[GH-ISSUE #1371] seccomp and ignore #937

Closed
opened 2026-05-05 07:11:40 -06:00 by gitea-mirror · 3 comments

Originally created by @nick75e on GitHub (Jul 10, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1371

Hi,

In order to make Firefox's CDM work with Netflix I had to get rid of chroot in seccomp.
Since seccomp is in an included profile, I use ignore then seccomp.drop. e.g.:

ignore seccomp
include block.inc         #where seccomp is
seccomp.drop list_of_syscalls

The problem is that ignore blocks both seccomp and seccomp.drop.
Can you fix this, please?

gitea-mirror 2026-05-05 07:11:40 -06:00: closed this issue and added the bug label

@startx2017 commented on GitHub (Jul 10, 2017):

This is a bug, I am working on a fix, I'll have it by tomorrow.

Until the fix is in, @nick75e try this in your profile:

seccomp.drop list_of_syscalls
include block.inc         #where seccomp is

Looking in the code, in the presence of multiple seccomp definitions, firejail will pick only one, in the following order:

seccomp.keep
seccomp.drop
seccomp call_list
seccomp

Also, if a --appimage, --chroot, or --overlay command is present, seccomp will always run the default seccomp filter (--seccomp). I'll document them in the man page.

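To make the interaction of ignore, include and the seccomp precedence list concrete, here is a small model of the profile resolution described in the comment above. It is an added illustration, not firejail's own parser: include files live in an in-memory dict, `ignore` can be applied either by prefix match (the reported bug, where `ignore seccomp` also swallows `seccomp.drop`) or by exact keyword match, and the surviving definitions are resolved in the order seccomp.keep, seccomp.drop, seccomp with a list, bare seccomp. The block.inc contents, the syscall list in seccomp.drop and the function names are all constructed for the example.

```python
"""Model of the firejail profile behaviour described in this thread.

Added illustration only: this is not firejail's parser. It expands
`include` from an in-memory dict, applies `ignore` either by prefix match
(the reported bug: `ignore seccomp` also swallows `seccomp.drop`) or by
exact command keyword, then picks the single effective seccomp definition
in the precedence order given above (seccomp.keep, seccomp.drop,
seccomp <list>, seccomp). File contents and syscall lists are constructed.
"""
from typing import Dict, List, Optional

# Constructed stand-in for the real block.inc; the bare `seccomp` line is the point.
FILES: Dict[str, str] = {
    "block.inc": "# constructed include file\nseccomp\ncaps.drop all\n",
}

# The profile from the issue, with a constructed drop list that omits chroot.
ISSUE_PROFILE = "ignore seccomp\ninclude block.inc   #where seccomp is\nseccomp.drop mount,umount2,ptrace\n"
# The workaround proposed in the comment above: no ignore, seccomp.drop first.
WORKAROUND_PROFILE = "seccomp.drop mount,umount2,ptrace\ninclude block.inc   #where seccomp is\n"

# Resolution order when several seccomp definitions survive parsing.
PRECEDENCE = ("seccomp.keep", "seccomp.drop", "seccomp-list", "seccomp")


def _strip(line: str) -> str:
    """Drop trailing '#' comments and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def flatten(text: str, files: Dict[str, str]) -> List[str]:
    """Expand `include NAME` recursively into one flat list of commands."""
    out: List[str] = []
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        if line.startswith("include "):
            out.extend(flatten(files[line.split(None, 1)[1]], files))
        else:
            out.append(line)
    return out


def apply_ignore(cmds: List[str], exact: bool) -> List[str]:
    """Remove every command named by an `ignore X` line.

    exact=False reproduces the reported bug: `ignore seccomp` drops any
    command whose text starts with 'seccomp', so seccomp.drop is lost too.
    exact=True compares the command keyword only, so `seccomp` and
    `seccomp <list>` are ignored but `seccomp.drop` survives.
    """
    ignored = {c.split(None, 1)[1] for c in cmds if c.startswith("ignore ")}
    kept: List[str] = []
    for c in cmds:
        if c.startswith("ignore "):
            continue
        keyword = c.split(None, 1)[0]
        hit = keyword in ignored if exact else any(c.startswith(i) for i in ignored)
        if not hit:
            kept.append(c)
    return kept


def classify(cmd: str) -> Optional[str]:
    """Map a command to one of the PRECEDENCE classes, or None if unrelated."""
    keyword, _, arg = cmd.partition(" ")
    if keyword == "seccomp":
        return "seccomp-list" if arg else "seccomp"
    if keyword in ("seccomp.keep", "seccomp.drop"):
        return keyword
    return None


def effective_seccomp(profile: str, files: Dict[str, str], exact_ignore: bool,
                      forced_default: bool = False) -> Optional[str]:
    """Return the one seccomp command firejail would act on, or None.

    forced_default models --appimage/--chroot/--overlay, which the comment
    says always select the default filter regardless of the profile.
    """
    if forced_default:
        return "seccomp"
    present: Dict[str, str] = {}
    for cmd in apply_ignore(flatten(profile, files), exact_ignore):
        kind = classify(cmd)
        if kind is not None:
            present.setdefault(kind, cmd)
    for kind in PRECEDENCE:
        if kind in present:
            return present[kind]
    return None


if __name__ == "__main__":
    print("buggy ignore  :", effective_seccomp(ISSUE_PROFILE, FILES, exact_ignore=False))
    print("exact ignore  :", effective_seccomp(ISSUE_PROFILE, FILES, exact_ignore=True))
    print("workaround    :", effective_seccomp(WORKAROUND_PROFILE, FILES, exact_ignore=True))
    print("with --chroot :", effective_seccomp(ISSUE_PROFILE, FILES, exact_ignore=True, forced_default=True))
```

With prefix matching the issue profile ends up with no seccomp filter at all, which is the silent failure mode worth checking for: a sandbox that looks configured but runs unfiltered. On a real system, verify what was actually applied rather than trusting the profile, for example via the Seccomp field in /proc/PID/status of the sandboxed process.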

@nick75e commented on GitHub (Jul 11, 2017):

Thanks but your workaround doesn't work.
This is what I get (only an excerpt):

configuring 12 seccomp entries from /run/firejail/mnt/seccomp.protocol
firejail: seccomp.c:176: seccomp_filter_drop: Assertion `0' failed.
Error: proc 29935 cannot sync with peer: unexpected EOF
Peer 29936 unexpectedly killed (Segmentation fault)

I'll wait for the fix. In the meantime, I've imported the options from the include into the profile.


@netblue30 commented on GitHub (Jul 13, 2017):

> firejail: seccomp.c:176: seccomp_filter_drop: Assertion `0' failed.

This is the old code; you didn't update or didn't install the new version. The fix is in. Do like this:

$ git pull
$ make && sudo make install
Reference: github-starred/firejail#937