[GH-ISSUE #886] /run/firejail/mnt doesn't get created, hence all firejails fail #599

Closed
opened 2026-05-05 06:15:12 -06:00 by gitea-mirror · 4 comments

Originally created by @ghost on GitHub (Oct 31, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/886

Hi, using latest firejail from git I'm seeing..

(1) .. ALL sandboxed programs fail to start, looks like the needed /run/firejail/mnt dir doesn't get created (this is the main target of this post);
(2) .. some errors/warnings about .Xauthority and .asoundrc, which don't seem to be critical in any way AFAICT..

$ lsb_release -d
Description: Arch Linux

$ pacman -Qi systemd | grep Version
Version : 231-4

$ firejail --version
firejail version 0.9.45

Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- bind support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled

(1) failure:

$ firejail --dns=127.0.0.1 --private=$HOME --name=claws-mail claws-mail
Reading profile /home/dirkos/.config/firejail/claws-mail.profile
Reading profile /etc/firejail/claws-mail.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 16058, child pid 16059
Error mounting /run/firejail/mnt: preproc.c:72 preproc_mount_mnt_dir: No such file or directory
Error: cannot establish communication with the parent, exiting...

This happens with all firejailed programs. Both on Arch Linux & Ubuntu (16.04 LTS).
Although I didn't need to do that before, this can be easily fixed by creating
/etc/tmpfiles.d/firejail-run-mnt.conf with the below content:

$ cat /etc/tmpfiles.d/firejail-run-mnt.conf
#Type Path Mode UID GID Age Argument
d /run/firejail/mnt 0755 root root - -

(2) success:

$ firejail --dns=127.0.0.1 --private=$HOME --name=claws-mail claws-mail
Reading profile /home/dirkos/.config/firejail/claws-mail.profile
Reading profile /etc/firejail/claws-mail.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 16731, child pid 16732

DNS server 127.0.0.1

Error: file /home/dirkos/.Xauthority already exists
Warning: cannot transfer .Xauthority in private home directory
Error: file /home/dirkos/.asoundrc already exists
Warning: cannot transfer .asoundrc in private home directory
Child process initialized

Note: the above errors and warnings about .Xauthority and .asoundrc seem
to be non-critical as stated above. If you want me to report a separate issue
for these, just ask.

Do you think this is a systemd error or a firejail issue?

Regards.
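
The tmpfiles.d workaround in the post above can be checked mechanically. This added example (not part of the original thread and not firejail code) validates that an entry for `/run/firejail/mnt` keeps the `0755 root root` shape shown there, and that a directory on disk is a real directory with the expected owner and no group or world write bit. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not firejail code. Function names are illustrative.

# check_tmpfiles_line LINE PATH
#   0: LINE is a "d" entry for PATH, root:root, not group/world-writable
#   1: LINE targets PATH but is malformed or too permissive
#   2: comment, blank line, or an entry for another path
check_tmpfiles_line() {
    line=$1; want=$2
    case $line in ''|'#'*) return 2 ;; esac
    set -f            # no globbing while word-splitting the entry
    set -- $line      # fields: Type Path Mode UID GID Age Argument
    set +f
    [ "${2:-}" = "$want" ] || return 2
    [ "$1" = d ] || return 1
    case ${3:-} in ''|*[!0-7]*) return 1 ;; esac
    [ $(( 0$3 & 022 )) -eq 0 ] || return 1
    [ "${4:-}" = root ] && [ "${5:-}" = root ]
}

# audit_conf PATH < tmpfiles.d file: prints ok, unsafe or missing
audit_conf() {
    result=missing
    while IFS= read -r l || [ -n "$l" ]; do
        rc=0; check_tmpfiles_line "$l" "$1" || rc=$?
        case $rc in 0) result=ok ;; 1) result=unsafe; break ;; esac
    done
    echo "$result"
}

# check_dir PATH OWNER: succeeds only for a real directory (not a symlink)
# owned by OWNER with no group or world write bit.
check_dir() {
    [ -n "$(find "$1" -prune -type d -user "$2" \
        ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# Constructed samples: the entry from the post and a loosened variant.
GOOD='d /run/firejail/mnt 0755 root root - -'
BAD='d /run/firejail/mnt 0777 root root - -'
printf '%s\n' '#Type Path Mode UID GID Age Argument' "$GOOD" | audit_conf /run/firejail/mnt
printf '%s\n' "$BAD" | audit_conf /run/firejail/mnt
```

On a live system, `check_dir /run/firejail/mnt root` confirms the directory after `systemd-tmpfiles --create` has run.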

gitea-mirror 2026-05-05 06:15:12 -06:00: closed this issue; added the bug label

@netblue30 commented on GitHub (Nov 1, 2016):

> (1) failure:

It was introduced a few days ago. I put a fix in, it should be all fine now.

> (2) success:

The problem here is "--private=$HOME" somehow fails to mount a temporary filesystem on top of $HOME. I'll have to look at it, so I'll leave the bug open. Instead of "--private=$HOME" use "--private", they are equivalent:

$ firejail --dns=127.0.0.1 --private --name=claws-mail claws-mail

This should work.


@ghost commented on GitHub (Nov 4, 2016):

Thanks for fixing (1). Errors & warnings related to .Xauthority and .asoundrc are indeed gone now. I did some follow-up and testing with claws-mail and some other progs, using both private and private=$HOME. Although you stated that they are equivalent, things look very different here. When using --private claws-mail throws its setup wizard and there are some warnings about missing files.

$ firejail --debug --dns=127.0.0.1 --private --profile=/etc/firejail/claws-mail.profile --name=claws-mail claws-mail
Full output: https://gist.github.com/4a86282ecbc246b476340be11541c57d [fj.issue.886-private]
Relevant snippet:
** (claws-mail:6): WARNING **: failed to open directory: /etc/skel/.claws-mail
/home/dirkos/.claws-mail/clawsrc: fopen: No such file or directory
xml.c:156 Condition file != NULL failed
xml.c:636 Condition node != NULL failed
(claws-mail:6): Claws-Mail-WARNING **: couldn't read password store from file: Failed to open file '/home/dirkos/.claws-mail/passwordstorerc': No such file or directory

Both warnings are confirmed when joining the sandbox:
$ firejail --join=claws-mail
Switching to pid 16247, the first child process inside the sandbox
Child process initialized
[dirkos@lab16 ~]$ ls -la .claws-mail/
total 12
drwx------ 8 dirkos dirkos 240 Nov 4 13:30 .
drwx------ 3 dirkos dirkos 120 Nov 4 13:30 ..
-rw-r--r-- 1 dirkos dirkos 2040 Nov 4 13:30 accountrc.tmpl
drwx------ 2 dirkos dirkos 100 Nov 4 13:30 addrbook
-rw-r--r-- 1 dirkos dirkos 0 Nov 4 13:30 claws.log
-rw-r--r-- 1 dirkos dirkos 45 Nov 4 13:30 filtering.log
drwx------ 2 dirkos dirkos 40 Nov 4 13:30 imapcache
drwx------ 2 dirkos dirkos 40 Nov 4 13:30 mimetmp
drwx------ 2 dirkos dirkos 40 Nov 4 13:30 newscache
drwx------ 2 dirkos dirkos 40 Nov 4 13:30 tmp
-rw------- 1 dirkos dirkos 769 Nov 4 13:30 toolbar_main.xml
drwx------ 2 dirkos dirkos 40 Nov 4 13:30 uidl
= = =

$ firejail --dns=127.0.0.1 --private=$HOME --profile=/etc/firejail/claws-mail.profile claws-mail
Full output: https://gist.github.com/780e47e876ed82fc89ded650598eb810 [fj.issue.886-private=$HOME]

No warnings from claws-mail this time and it behaves as expected.
Instead of the 12 files shown in the sandbox when using --private, the full 188 files
in the claws-mail profile are there, the 'missing' passwordstorerc included:

$ firejail --join=claws-mail
Switching to pid 17542, the first child process inside the sandbox
Child process initialized
[dirkos@lab16 ~]$ ls -la .claws-mail/
total 188
...
-rw------- 1 dirkos dirkos 1088 Nov 4 13:27 passwordstorerc
-rw------- 1 dirkos dirkos 1088 Nov 4 13:27 passwordstorerc.bak
...

Feel free to ask for further output. I do realize this is not entirely related to why I filed
this issue in the first place, so if you want me to open a new one on this, I'll be happy to oblige.


@netblue30 commented on GitHub (Nov 12, 2016):

All fixed, thanks.


@ghost commented on GitHub (Nov 13, 2016):

Hi, after rebuilding firejail with the latest commits from git, including e75dfa59eb (bugfix: --private=dir where dir is the user home directory) for me the issue is not fixed. In fact, all my firejail related scripts using '--private=$HOME' now fail again. I've opened https://github.com/netblue30/firejail/issues/910 as this is closed.

Regards
