github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1414] Firefox Nightly broken due to firejail's seccomp #963

New issue
Closed
opened 2026-05-05 07:13:29 -06:00 by gitea-mirror · 14 comments
gitea-mirror commented 2026-05-05 07:13:29 -06:00
Owner
Copy link

Originally created by @RalfJung on GitHub (Jul 29, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1414

Firefox is itself sandboxing the content processes with seccomp. Nesting seccomp does not seem to be possible, so the fact that firejail uses seccomp actually silently breaks Firefox' sandbox and decreases their isolation.
To make things worse, current Firefox nightly breaks badly when used in firejail; it seems the breakage of seccomp is no longer silent. Also see https://bugzilla.mozilla.org/show_bug.cgi?id=1384804 for some more information.

I commented out the "seccomp" filter in the firefox.profile to fix my issues. I think that should be shipped as new default, or else people will experience breakage when using Firefox with firejail.

Originally created by @RalfJung on GitHub (Jul 29, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1414 Firefox is itself sandboxing the content processes with seccomp. Nesting seccomp does not seem to be possible, so the fact that firejail uses seccomp actually silently breaks Firefox' sandbox and *decreases* their isolation. To make things worse, current Firefox nightly breaks badly when used in firejail; it seems the breakage of seccomp is no longer silent. Also see https://bugzilla.mozilla.org/show_bug.cgi?id=1384804 for some more information. I commented out the "seccomp" filter in the firefox.profile to fix my issues. I think that should be shipped as new default, or else people will experience breakage when using Firefox with firejail.
gitea-mirror 2026-05-05 07:13:29 -06:00
gitea-mirror commented 2026-05-05 07:13:34 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Jul 30, 2017):

I cannot confirm this for Nightly 56.0a1 on Fedora 26. It works for me both with /etc/firejail/firefox.profile and with my modified profile where I added some other stuff. In fact, I'm writing this in the firejailed Nightly.

However, this may be different on another distro. Which one are you using?

Having said that, I think that problems with Firejail can be expected once the Firefox sandbox is complete. It is basically the one used in Chromium - and for that one it depends on if your distro supports user namespaces or not, see this post and the discussion thereafter. For example, I can use Google Chrome with the settings mentioned in that post and with a long list of syscalls in seccomp.keep. If you're using a distro that doesn't support user namespaces that won't be possible.

<!-- gh-comment-id:318891825 --> @curiosity-seeker commented on GitHub (Jul 30, 2017): I cannot confirm this for Nightly 56.0a1 on Fedora 26. It works for me both with /etc/firejail/firefox.profile and with my modified profile where I added some other stuff. In fact, I'm writing this in the firejailed Nightly. However, this may be different on another distro. Which one are you using? Having said that, I think that problems with Firejail can be expected once the Firefox sandbox is complete. It is basically the one used in Chromium - and for that one it depends on if your distro supports user namespaces or not, see [this](https://github.com/netblue30/firejail/issues/554#issuecomment-303456703) post and the discussion thereafter. For example, I can use Google Chrome with the settings mentioned in that post and with a [long list of syscalls](https://github.com/netblue30/firejail/issues/554#issuecomment-305469593) in `seccomp.keep`. If you're using a distro that doesn't support user namespaces that won't be possible.
gitea-mirror commented 2026-05-05 07:13:35 -06:00
Author
Owner
Copy link

@RalfJung commented on GitHub (Jul 30, 2017):

I am using Debian teseting. Also, I should have been more clear: Not all websites are broken. One particular website which reliably breaks for me (and which I used for the regression test in the Firefox bugreport I linked) is https://youtube.com.

<!-- gh-comment-id:318917806 --> @RalfJung commented on GitHub (Jul 30, 2017): I am using Debian teseting. Also, I should have been more clear: Not all websites are broken. One particular website which reliably breaks for me (and which I used for the regression test in the Firefox bugreport I linked) is <https://youtube.com>.
gitea-mirror commented 2026-05-05 07:13:36 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Jul 30, 2017):

I did a bit of testing and I cannot repro this issue. As gcp said in the linked bug report, I agree that Firejail is silently breaking Firefox's sandbox and or Firefox is falsely reporting under about:support, and 'seccomp' will need to be eventually removed as has been done for Chromium-based browsers.

<!-- gh-comment-id:318936205 --> @SkewedZeppelin commented on GitHub (Jul 30, 2017): I did a bit of testing and I cannot repro this issue. As gcp said in the linked bug report, I agree that Firejail is silently breaking Firefox's sandbox and or Firefox is falsely reporting under about:support, and 'seccomp' will need to be eventually removed as has been done for Chromium-based browsers.
gitea-mirror commented 2026-05-05 07:13:38 -06:00
Author
Owner
Copy link

@RalfJung commented on GitHub (Jul 31, 2017):

I did a bit of testing and I cannot repro this issue.

Strange. Maybe it has something to do with drivers (video playback seems involved, with YouTube being a trigger for me). I'm on an Intel card, and I think I got the video acceleration drivers installed.

<!-- gh-comment-id:318960124 --> @RalfJung commented on GitHub (Jul 31, 2017): > I did a bit of testing and I cannot repro this issue. Strange. Maybe it has something to do with drivers (video playback seems involved, with YouTube being a trigger for me). I'm on an Intel card, and I think I got the video acceleration drivers installed.
gitea-mirror commented 2026-05-05 07:13:39 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Jul 31, 2017):

Okay, for whatever reason I ran into problems today, too. Firefox Nightly wouldn't even start. After playing around a while I added this line to the profile:

seccomp.keep access,arch_prctl,bind,brk,capget,capset,chmod,clock_getres,clone,close,connect,dup2,epoll_create1,epoll_ctl,epoll_wait,eventfd2,execve,exit,exit_group,fadvise64,fallocate,fchmod,fchown,fcntl,fstat,fstatfs,fsync,ftruncate,futex,getcwd,getdents,getdents64,getegid,geteuid,getgid,get_mempolicy,getpeername,getpgrp,getpid,getppid,getpriority,getrandom,getresgid,getresuid,getrusage,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,ioctl,kill,lseek,lstat,madvise,memfd_create,mkdir,mmap,mprotect,munmap,nanosleep,open,pipe,pipe2,poll,pread64,prlimit64,ptrace,pwrite64,quotactl,read,readahead,readlink,recvfrom,recvmsg,rename,rmdir,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_yield,seccomp,sendmmsg,sendmsg,sendto,setpriority,setresgid,setresuid,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,sigaltstack,socket,socketpair,splice,stat,statfs,symlink,sysinfo,tgkill,umask,uname,unlink,unshare,wait4,write,writev

This seems to work well on my Fedora 26 system with an Intel GPU. It's possible that your Debian system needs some more. So if you're running into problems I suggest that you execute

journalctl -e | grep syscall

and

firejail --debug-syscalls | grep XXX

where XXX is the syscall number output from journalctl. It might be necessary to repeat those steps several times. Just add those syscalls to above list.

EDIT: Above list is very long, indeed. However, if you compare it with the default list of syscalls blocked by Firejail using comm -12 you'll find that only the two whitelisted syscalls

get_mempolicy
ptrace

are in the default list. All other syscalls in above list are not blocked by Firejail anyhow - but they have to be added to seccomp.keep nonetheless.

<!-- gh-comment-id:319049940 --> @curiosity-seeker commented on GitHub (Jul 31, 2017): Okay, for whatever reason I ran into problems today, too. Firefox Nightly wouldn't even start. After playing around a while I added this line to the profile: ``` seccomp.keep access,arch_prctl,bind,brk,capget,capset,chmod,clock_getres,clone,close,connect,dup2,epoll_create1,epoll_ctl,epoll_wait,eventfd2,execve,exit,exit_group,fadvise64,fallocate,fchmod,fchown,fcntl,fstat,fstatfs,fsync,ftruncate,futex,getcwd,getdents,getdents64,getegid,geteuid,getgid,get_mempolicy,getpeername,getpgrp,getpid,getppid,getpriority,getrandom,getresgid,getresuid,getrusage,getsockname,getsockopt,gettid,getuid,inotify_add_watch,inotify_init1,ioctl,kill,lseek,lstat,madvise,memfd_create,mkdir,mmap,mprotect,munmap,nanosleep,open,pipe,pipe2,poll,pread64,prlimit64,ptrace,pwrite64,quotactl,read,readahead,readlink,recvfrom,recvmsg,rename,rmdir,rt_sigaction,rt_sigprocmask,rt_sigreturn,sched_getaffinity,sched_yield,seccomp,sendmmsg,sendmsg,sendto,setpriority,setresgid,setresuid,set_robust_list,setsockopt,set_tid_address,shmat,shmctl,shmdt,shmget,shutdown,sigaltstack,socket,socketpair,splice,stat,statfs,symlink,sysinfo,tgkill,umask,uname,unlink,unshare,wait4,write,writev ``` This seems to work well on my Fedora 26 system with an Intel GPU. It's possible that your Debian system needs some more. So if you're running into problems I suggest that you execute `journalctl -e | grep syscall` and `firejail --debug-syscalls | grep XXX` where XXX is the syscall number output from journalctl. It might be necessary to repeat those steps several times. Just add those syscalls to above list. EDIT: Above list is very long, indeed. However, if you compare it with the default list of syscalls blocked by Firejail using `comm -12` you'll find that only the two whitelisted syscalls ``` get_mempolicy ptrace ``` are in the default list. All other syscalls in above list are not blocked by Firejail anyhow - but they have to be added to `seccomp.keep` nonetheless.
gitea-mirror commented 2026-05-05 07:13:40 -06:00
Author
Owner
Copy link

@RalfJung commented on GitHub (Jul 31, 2017):

TBH I think it makes more sense to just not have firejail just not restrict syscalls -- these filters seems very fragile. firejail still uses mount namespaces to isolate all of Firefox from my private files, so this is much more secure than "just" the Firefox sandbox.

<!-- gh-comment-id:319155774 --> @RalfJung commented on GitHub (Jul 31, 2017): TBH I think it makes more sense to just not have firejail just not restrict syscalls -- these filters seems very fragile. firejail still uses mount namespaces to isolate all of Firefox from my private files, so this is much more secure than "just" the Firefox sandbox.
gitea-mirror commented 2026-05-05 07:13:41 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Aug 2, 2017):

I've managed to reproduce it, and I removed get_mempolicy from the default seccomp list. It seems to be able to play youtube videos now. Once they release the version now in nightly, we'll have to test again and see if we can bring back get_mempolicy in the seccomp filter.

<!-- gh-comment-id:319661506 --> @netblue30 commented on GitHub (Aug 2, 2017): I've managed to reproduce it, and I removed get_mempolicy from the default seccomp list. It seems to be able to play youtube videos now. Once they release the version now in nightly, we'll have to test again and see if we can bring back get_mempolicy in the seccomp filter.
gitea-mirror commented 2026-05-05 07:13:43 -06:00
Author
Owner
Copy link

@gcp commented on GitHub (Aug 18, 2017):

FWIW I just landed a fix in for this, and Firefox now blocks get_mempolicy too. Should be in tomorrow's Nightly.

<!-- gh-comment-id:323282510 --> @gcp commented on GitHub (Aug 18, 2017): FWIW I just landed a fix in for this, and Firefox now blocks get_mempolicy too. Should be in tomorrow's Nightly.
gitea-mirror commented 2026-05-05 07:13:44 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Aug 18, 2017):

Thanks, I'll keep an eye on it and bring back get_mempolicy.

<!-- gh-comment-id:323349461 --> @netblue30 commented on GitHub (Aug 18, 2017): Thanks, I'll keep an eye on it and bring back get_mempolicy.
gitea-mirror commented 2026-05-05 07:13:45 -06:00
Author
Owner
Copy link

@hlieberman commented on GitHub (Sep 13, 2017):

For what it's worth, this still seems to be broken on Nightly 57.0a1 (2017-09-13) with firejail 0.9.48. @gcp, if the fix was supposed to work on the Moz side independently, something else is wrong.

<!-- gh-comment-id:329328015 --> @hlieberman commented on GitHub (Sep 13, 2017): For what it's worth, this still seems to be broken on Nightly 57.0a1 (2017-09-13) with firejail 0.9.48. @gcp, if the fix was supposed to work on the Moz side independently, something else is wrong.
gitea-mirror commented 2026-05-05 07:13:46 -06:00
Author
Owner
Copy link

@gcp commented on GitHub (Sep 14, 2017):

I'm not sure what "still" means given that this was confirmed fixed a month ago, or what "broken" means.

<!-- gh-comment-id:329399009 --> @gcp commented on GitHub (Sep 14, 2017): I'm not sure what "still" means given that this was confirmed fixed a month ago, or what "broken" means.
gitea-mirror commented 2026-05-05 07:13:46 -06:00
Author
Owner
Copy link

@curiosity-seeker commented on GitHub (Sep 14, 2017):

I don't have any problems with Nightly since @gcp landed that fix. However, I'm using the Firejail git version.
@hlieberman : You're still using 0.9.48 but 0.9.50 is available. Perhaps that one solves your problem.

<!-- gh-comment-id:329436743 --> @curiosity-seeker commented on GitHub (Sep 14, 2017): I don't have any problems with Nightly since @gcp landed that fix. However, I'm using the Firejail git version. @hlieberman : You're still using 0.9.48 but 0.9.50 is available. Perhaps that one solves your problem.
gitea-mirror commented 2026-05-05 07:13:47 -06:00
Author
Owner
Copy link

@hlieberman commented on GitHub (Sep 15, 2017):

Confirmed; problem goes away in 0.9.50. Thanks!

<!-- gh-comment-id:329912332 --> @hlieberman commented on GitHub (Sep 15, 2017): Confirmed; problem goes away in 0.9.50. Thanks!
gitea-mirror commented 2026-05-05 07:13:50 -06:00
Author
Owner
Copy link

@gcp commented on GitHub (Sep 19, 2017):

if the fix was supposed to work on the Moz side independently, something else is wrong.

The fix on our side was backed out, which is why this requires an updated firejail right now:
https://bugzilla.mozilla.org/show_bug.cgi?id=1384804#c25

I will try to reland the fix on Firefox, but the conclusion is that it seems to be impossible to block get_mempolicy because some versions of libnuma require it even if they can read /prof/.../status

<!-- gh-comment-id:330519902 --> @gcp commented on GitHub (Sep 19, 2017): >if the fix was supposed to work on the Moz side independently, something else is wrong. The fix on our side was backed out, which is why this requires an updated firejail right now: https://bugzilla.mozilla.org/show_bug.cgi?id=1384804#c25 I will try to reland the fix on Firefox, but the conclusion is that it seems to be impossible to block get_mempolicy because some versions of libnuma require it even if they can read /prof/.../status
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#963
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?