[GH-ISSUE #1324] seccomp.keep fails on Arch #906

Closed
opened 2026-05-05 07:07:10 -06:00 by gitea-mirror · 4 comments

Originally created by @tsankuanglee on GitHub (May 31, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1324

I'm getting this on Arch. I wonder whether it's an Arch only problem.

```
$ uname -a
Linux localhost 4.11.3-1-ARCH #1 SMP PREEMPT Sun May 28 10:40:17 CEST 2017 x86_64 GNU/Linux
$ cat test.profile
seccomp.keep poll
$ firejail --profile=test.profile
Reading profile test.profile
Parent pid 13292, child pid 13293
Error: proc 13292 cannot sync with peer: unexpected EOF
Peer 13293 unexpectedly killed (Bad system call)
```

@netblue30 commented on GitHub (Jun 1, 2017):

seccomp.keep lines are usually very large. A simple /bin/bash session will get you around 50 syscalls, while a regular GUI program is over 100 - you have an example here: https://github.com/netblue30/firejail/issues/1323

Also, read this document: https://firejail.wordpress.com/documentation-2/seccomp-guide/. It is not as up to date as it should be, but it will get you started.


@tsankuanglee commented on GitHub (Jun 5, 2017):

Thanks a lot for the link. I had actually read that post before posting. The problem here is that it fails on Arch regardless of what's given to seccomp.keep.


@netblue30 commented on GitHub (Jun 5, 2017):

Run a sandbox and use --debug to print out the debug messages, and put the output here.


@tsankuanglee commented on GitHub (Jun 22, 2017):

Sorry for the late reply. Here's the output. (environment is the same)

```
$ uname -a
Linux quartet 4.11.5-1-ARCH #1 SMP PREEMPT Wed Jun 14 16:19:27 CEST 2017 x86_64 GNU/Linux
$ cat test.profile
seccomp.keep poll
$ firejail --profile=test.profile --debug
Reading profile test.profile
Autoselecting /bin/bash as shell
Command name #/bin/bash#
DISPLAY=:1.0 parsed as 1
Using the local network stack
Parent pid 19647, child pid 19648
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/nginx
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/me/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Current directory: /home/me/jails
DISPLAY=:1.0 parsed as 1
Masking all X11 sockets except /tmp/.X11-unix/X1
Build drop seccomp filter
sbox run: /usr/lib/firejail/fseccomp keep /run/firejail/mnt/seccomp poll (null)
sbox file descriptors:
total 0
lrwx------ 1 me me 64 Jun 22 01:01 0 -> /dev/null
lrwx------ 1 me me 64 Jun 22 01:01 1 -> /dev/pts/1
lrwx------ 1 me me 64 Jun 22 01:01 2 -> /dev/pts/1
lr-x------ 1 me me 64 Jun 22 01:01 3 -> /proc/3/fd
Dropping all capabilities
Username me, no supplementary groups
seccomp filter configured
sbox run: /usr/lib/firejail/fseccomp print /run/firejail/mnt/seccomp (null)
sbox file descriptors:
total 0
lrwx------ 1 me me 64 Jun 22 01:01 0 -> /dev/null
lrwx------ 1 me me 64 Jun 22 01:01 1 -> /dev/pts/1
lrwx------ 1 me me 64 Jun 22 01:01 2 -> /dev/pts/1
lr-x------ 1 me me 64 Jun 22 01:01 3 -> /proc/5/fd
SECCOMP Filter:
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCAL
  UNKNOWN ENTRY!!!
  UNKNOWN ENTRY!!!
  UNKNOWN ENTRY!!!
  WHITELIST 105 setuid
  WHITELIST 106 setgid
  WHITELIST 116 setgroups
  WHITELIST 32 dup
  WHITELIST 157 prctl
  WHITELIST 7 poll
  KILL_PROCESS
configuring 20 seccomp entries from /run/firejail/mnt/seccomp
Error: proc 19647 cannot sync with peer: unexpected EOF
Peer 19648 unexpectedly killed (Bad system call)
```
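The filter in the debug output above whitelists six syscalls and returns KILL_PROCESS for everything else, so the sandboxed child is killed with SIGSYS ("Bad system call") on its first syscall outside that list. As an added example (not firejail's code), the following reconstructs that whitelist as a cBPF program and evaluates it in a small userspace interpreter rather than installing it; it assumes x86_64 syscall numbers (7 = poll, 59 = execve) and leaves out the three UNKNOWN ENTRY instructions the debug printer could not decode, so it is a simplified model of the 20-entry filter, not a byte-for-byte copy.

```c
/* Added example, not firejail's code: a simplified reconstruction of the whitelist
 * filter "fseccomp print" shows above, evaluated by a tiny userspace cBPF interpreter
 * instead of being installed. x86_64 syscall numbers; the UNKNOWN ENTRY lines are omitted. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
/* BPF_STMT/BPF_JUMP expand to brace lists; wrap them as compound literals. */
#define STMT(c, k) (struct sock_filter) BPF_STMT(c, k)
#define JUMP(c, k, jt, jf) (struct sock_filter) BPF_JUMP(c, k, jt, jf)

/* The WHITELIST lines from the debug output: setuid, setgid, setgroups, dup, prctl, poll. */
static const uint32_t kept[] = { 105, 106, 116, 32, 157, 7 };
#define NKEPT (sizeof kept / sizeof kept[0])
static struct sock_filter prog[4 + NKEPT + 2];

/* VALIDATE_ARCHITECTURE, EXAMINE_SYSCALL, one JEQ per kept syscall (jumping to the
 * final ALLOW) and KILL_PROCESS for everything that falls through. */
static size_t build_filter(void) {
    size_t i = 0;
    prog[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < NKEPT; k++)   /* jt skips the remaining JEQs and the KILL */
        prog[i++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, kept[k], (uint8_t)(NKEPT - k), 0);
    prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}
/* Interpreter for the three cBPF opcodes used above; anything else fails closed. */
static uint32_t run_filter(const struct sock_filter *p, size_t len, const struct seccomp_data *d) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        switch (p[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:  memcpy(&acc, (const char *)d + p[pc].k, 4); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf; break;
        case BPF_RET | BPF_K:           return p[pc].k;
        default:                        return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Verdict for one syscall number arriving under the given audit arch. */
uint32_t verdict(int nr, uint32_t arch) {
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(prog, build_filter(), &d);
}
```

verdict(7, AUDIT_ARCH_X86_64) yields SECCOMP_RET_ALLOW for poll, while verdict(59, AUDIT_ARCH_X86_64) yields SECCOMP_RET_KILL for execve, which is the fate of any syscall a program needs that the profile's seccomp.keep line does not name.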
Reference: github-starred/firejail#906