[GH-ISSUE #1328] firejail 0.9.46 private-bin breaks with no errors or warnings #907

Closed
opened 2026-05-05 07:07:31 -06:00 by gitea-mirror · 6 comments

Originally created by @chiraag-nataraj on GitHub (Jun 3, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1328

In that same mutt profile, I have the following line:

```
private-bin sh,mutt,mutt_dotlock,bash,emacsclient,elinks,gpg,gpg-agent,pinentry,dig,awk
```

This line works perfectly well in 0.9.44 but mutt refuses to launch the editor (emacsclient) in 0.9.46. Commenting out this line fixes the problem.

Why would the binaries needed by mutt change based on the firejail version?


@Fred-Barclay commented on GitHub (Jun 3, 2017):

@chiraag-nataraj Try doing the following:

```
firejail --private-bin=sh,mutt,mutt_dotlock,bash,emacsclient,elinks,gpg,gpg-agent,pinentry,dig,awk
```

Then run mutt and try to launch the editor. Copy the output here.
Thanks!

Note to self: see #1327


@chiraag-nataraj commented on GitHub (Jun 3, 2017):

There's no output. That's what gets me. Mutt supposedly tries to launch the editor and immediately aborts with no explanation whatsoever. No seccomp entry or anything (already checked). I am going to continue investigating.


@chiraag-nataraj commented on GitHub (Jun 3, 2017):

When I use firejail --trace, I get the following (it's not much):

```
Reading profile /home/chiraag/.config/firejail/mutt.profile
Parent pid 17829, child pid 17830
Warning: skipping proxychains.conf for private /etc
23:fseccomp:open /run/firejail/mnt/seccomp:3
Child process initialized in 46.21 ms
24:bash:open /dev/tty:3
24:mutt:fopen /proc/filesystems:0x55fdf506b040
24:mutt:access /etc/selinux/config:-1
24:mutt:access /lib/terminfo/r/rxvt-unicode:0
24:mutt:fopen /lib/terminfo/r/rxvt-unicode:0x55fdf50aac60
24:mutt:fopen /home/chiraag/.muttrc/.muttrc.localb:0x55fdf51521b0
24:mutt:fopen /home/chiraag/.muttrc/.muttrc.local:0x55fdf514c310
24:mutt:fopen /home/chiraag/.mutthistory:(nil)
24:mutt:unlink /tmp/user/1000/mutt1000/mutt-chiraag-1000-24-9486865720593099851:0
24:mutt:unlink /tmp/user/1000/mutt1000/mutt-chiraag-1000-24-15104734278847866818:0
24:mutt:unlink /tmp/user/1000/mutt1000/mutt-chiraag-1000-24-9060183403553630014:0
Mailbox is unchanged.

Parent is shutting down, bye...
```

The unlink calls are where I try to read an email.

When it works properly, I get:

```
Reading profile /home/chiraag/.config/firejail/mutt.profile
Parent pid 18192, child pid 18193
Warning: skipping proxychains.conf for private /etc
12:fseccomp:open /run/firejail/mnt/seccomp:3
Child process initialized in 44.57 ms
13:bash:open /dev/tty:3
13:mutt:fopen /proc/filesystems:0x557832ec2040
13:mutt:access /etc/selinux/config:-1
13:mutt:access /lib/terminfo/r/rxvt-unicode:0
13:mutt:fopen /lib/terminfo/r/rxvt-unicode:0x557832f01c60
13:mutt:fopen /home/chiraag/.muttrc/.muttrc.localb:0x557832faa3d0
13:mutt:fopen /home/chiraag/.muttrc/.muttrc.local:0x557832fa3310
13:mutt:fopen /home/chiraag/.mutthistory:(nil).rc:0x557832faa3d0
19:emacsclient:socket AF_LOCAL SOCK_STREAM 0:33d0
19:emacsclient:connect 3 /tmp/user/1000/emacs1000/server:0
Waiting for Emacs...uttrc.d/smime.rc:0x557832faa3d0
13:mutt:unlink /tmp/user/1000/mutt1000/mutt-chiraag-1000-13-4577586848044658258:0
Mailbox is unchanged.

Parent is shutting down, bye...
```

@chiraag-nataraj commented on GitHub (Jun 3, 2017):

Ha. Aha. Ahahahahahaha. Symlinks. So /usr/bin/emacsclient -> /usr/bin/emacsclient.emacs25 and I didn't whitelist that. I guess the link-following policy changed between the two versions?


@chiraag-nataraj commented on GitHub (Jun 3, 2017):

Hmm...so now I have this weird problem where I can manually call it (using firejail --join and manually invoking the editor), but it doesn't work from within mutt.

[edit] Another symlink - this one from /bin/sh to /bin/dash.


@chiraag-nataraj commented on GitHub (Jun 3, 2017):

Issue fixed. The main thing was the symlink following behavior which changed. I guess I could have also changed the default in /etc/firejail/firejail.config 😛.
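A check for the failure mode this thread traced down, added here as an example (it is not firejail's code nor the issue author's): it resolves each private-bin entry on a PATH with `readlink -f` and reports symlink targets that are not themselves in the list, which is exactly what was missing for emacsclient -> emacsclient.emacs25 and sh -> dash above. The function names and the PATH argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from firejail or from this issue. Under the 0.9.46
# behaviour described in the thread, a symlinked private-bin entry needs its
# target listed too, or the program silently fails to run it. These helpers
# find such gaps in a private-bin list before the profile is deployed.

# resolve_bin NAME PATH: print the fully resolved path of NAME found on the
# colon-separated PATH; exit 1 if NAME is not on that PATH.
resolve_bin() {
  _name=$1
  _saved_ifs=$IFS; IFS=:
  for _dir in $2; do
    if [ -e "$_dir/$_name" ]; then
      IFS=$_saved_ifs
      readlink -f "$_dir/$_name"      # follows the whole symlink chain
      return 0
    fi
  done
  IFS=$_saved_ifs
  return 1
}

# check_private_bin LIST PATH: print "name -> target" for each entry whose
# resolved basename is missing from LIST; names not on PATH go to stderr.
check_private_bin() {
  _list=$1
  for _n in $(echo "$_list" | tr ',' ' '); do
    _t=$(resolve_bin "$_n" "$2") || { echo "$_n: not found on PATH" >&2; continue; }
    _b=$(basename "$_t")
    case ",$_list," in
      *",$_b,"*) ;;                  # target (or the name itself) is listed
      *) echo "$_n -> $_b" ;;
    esac
  done
}

# fix_private_bin LIST PATH: print LIST with every missing target appended
# once, ready to paste back into the profile's private-bin line.
fix_private_bin() {
  _out=$1
  for _b in $(check_private_bin "$1" "$2" | awk '{ print $3 }'); do
    case ",$_out," in *",$_b,"*) ;; *) _out="$_out,$_b" ;; esac
  done
  echo "$_out"
}

# Usage: sh check_private_bin.sh "sh,mutt,emacsclient,elinks,gpg" [PATH]
if [ $# -gt 0 ]; then
  fix_private_bin "$1" "${2:-$PATH}"
fi
```

Run it against the real PATH of the machine that will host the sandbox, since the symlink layout (dash vs. bash for sh, versioned emacsclient names) is distribution-specific.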
