prio
lrwxrwxrwx  1 root root  16 Oct 18 21:31 net_prio -> net_cls,net_prio
dr-xr-xr-x  2 root root   0 Oct 18 21:31 perf_event
dr-xr-xr-x  5 root root   0 Oct 18 21:31 pids
dr-xr-xr-x  5 root root   0 Oct 18 21:31 systemd
gilles@ubuntu:~/Documents/Mediawiki/firejail$ firejail --noblacklist=/sys/fs ls -al /sys/fs/cgroup/
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 62583, child pid 62584
Child process initialized
total 0
dr-xr-xr-x  2 65534 65534 0 Oct 18 21:31 .
drwxr-xr-x 10 65534 65534 0 Nov  4 09:33 ..

Parent is shutting down, bye...

In order to be able to manipulate cgroups from within the firejailed process, the contents of /sys/fs/cgroup need to be present and modifiable. --noblacklist=/sys/fs seems to only mount subdirectories of /sys/fs as empty directories:

gilles@ubuntu:~/Documents/Mediawiki/firejail$ firejail --noblacklist=/sys/fs ls -al /sys/fs/
Reading profile /usr/local/etc/firejail/default.profile
Reading profile /usr/local/etc/firejail/disable-common.inc
Reading profile /usr/local/etc/firejail/disable-programs.inc
Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 62639, child pid 62640
Child process initialized
total 0
drwxr-xr-x 10 65534 65534 0 Nov  4 09:33 .
dr-xr-xr-x 13 65534 65534 0 Nov  4 09:32 ..
dr-xr-xr-x  2 65534 65534 0 Nov  4 09:32 bpf
drwxr-xr-x  3 65534 65534 0 Nov  4 09:32 btrfs
dr-xr-xr-x  2 65534 65534 0 Oct 18 21:31 cgroup
drwxr-xr-x  2 65534 65534 0 Nov  4 09:32 ecryptfs
drwxr-xr-x  4 65534 65534 0 Nov  4 09:32 ext4
drwxr-xr-x  3 65534 65534 0 Oct 18 21:31 fuse
dr-xr-xr-x  2 65534 65534 0 Oct 18 21:31 pstore
drwxr-xr-x  3 65534 65534 0 Nov  4 09:32 xfs

Parent is shutting down, bye...

@gi11es commented on GitHub (Nov 4, 2016): It doesn't work, or at least doesn't work in the way I need it to. ``` gilles@ubuntu:~/Documents/Mediawiki/firejail$ ls -al /sys/fs/cgroup/ total 0 drwxr-xr-x 13 root root 340 Oct 18 21:31 . drwxr-xr-x 10 root root 0 Nov 4 09:33 .. dr-xr-xr-x 2 root root 0 Oct 18 21:31 blkio lrwxrwxrwx 1 root root 11 Oct 18 21:31 cpu -> cpu,cpuacct lrwxrwxrwx 1 root root 11 Oct 18 21:31 cpuacct -> cpu,cpuacct dr-xr-xr-x 2 root root 0 Oct 18 21:31 cpu,cpuacct dr-xr-xr-x 2 root root 0 Oct 18 21:31 cpuset dr-xr-xr-x 5 root root 0 Oct 18 21:31 devices dr-xr-xr-x 2 root root 0 Oct 18 21:31 freezer dr-xr-xr-x 2 root root 0 Oct 18 21:31 hugetlb dr-xr-xr-x 2 root root 0 Oct 18 21:31 memory lrwxrwxrwx 1 root root 16 Oct 18 21:31 net_cls -> net_cls,net_prio dr-xr-xr-x 2 root root 0 Oct 18 21:31 net_cls,net_prio lrwxrwxrwx 1 root root 16 Oct 18 21:31 net_prio -> net_cls,net_prio dr-xr-xr-x 2 root root 0 Oct 18 21:31 perf_event dr-xr-xr-x 5 root root 0 Oct 18 21:31 pids dr-xr-xr-x 5 root root 0 Oct 18 21:31 systemd gilles@ubuntu:~/Documents/Mediawiki/firejail$ firejail --noblacklist=/sys/fs ls -al /sys/fs/cgroup/ Reading profile /usr/local/etc/firejail/default.profile Reading profile /usr/local/etc/firejail/disable-common.inc Reading profile /usr/local/etc/firejail/disable-programs.inc Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc ** Note: you can use --noprofile to disable default.profile ** Parent pid 62583, child pid 62584 Child process initialized total 0 dr-xr-xr-x 2 65534 65534 0 Oct 18 21:31 . drwxr-xr-x 10 65534 65534 0 Nov 4 09:33 .. Parent is shutting down, bye... ``` In order to be able to manipulate cgroups from within the firejailed process, the contents of /sys/fs/cgroup need to be present and modifiable. --noblacklist=/sys/fs seems to only mount subdirectories of /sys/fs as empty directories: ``` gilles@ubuntu:~/Documents/Mediawiki/firejail$ firejail --noblacklist=/sys/fs ls -al /sys/fs/ Reading profile /usr/local/etc/firejail/default.profile Reading profile /usr/local/etc/firejail/disable-common.inc Reading profile /usr/local/etc/firejail/disable-programs.inc Reading profile /usr/local/etc/firejail/disable-passwdmgr.inc ** Note: you can use --noprofile to disable default.profile ** Parent pid 62639, child pid 62640 Child process initialized total 0 drwxr-xr-x 10 65534 65534 0 Nov 4 09:33 . dr-xr-xr-x 13 65534 65534 0 Nov 4 09:32 .. dr-xr-xr-x 2 65534 65534 0 Nov 4 09:32 bpf drwxr-xr-x 3 65534 65534 0 Nov 4 09:32 btrfs dr-xr-xr-x 2 65534 65534 0 Oct 18 21:31 cgroup drwxr-xr-x 2 65534 65534 0 Nov 4 09:32 ecryptfs drwxr-xr-x 4 65534 65534 0 Nov 4 09:32 ext4 drwxr-xr-x 3 65534 65534 0 Oct 18 21:31 fuse dr-xr-xr-x 2 65534 65534 0 Oct 18 21:31 pstore drwxr-xr-x 3 65534 65534 0 Nov 4 09:32 xfs Parent is shutting down, bye... ```

gitea-mirror referenced this issue

2026-05-05 10:05:48 -06:00

[PR #586] [MERGED] mpv.profile: make youtube-dl work #3672

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#586

No description provided.

Rows
Columns