[GH-ISSUE #1109] Qemu Woes #758

Closed
opened 2026-05-05 06:35:26 -06:00 by gitea-mirror · 9 comments

Originally created by @indolering on GitHub (Feb 20, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1109

I upgraded Firejail and when I open Boxes I can't see any of my virtual machines. Looking at the system logs, it appears as if Firejail had trouble with the existing sandbox profile .... ?

```
5:04:20 PM libvirtd: End of file while reading data: Input/output error
5:03:40 PM kernel: Cannot access vdagent virtio channel /dev/virtio-ports/com.redhat.spice.0
5:03:29 PM kernel: Cannot access vdagent virtio channel /dev/virtio-ports/com.redhat.spice.0
5:03:27 PM libvirtd: internal error: Child process (LC_ALL=C PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin /usr/local/bin/qemu-system-x86_64 -help) unexpected exit status 1: Reading profile /etc/firejail/qemu-system-x86_64.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Error mkdir: fs_home.c:305 fs_private: File exists
Error: cannot establish communication with the parent, exiting...
```

I disabled the Firejail qemu profile and Boxes works just fine.

Fedora 25,
Firejail: 0.9.45, release 0.1.201702191845git884fdb7.fc25


@netblue30 commented on GitHub (Feb 21, 2017):

How did you disable qemu profile? What commands do you use to start the sandbox (with or without qemu profile)?


@indolering commented on GitHub (Feb 21, 2017):

> How did you disable qemu profile?

It's a PITA, renaming (by changing the extension) and overriding via .local don't work, so I just commented out the entire profile.

> What commands do you use to start the sandbox (with or without qemu profile)?

None, it's part of the default set. Is there a flip I can switch to enable auditing for a specific profile?


@netblue30 commented on GitHub (Feb 22, 2017):

That's good, it means the namespaces are working fine. You would need to find out the line (or the lines) in the profile that create the problem. Open the profile in a text editor and enable the lines one by one.

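An added example (not from the issue thread or the firejail project) that automates the line-by-line re-enabling netblue30 suggests: it grows a candidate profile one directive at a time and reports the first line whose addition makes the sandboxed command fail. It assumes `firejail` is installed and `qemu-system-x86_64` lives in `/usr/bin`; the runner command is a parameter so a stub can be substituted when firejail is not available.

```sh
#!/bin/sh
# find_breaking_line PROFILE [RUNNER]
# Re-enables PROFILE one directive at a time (blank lines and comments are
# skipped) and runs RUNNER on the growing candidate profile after each
# addition. Prints the first line whose addition makes RUNNER fail and
# returns 0; prints nothing and returns 1 if the whole profile passes.
find_breaking_line() {
    profile=$1
    runner=${2:-default_runner}
    tmp=$(mktemp) || return 2
    rc=1
    while IFS= read -r line || [ -n "$line" ]; do
        # Comments and blank lines cannot be the culprit.
        case $line in ''|\#*) continue ;; esac
        printf '%s\n' "$line" >> "$tmp"
        if ! "$runner" "$tmp" >/dev/null 2>&1; then
            printf '%s\n' "$line"
            rc=0
            break
        fi
    done < "$profile"
    rm -f "$tmp"
    return "$rc"
}

# Default check: the same probe libvirtd ran in the original log, now under
# the candidate profile. Assumes qemu-system-x86_64 is in /usr/bin (assumption).
default_runner() {
    firejail --quiet --profile="$1" /usr/bin/qemu-system-x86_64 -help
}

# Usage (assumed file name):
#   . ./bisect-profile.sh
#   find_breaking_line /etc/firejail/qemu-system-x86_64.profile
```

The reported line is the one that, combined with the lines above it, first breaks the sandbox, so a conflict between two directives shows up as the later of the two.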

@indolering commented on GitHub (Feb 22, 2017):

Argh, so it turns out that I wasn't properly relaunching the sandbox (I thought that re-logging in was good enough but I need to do a complete restart). I commented out both the system and launcher profiles but it doesn't seem to work.

Could it be the use of the Copr repo (which pulls from master)? Is there someone more capable of troubleshooting that runs Fedora we can ping?


@indolering commented on GitHub (Mar 28, 2017):

@netblue30 I just updated to the latest version of Firejail and I still can't open Boxes without issues.


@netblue30 commented on GitHub (Mar 31, 2017):

Reopening!


@chiraag-nataraj commented on GitHub (Jul 28, 2018):

Is this still an issue?


@chiraag-nataraj commented on GitHub (Jul 28, 2018):

For example, the following profile works for me:

```
blacklist /usr/local/bin
blacklist /usr/local/sbin

blacklist /boot

private-tmp
disable-mnt
private-opt emp

shell none
seccomp
seccomp.block-secondary
noroot
caps.drop all
apparmor
nonewprivs
ipc-namespace
machine-id
nodbus
nou2f
nogroups
memory-deny-write-execute

whitelist ${DOWNLOADS}
whitelist ${HOME}/qemu-vms
whitelist ${HOME}/.config/gtk-3.0
whitelist ${HOME}/.themes

private-etc qemu-ifdown,qemu-ifup,fonts,resolv.conf,nsswitch.conf
private-bin qemu-system-x86_64
```

(as the profile might suggest, qemu VMs are stored in `qemu-vms`)

[Edit] To clarify though, I'm on Debian [unstable/experimental] and running the firejail from git.


@chiraag-nataraj commented on GitHub (Jul 30, 2018):

Closing for now since there's been no activity in over a year. @indolering, please feel free to reopen if you still have this issue with the latest version of firejail.

Reference: github-starred/firejail#758