General troubleshooting steps
To be written.
Common problems
To be written.
Common problems (historical)
These problems have already been fixed. If you still encounter them on the latest firejail version, please report it as a bug.
Device access on non-systemd systems
Note: This should be fixed as of firejail 0.9.68 (see RELNOTES, #4725 and #4732).
To access devices in /dev on non-systemd systems, your user account must be in a supplementary group,
such as audio. By default, firejail removes all supplementary groups for most programs. This breaks
functions that need device access, such as webcams or raw ALSA, on such systems.
Add
ignore nogroups
ignore noroot
to your globals.local. If you only need the tty and games groups, you can omit ignore noroot.
3D acceleration with NVIDIA hardware
Note: This should be fixed as of firejail 0.9.68 (see RELNOTES, #4725 and #4732).
Users with NVIDIA hardware may need to add ignore nogroups to globals.local, see #3144.
Seccomp
Note: If a program is crashing due to seccomp, please report it as a bug.
The seccomp command is intended to prevent a program from making arbitrary
system calls, other than the ones that it actually needs.
By default, a seccomp violation results in the program being immediately killed
by the kernel (seccomp-error-action kill), likely with no log being produced.
To make debugging easier, it is possible to use the following command:
seccomp-error-action log
This effectively disables the seccomp protection and causes any violation to be
logged to dmesg.
Example
Assume that firefox.profile contains the following line:
seccomp !ptrace
Which means "block all syscalls, except for those in the default syscall group
and the ptrace syscall".
After running the following command:
firejail --seccomp-error-action=log /usr/bin/firefox
The following seccomp violations appear in the audit log:
$ dmesg | grep audit:
[...] audit: [...] exe="/usr/bin/bwrap" sig=0 arch=c000003e syscall=166 compat=0 [...]
[...] audit: [...] exe="/usr/lib/firefox/firefox" sig=0 arch=c000003e syscall=161 compat=0 [...]
Which shows that syscalls 166 and 161 were blocked.
To find out the names of these syscalls:
$ firejail --debug-syscalls | grep -E '161|166'
161 - chroot
166 - umount2
This means that Firefox needs access to the chroot and umount2 syscalls.
So add these to the list (alongside any existing syscalls) in ~/.config/firejail/firefox.local (for example):
seccomp !chroot,!ptrace,!umount2
ignore seccomp
Note: The ignore line above is intended to ignore the seccomp line in
firefox.profile, to prevent it from overriding the one in firefox.local.
Then, keep running Firefox and editing the seccomp line until there are no more new messages in the audit log.
To confirm that the changes work, run the program again, but without
--seccomp-error-action=log and check that there are no crashes:
firejail /usr/bin/firefox
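The lookup and merge steps above can be scripted. The following is an added example, not part of firejail or of the original page: it reads audit records on stdin, maps the syscall numbers to names using a saved table in the "NUMBER - NAME" layout shown above, and merges them with the exceptions already in the profile. The function names, variable names and the duplicate sample record are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of firejail: derive the "seccomp" exception line
# from audit records, automating the manual lookup described above.

# Print the unique syscall numbers found in audit records on stdin.
audit_syscall_numbers() {
    grep 'audit:' | grep -o 'syscall=[0-9][0-9]*' | cut -d= -f2 | sort -n -u
}

# Translate syscall numbers on stdin to names.
# $1: file with "NUMBER - NAME" lines, the format shown above for
#     `firejail --debug-syscalls`. The number field is compared exactly,
#     not as a substring; numbers missing from the table go to stderr.
syscall_names() {
    awk -v table="$1" '
        BEGIN { while ((getline l < table) > 0) { split(l, f); name[f[1]] = f[3] } }
        ($1 in name) { print name[$1]; next }
        { print "unknown syscall number: " $1 > "/dev/stderr" }'
}

# Print the merged line for a .local file; audit records come from stdin.
# $1: syscall table file
# $2: comma-separated syscalls already excepted in the profile (may be empty)
seccomp_line() {
    names=$( { audit_syscall_numbers | syscall_names "$1"
               printf '%s\n' "$2" | tr ',' '\n'
             } | sed 's/^!//' | grep -v '^$' | sort -u | sed 's/^/!/' | paste -sd, -)
    if [ -n "$names" ]; then printf 'seccomp %s\n' "$names"; fi
}

# Sample input: the two records from the excerpt above plus a constructed
# duplicate, and the two table entries shown above.
SAMPLE_AUDIT='[...] audit: [...] exe="/usr/bin/bwrap" sig=0 arch=c000003e syscall=166 compat=0 [...]
[...] audit: [...] exe="/usr/lib/firefox/firefox" sig=0 arch=c000003e syscall=161 compat=0 [...]
[...] audit: [...] exe="/usr/lib/firefox/firefox" sig=0 arch=c000003e syscall=161 compat=0 [...]'
SAMPLE_TABLE='161 - chroot
166 - umount2'

demo_table=$(mktemp)
printf '%s\n' "$SAMPLE_TABLE" > "$demo_table"
printf '%s\n' "$SAMPLE_AUDIT" | seccomp_line "$demo_table" 'ptrace'
rm -f "$demo_table"
```

For real use, save the output of firejail --debug-syscalls to a file on the same machine and pipe dmesg into seccomp_line with that file and the syscalls already excepted in the profile. Syscall numbers differ between architectures, so a table taken from another architecture will give wrong names.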