[GH-ISSUE #1088] Sandboxed daemon cannot mmap to kernel #743

Closed
opened 2026-05-05 06:33:25 -06:00 by gitea-mirror · 4 comments

Originally created by @xplodwild on GitHub (Feb 3, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1088

Hi,

I'm currently trying to sandbox a daemon which mmaps a shared library (.so) to kernel memory to save memory in case multiple instances are running. However, when running through firejail, the mmap2 call fails.

strace log when running `firejail --noprofile strace ./bin` as a normal user:

```
open("/var/opt/.../libderp32-linux.so", O_RDONLY|O_CLOEXEC) = 5
read(5, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0P\370\3\0004\0\0\0"..., 512) = 512
fstat64(5, {st_mode=S_IFREG|0777, st_size=4647528, ...}) = 0
mmap2(NULL, 4642720, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = -1 EPERM (Operation not permitted)
close(5)
```

However, when running `sudo firejail --noprofile strace ./bin`, the binary runs fine and the library is mmap'd properly. Similarly, running `./bin` without firejail works fine too.

Am I missing something or is it a firejail bug?
Thanks!


@netblue30 commented on GitHub (Feb 8, 2017):

Does it work as "sudo firejail --noprofile ./bin" ?


@xplodwild commented on GitHub (Feb 13, 2017):

Yes, as mentioned in my issue, it works with `sudo firejail --noprofile ./bin`, `sudo ./bin`, `./bin`, but not `firejail --noprofile ./bin`


@chiraag-nataraj commented on GitHub (Sep 30, 2018):

@xplodwild Is this still an issue?


@chiraag-nataraj commented on GitHub (May 21, 2019):

Going to close for inactivity. @xplodwild, please feel free to re-open if this is still an issue.
