Firefox 64.0 is using 100% CPU when downloading files via the built-in mechanism. To reproduce:
firejail /usr/bin/firefox
Then go to https://www.kernel.org/ or to some other source of big files and simultaneously download as many files as you have CPU cores. Open top or htop and see that Firefox is eating all your cores.
For me downloading on 4 cores without firejail takes about 30% of CPU but with firejail it takes 370%.
Of course it doesn't happen when not paired with firejail. It also works correctly with the --noprofile option.
[mk@linux ~]$ firejail --version
firejail version 0.9.56
Compile time support:
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- networking support is enabled
- overlayfs support is enabled
- private-home support is enabled
- seccomp-bpf support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
I also tested with /etc/firejail/firefox.local removed but there was no difference.
[mk@linux ~]$ firejail --debug /usr/bin/firefox
Autoselecting /bin/bash as shell
Building quoted command line: '/usr/bin/firefox'
Command name #firefox#
Found firefox profile in /etc/firejail directory
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.local
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
DISPLAY=:0.0 parsed as 0
Using the local network stack
Parent pid 11262, child pid 11263
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /usr/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null)
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 100, nogroups 1
No supplementary groups
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/mk/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
mounting /run/firejail/mnt/dev/hidraw0 file
mounting /run/firejail/mnt/dev/hidraw1 file
mounting /run/firejail/mnt/dev/usb directory
Process /dev/shm directory
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Disable /mnt
Disable /media
Disable /run/mount
Directory ${DOWNLOADS} resolved as Pobrane
Debug 405: new_name #/home/mk/Pobrane#, whitelist
Debug 505: fname #/home/mk/Pobrane#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/Pobrane
Debug 405: new_name #/home/mk/Downloads#, whitelist
Debug 505: fname #/home/mk/Downloads#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/Downloads
Debug 405: new_name #/home/mk/.cache/mozilla/firefox#, whitelist
Debug 505: fname #/home/mk/.cache/mozilla/firefox#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.cache/mozilla/firefox
Debug 405: new_name #/home/mk/.mozilla#, whitelist
Debug 505: fname #/home/mk/.mozilla#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.mozilla
Directory ${DOWNLOADS} resolved as Pobrane
Debug 405: new_name #/home/mk/Pobrane#, whitelist
Debug 505: fname #/home/mk/Pobrane#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/Pobrane
Debug 405: new_name #/home/mk/.pki#, whitelist
Debug 505: fname #/home/mk/.pki#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.pki
Debug 405: new_name #/home/mk/.XCompose#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.XCompose
expanded: /home/mk/.XCompose
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.asoundrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.asoundrc
expanded: /home/mk/.asoundrc
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/ibus#, whitelist
Debug 505: fname #/home/mk/.config/ibus#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/ibus
Debug 405: new_name #/home/mk/.config/mimeapps.list#, whitelist
Debug 505: fname #/home/mk/.config/mimeapps.list#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/mimeapps.list
Debug 405: new_name #/home/mk/.config/pkcs11#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/pkcs11
expanded: /home/mk/.config/pkcs11
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/user-dirs.dirs#, whitelist
Debug 505: fname #/home/mk/.config/user-dirs.dirs#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/user-dirs.dirs
Debug 405: new_name #/home/mk/.drirc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.drirc
expanded: /home/mk/.drirc
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.icons
expanded: /home/mk/.icons
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.local/share/applications#, whitelist
Debug 505: fname #/home/mk/.local/share/applications#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.local/share/applications
Debug 405: new_name #/home/mk/.local/share/icons#, whitelist
Debug 505: fname #/home/mk/.local/share/icons#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.local/share/icons
Debug 405: new_name #/home/mk/.local/share/mime#, whitelist
Debug 505: fname #/home/mk/.local/share/mime#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.local/share/mime
Debug 405: new_name #/home/mk/.mime.types#, whitelist
Debug 505: fname #/home/mk/.mime.types#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.mime.types
Debug 405: new_name #/home/mk/.cache/fontconfig#, whitelist
Debug 505: fname #/home/mk/.cache/fontconfig#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.cache/fontconfig
Debug 405: new_name #/home/mk/.config/fontconfig#, whitelist
Debug 505: fname #/home/mk/.config/fontconfig#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/fontconfig
Debug 405: new_name #/home/mk/.fontconfig#, whitelist
Debug 505: fname #/home/mk/.fontconfig#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.fontconfig
Debug 405: new_name #/home/mk/.fonts#, whitelist
Debug 505: fname #/home/mk/.fonts#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.fonts
Debug 405: new_name #/home/mk/.fonts.conf#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf
expanded: /home/mk/.fonts.conf
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.fonts.conf.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf.d
expanded: /home/mk/.fonts.conf.d
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.fonts.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.d
expanded: /home/mk/.fonts.d
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.local/share/fonts#, whitelist
Debug 505: fname #/home/mk/.local/share/fonts#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.local/share/fonts
Debug 405: new_name #/home/mk/.pangorc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.pangorc
expanded: /home/mk/.pangorc
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/gtk-2.0#, whitelist
Debug 505: fname #/home/mk/.config/gtk-2.0#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/gtk-2.0
Debug 405: new_name #/home/mk/.config/gtk-3.0#, whitelist
Debug 505: fname #/home/mk/.config/gtk-3.0#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/gtk-3.0
Debug 405: new_name #/home/mk/.config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc
expanded: /home/mk/.config/gtkrc
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc-2.0
expanded: /home/mk/.config/gtkrc-2.0
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.gnome2#, whitelist
Debug 505: fname #/home/mk/.gnome2#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.gnome2
Debug 405: new_name #/home/mk/.gnome2-private#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2-private
expanded: /home/mk/.gnome2-private
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.gtk-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtk-2.0
expanded: /home/mk/.gtk-2.0
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc
expanded: /home/mk/.gtkrc
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc-2.0
expanded: /home/mk/.gtkrc-2.0
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc
expanded: /home/mk/.kde/share/config/gtkrc
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc-2.0
expanded: /home/mk/.kde/share/config/gtkrc-2.0
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc
expanded: /home/mk/.kde4/share/config/gtkrc
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
expanded: /home/mk/.kde4/share/config/gtkrc-2.0
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.local/share/themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/themes
expanded: /home/mk/.local/share/themes
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.themes#, whitelist
Debug 505: fname #/home/mk/.themes#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.themes
Debug 405: new_name #/home/mk/.config/dconf#, whitelist
Debug 505: fname #/home/mk/.config/dconf#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/dconf
Debug 405: new_name #/home/mk/.config/Kvantum#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Kvantum
expanded: /home/mk/.config/Kvantum
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/Trolltech.conf#, whitelist
Debug 505: fname #/home/mk/.config/Trolltech.conf#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/Trolltech.conf
Debug 405: new_name #/home/mk/.config/kdeglobals#, whitelist
Debug 505: fname #/home/mk/.config/kdeglobals#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/kdeglobals
Debug 405: new_name #/home/mk/.config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kio_httprc
expanded: /home/mk/.config/kio_httprc
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/kioslaverc#, whitelist
Debug 505: fname #/home/mk/.config/kioslaverc#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/kioslaverc
Debug 405: new_name #/home/mk/.config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ksslcablacklist
expanded: /home/mk/.config/ksslcablacklist
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/qt5ct#, whitelist
Debug 505: fname #/home/mk/.config/qt5ct#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/qt5ct
Debug 405: new_name #/home/mk/.kde/share/config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kdeglobals
expanded: /home/mk/.kde/share/config/kdeglobals
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kio_httprc
expanded: /home/mk/.kde/share/config/kio_httprc
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kioslaverc
expanded: /home/mk/.kde/share/config/kioslaverc
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/ksslcablacklist
expanded: /home/mk/.kde/share/config/ksslcablacklist
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/oxygenrc
expanded: /home/mk/.kde/share/config/oxygenrc
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/icons
expanded: /home/mk/.kde/share/icons
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/config/kdeglobals#, whitelist
Debug 505: fname #/home/mk/.kde4/share/config/kdeglobals#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.kde4/share/config/kdeglobals
Debug 405: new_name #/home/mk/.kde4/share/config/kio_httprc#, whitelist
Debug 505: fname #/home/mk/.kde4/share/config/kio_httprc#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.kde4/share/config/kio_httprc
Debug 405: new_name #/home/mk/.kde4/share/config/kioslaverc#, whitelist
Debug 505: fname #/home/mk/.kde4/share/config/kioslaverc#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.kde4/share/config/kioslaverc
Debug 405: new_name #/home/mk/.kde4/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/ksslcablacklist
expanded: /home/mk/.kde4/share/config/ksslcablacklist
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/oxygenrc
expanded: /home/mk/.kde4/share/config/oxygenrc
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/icons
expanded: /home/mk/.kde4/share/icons
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.local/share/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/qt5ct
expanded: /home/mk/.local/share/qt5ct
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/home/mk/.cache/kioexec/krun#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/kioexec/krun
expanded: /home/mk/.cache/kioexec/krun
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/var/lib/dbus#, whitelist
Debug 405: new_name #/var/lib/menu-xdg#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg
expanded: /var/lib/menu-xdg
real path: (null)
realpath: No such file or directory
Debug 405: new_name #/var/cache/fontconfig#, whitelist
Debug 405: new_name #/var/tmp#, whitelist
Debug 405: new_name #/var/run#, whitelist
Replaced whitelist path: whitelist /run
Debug 405: new_name #/var/lock#, whitelist
Replaced whitelist path: whitelist /run/lock
Drop privileges: pid 3, uid 1000, gid 100, nogroups 0
Supplementary groups: 50
Mounting a new /home directory
Mounting a new /root directory
Create a new user directory
Drop privileges: pid 4, uid 1000, gid 100, nogroups 0
Supplementary groups: 50
Drop privileges: pid 5, uid 1000, gid 100, nogroups 0
Supplementary groups: 50
Mounting tmpfs on /var directory
Whitelisting /home/mk/Pobrane
634 627 8:3 /mk/Pobrane /home/mk/Pobrane rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/Pobrane dir=/home/mk/Pobrane fstype=ext4
Whitelisting /home/mk/Downloads
635 627 8:3 /mk/Downloads /home/mk/Downloads rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/Downloads dir=/home/mk/Downloads fstype=ext4
Whitelisting /home/mk/.cache/mozilla/firefox
636 627 0:46 /mozilla/firefox /home/mk/.cache/mozilla/firefox rw,nosuid,nodev,relatime master:69 - tmpfs tmpfs rw,size=102400k
fsname=/mozilla/firefox dir=/home/mk/.cache/mozilla/firefox fstype=tmpfs
Whitelisting /home/mk/.mozilla
637 627 8:3 /mk/.mozilla /home/mk/.mozilla rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.mozilla dir=/home/mk/.mozilla fstype=ext4
Whitelisting /home/mk/Pobrane
638 634 8:3 /mk/Pobrane /home/mk/Pobrane rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/Pobrane dir=/home/mk/Pobrane fstype=ext4
Whitelisting /home/mk/.pki
639 627 8:3 /mk/.pki /home/mk/.pki rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.pki dir=/home/mk/.pki fstype=ext4
Whitelisting /home/mk/.config/ibus
640 627 8:3 /mk/.config/ibus /home/mk/.config/ibus rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/ibus dir=/home/mk/.config/ibus fstype=ext4
Whitelisting /home/mk/.config/mimeapps.list
641 627 8:3 /mk/.config/mimeapps.list /home/mk/.config/mimeapps.list rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/mimeapps.list dir=/home/mk/.config/mimeapps.list fstype=ext4
Whitelisting /home/mk/.config/user-dirs.dirs
642 627 8:3 /mk/.config/user-dirs.dirs /home/mk/.config/user-dirs.dirs rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/user-dirs.dirs dir=/home/mk/.config/user-dirs.dirs fstype=ext4
Whitelisting /home/mk/.local/share/applications
643 627 8:3 /mk/.local/share/applications /home/mk/.local/share/applications rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.local/share/applications dir=/home/mk/.local/share/applications fstype=ext4
Whitelisting /home/mk/.local/share/icons
644 627 8:3 /mk/.local/share/icons /home/mk/.local/share/icons rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.local/share/icons dir=/home/mk/.local/share/icons fstype=ext4
Whitelisting /home/mk/.local/share/mime
645 627 8:3 /mk/.local/share/mime /home/mk/.local/share/mime rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.local/share/mime dir=/home/mk/.local/share/mime fstype=ext4
Whitelisting /home/mk/.mime.types
646 627 8:3 /mk/.mime.types /home/mk/.mime.types rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.mime.types dir=/home/mk/.mime.types fstype=ext4
Whitelisting /home/mk/.cache/fontconfig
647 627 0:46 /fontconfig /home/mk/.cache/fontconfig rw,nosuid,nodev,relatime master:69 - tmpfs tmpfs rw,size=102400k
fsname=/fontconfig dir=/home/mk/.cache/fontconfig fstype=tmpfs
Whitelisting /home/mk/.config/fontconfig
648 627 8:3 /mk/.config/fontconfig /home/mk/.config/fontconfig rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/fontconfig dir=/home/mk/.config/fontconfig fstype=ext4
Whitelisting /home/mk/.fontconfig
649 627 8:3 /mk/.fontconfig /home/mk/.fontconfig rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.fontconfig dir=/home/mk/.fontconfig fstype=ext4
Whitelisting /home/mk/.fonts
650 627 8:3 /mk/.fonts /home/mk/.fonts rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.fonts dir=/home/mk/.fonts fstype=ext4
Whitelisting /home/mk/.local/share/fonts
651 627 8:3 /mk/.local/share/fonts /home/mk/.local/share/fonts rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.local/share/fonts dir=/home/mk/.local/share/fonts fstype=ext4
Whitelisting /home/mk/.config/gtk-2.0
652 627 8:3 /mk/.config/gtk-2.0 /home/mk/.config/gtk-2.0 rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/gtk-2.0 dir=/home/mk/.config/gtk-2.0 fstype=ext4
Whitelisting /home/mk/.config/gtk-3.0
653 627 8:3 /mk/.config/gtk-3.0 /home/mk/.config/gtk-3.0 rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/gtk-3.0 dir=/home/mk/.config/gtk-3.0 fstype=ext4
Whitelisting /home/mk/.gnome2
654 627 8:3 /mk/.gnome2 /home/mk/.gnome2 rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.gnome2 dir=/home/mk/.gnome2 fstype=ext4
Whitelisting /home/mk/.themes
655 627 8:3 /mk/.themes /home/mk/.themes rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.themes dir=/home/mk/.themes fstype=ext4
Whitelisting /home/mk/.config/dconf
656 627 8:3 /mk/.config/dconf /home/mk/.config/dconf rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/dconf dir=/home/mk/.config/dconf fstype=ext4
Whitelisting /home/mk/.config/Trolltech.conf
657 627 8:3 /mk/.config/Trolltech.conf /home/mk/.config/Trolltech.conf rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/Trolltech.conf dir=/home/mk/.config/Trolltech.conf fstype=ext4
Whitelisting /home/mk/.config/kdeglobals
658 627 8:3 /mk/.config/kdeglobals /home/mk/.config/kdeglobals rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/kdeglobals dir=/home/mk/.config/kdeglobals fstype=ext4
Whitelisting /home/mk/.config/kioslaverc
659 627 8:3 /mk/.config/kioslaverc /home/mk/.config/kioslaverc rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/kioslaverc dir=/home/mk/.config/kioslaverc fstype=ext4
Whitelisting /home/mk/.config/qt5ct
660 627 8:3 /mk/.config/qt5ct /home/mk/.config/qt5ct rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/qt5ct dir=/home/mk/.config/qt5ct fstype=ext4
Whitelisting /home/mk/.kde4/share/config/kdeglobals
661 627 8:3 /mk/.kde4/share/config/kdeglobals /home/mk/.kde4/share/config/kdeglobals rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.kde4/share/config/kdeglobals dir=/home/mk/.kde4/share/config/kdeglobals fstype=ext4
Whitelisting /home/mk/.kde4/share/config/kio_httprc
662 627 8:3 /mk/.kde4/share/config/kio_httprc /home/mk/.kde4/share/config/kio_httprc rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.kde4/share/config/kio_httprc dir=/home/mk/.kde4/share/config/kio_httprc fstype=ext4
Whitelisting /home/mk/.kde4/share/config/kioslaverc
663 627 8:3 /mk/.kde4/share/config/kioslaverc /home/mk/.kde4/share/config/kioslaverc rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.kde4/share/config/kioslaverc dir=/home/mk/.kde4/share/config/kioslaverc fstype=ext4
Whitelisting /var/lib/dbus
664 633 8:2 /lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,noatime master:63 - ext4 /dev/sda2 rw
fsname=/lib/dbus dir=/var/lib/dbus fstype=ext4
Whitelisting /var/cache/fontconfig
665 633 8:2 /cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,noatime master:63 - ext4 /dev/sda2 rw
fsname=/cache/fontconfig dir=/var/cache/fontconfig fstype=ext4
Whitelisting /var/tmp
666 633 0:70 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw
fsname=/ dir=/var/tmp fstype=tmpfs
Created symbolic link /var/run -> /run
Created symbolic link /var/lock -> /run/lock
Directory ${DOWNLOADS} resolved as Pobrane
Mounting noexec /home/mk/Pobrane
Mounting noexec /home/mk/Downloads
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Mounting read-only /home/mk/.Xauthority
Mounting read-only /home/mk/.config/kdeglobals
Mounting read-only /home/mk/.config/kioslaverc
Mounting read-only /home/mk/.kde4/share/config/kdeglobals
Mounting read-only /home/mk/.kde4/share/config/kio_httprc
Mounting read-only /home/mk/.kde4/share/config/kioslaverc
Disable /etc/anacrontab
Disable /etc/cron.daily
Disable /etc/cron.hourly
Disable /etc/cron.weekly
Disable /etc/cron.monthly
Disable /etc/cron.d
Disable /etc/cron.deny
Disable /etc/profile.d
Disable /etc/kernel
Disable /etc/grub.d
Disable /etc/modules-load.d
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Mounting read-only /home/mk/.bashrc
Mounting read-only /home/mk/.local/share/applications
Not blacklist /home/mk/.pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Warning: /sbin directory link was not blacklisted
Disable /usr/local/sbin
Warning: /usr/sbin directory link was not blacklisted
Disable /usr/bin/chage
Disable /usr/bin/chfn
Disable /usr/bin/chsh
Disable /usr/bin/crontab
Disable /usr/bin/expiry
Disable /usr/bin/fusermount
Disable /usr/bin/gpasswd
Disable /usr/bin/ksu
Disable /usr/bin/mount
Disable /usr/bin/ncat
Disable /usr/bin/newgidmap
Disable /usr/bin/newgrp
Disable /usr/bin/newuidmap
Disable /usr/bin/ntfs-3g
Disable /usr/bin/pkexec
Disable /usr/bin/procmail
Disable /usr/bin/sg
Disable /usr/bin/strace
Disable /usr/bin/su
Disable /usr/bin/sudo
Disable /usr/bin/umount
Disable /usr/bin/unix_chkpwd
Disable /usr/bin/xev
Disable /usr/bin/xinput
Disable /usr/bin/xfce4-terminal
Mounting noexec /tmp/.X11-unix
Disable /usr/bin/bwrap
Disable /usr/bin/as
Disable /usr/bin/gcc (requested /usr/bin/cc)
Disable /usr/bin/c++filt
Disable /usr/bin/c++
Disable /usr/bin/c89
Disable /usr/bin/c99
Disable /usr/bin/cpp
Disable /usr/bin/cpp2html
Disable /usr/bin/g++
Disable /usr/bin/gcc
Disable /usr/bin/gcc-ranlib
Disable /usr/bin/gcc-nm
Disable /usr/bin/gcc-ar
Disable /usr/bin/gccmakedep
Disable /usr/bin/ld
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ranlib
Disable /usr/bin/x86_64-pc-linux-gnu-gcc
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-8.2.1
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-nm
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ar
Disable /usr/bin/x86_64-pc-linux-gnu-g++
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ranlib
Disable /usr/bin/x86_64-pc-linux-gnu-gcc
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-8.2.1
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-nm
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ar
Disable /usr/bin/x86_64-pc-linux-gnu-g++
Disable /usr/include
Disable /usr/bin/clang-format
Disable /usr/bin/clang-include-fixer
Disable /usr/bin/clang-apply-replacements
Disable /usr/bin/clang-offload-bundler
Disable /usr/bin/clangd
Disable /usr/bin/clang-refactor
Disable /usr/bin/clang-reorder-fields
Disable /usr/bin/clang-7 (requested /usr/bin/clang)
Disable /usr/bin/clang-import-test
Disable /usr/bin/clang-func-mapping
Disable /usr/bin/clang-query
Disable /usr/bin/clang-7
Disable /usr/bin/clang-check
Disable /usr/bin/clang-tidy
Disable /usr/bin/clang-7 (requested /usr/bin/clang-cpp)
Disable /usr/bin/clang-7 (requested /usr/bin/clang++)
Disable /usr/bin/clang-rename
Disable /usr/bin/clang-change-namespace
Disable /usr/bin/clang-7 (requested /usr/bin/clang-cl)
Disable /usr/bin/llvm-tblgen
Disable /usr/bin/llvm-undname
Disable /usr/bin/llvm-cxxdump
Disable /usr/bin/llvm-c-test
Disable /usr/bin/llvm-nm
Disable /usr/bin/llvm-pdbutil
Disable /usr/bin/llvm-rtdyld
Disable /usr/bin/llvm-mca
Disable /usr/bin/llvm-ar (requested /usr/bin/llvm-dlltool)
Disable /usr/bin/llvm-cat
Disable /usr/bin/llvm-strings
Disable /usr/bin/llvm-stress
Disable /usr/bin/llvm-objcopy (requested /usr/bin/llvm-strip)
Disable /usr/bin/llvm-objcopy
Disable /usr/bin/llvm-dwarfdump
Disable /usr/bin/llvm-PerfectShuffle
Disable /usr/bin/llvm-exegesis
Disable /usr/bin/llvm-extract
Disable /usr/bin/llvm-size
Disable /usr/bin/llvm-ar
Disable /usr/bin/llvm-bcanalyzer
Disable /usr/bin/llvm-config
Disable /usr/bin/llvm-split
Disable /usr/bin/llvm-mc
Disable /usr/bin/llvm-diff
Disable /usr/bin/llvm-profdata
Disable /usr/bin/llvm-objdump
Disable /usr/bin/llvm-opt-report
Disable /usr/bin/llvm-rc
Disable /usr/bin/llvm-cfi-verify
Disable /usr/bin/llvm-ar (requested /usr/bin/llvm-lib)
Disable /usr/bin/llvm-mt
Disable /usr/bin/llvm-readobj (requested /usr/bin/llvm-readelf)
Disable /usr/bin/llvm-lto
Disable /usr/bin/llvm-symbolizer
Disable /usr/bin/llvm-link
Disable /usr/bin/llvm-cvtres
Disable /usr/bin/llvm-dwp
Disable /usr/bin/llvm-lto2
Disable /usr/bin/llvm-as
Disable /usr/bin/llvm-xray
Disable /usr/bin/llvm-readobj
Disable /usr/bin/llvm-ar (requested /usr/bin/llvm-ranlib)
Disable /usr/bin/llvm-dis
Disable /usr/bin/llvm-cov
Disable /usr/bin/llvm-cxxfilt
Disable /usr/bin/llvm-modextract
Disable /usr/lib/jvm/java-8-openjdk/jre/bin/java (requested /usr/bin/java)
Disable /usr/lib/jvm/java-8-openjdk/jre/bin/java (requested /usr/lib/jvm/default/bin/java)
Disable /usr/share/java
Disable /usr/bin/rust-gdb
Disable /usr/bin/rust-lldb
Disable /usr/bin/rustc
Disable /usr/bin/openssl
Disable /usr/bin/openssl-1.0
Disable /usr/bin/luac5.2
Disable /usr/bin/lua
Disable /usr/bin/lua (requested /usr/bin/lua5.3)
Disable /usr/bin/luac5.1
Disable /usr/bin/luac (requested /usr/bin/luac5.3)
Disable /usr/bin/lua5.2
Disable /usr/bin/luac
Disable /usr/bin/lua5.1
Disable /usr/lib/lua
Disable /usr/bin/core_perl/cpan
Disable /usr/bin/core_perl
Disable /usr/bin/perl
Disable /usr/lib/perl5
Disable /usr/share/perl-image-exiftool
Disable /usr/share/perl5
Disable /usr/bin/ruby
Disable /usr/lib/ruby
Disable /usr/bin/python2.7 (requested /usr/bin/python2)
Disable /usr/bin/python2.7-config (requested /usr/bin/python2-config)
Disable /usr/bin/python2-pylupdate5
Disable /usr/bin/python2-pyrcc5
Disable /usr/bin/python2.7-config
Disable /usr/bin/python2-pyuic5
Disable /usr/bin/python2.7
Disable /usr/lib/python2.6
Disable /usr/lib/python2.7
Disable /usr/bin/python3.7m-config (requested /usr/bin/python3.7-config)
Disable /usr/bin/python3.7 (requested /usr/bin/python3)
Disable /usr/bin/python3.7m-config (requested /usr/bin/python3-config)
Disable /usr/bin/python3.7m
Disable /usr/bin/python3.7m-config
Disable /usr/bin/python3.7
Disable /usr/lib/python3.6
Disable /usr/lib/python3.7
Not blacklist /home/mk/.mozilla
Disable /tmp/ssh-ZaxvlS8w0ta9
Not blacklist /home/mk/.cache/mozilla
Mounting read-only /home/mk/.config/user-dirs.dirs
Mounting read-only /home/mk/.local/share/applications
Mounting noexec /home/mk
Mounting noexec /tmp
Disable /sys/fs
Disable /sys/module
Drop privileges: pid 6, uid 1000, gid 100, nogroups 0
Supplementary groups: 50
873 627 0:68 /pulse /home/mk/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
fsname=/pulse dir=/home/mk/.config/pulse fstype=tmpfs
blacklist /dev/dvb
blacklist /dev/sr0
Create the new ld.so.preload file
Post-exec seccomp protector enabled
Mount the new ld.so.preload file
Current directory: /home/mk
DISPLAY=:0.0 parsed as 0
Dropping all capabilities
Install protocol filter: unix,inet,inet6,netlink
configuring 16 seccomp entries in /run/firejail/mnt/seccomp.protocol
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp.protocol (null)
Dropping all capabilities
Drop privileges: pid 7, uid 1000, gid 100, nogroups 1
No supplementary groups
line OP JT JF K
=================================
0000: 20 00 00 00000004 ld data.architecture
0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
0002: 06 00 00 7fff0000 ret ALLOW
0003: 20 00 00 00000000 ld data.syscall-number
0004: 15 01 00 00000029 jeq socket 0006 (false 0005)
0005: 06 00 00 7fff0000 ret ALLOW
0006: 20 00 00 00000010 ld data.args[0]
0007: 15 00 01 00000001 jeq 1 0008 (false 0009)
0008: 06 00 00 7fff0000 ret ALLOW
0009: 15 00 01 00000002 jeq 2 000a (false 000b)
000a: 06 00 00 7fff0000 ret ALLOW
000b: 15 00 01 0000000a jeq a 000c (false 000d)
000c: 06 00 00 7fff0000 ret ALLOW
000d: 15 00 01 00000010 jeq 10 000e (false 000f)
000e: 06 00 00 7fff0000 ret ALLOW
000f: 06 00 00 0005005f ret ERRNO(95)
Build drop seccomp filter
sbox run: /usr/lib/firejail/fseccomp drop /run/firejail/mnt/seccomp /run/firejail/mnt/seccomp.postexec @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice (null)
Dropping all capabilities
Drop privileges: pid 8, uid 1000, gid 100, nogroups 1
No supplementary groups
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
sbox run: /usr/lib/firejail/fsec-optimize /run/firejail/mnt/seccomp (null)
Dropping all capabilities
Drop privileges: pid 9, uid 1000, gid 100, nogroups 1
No supplementary groups
configuring 73 seccomp entries in /run/firejail/mnt/seccomp
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp (null)
Dropping all capabilities
Drop privileges: pid 10, uid 1000, gid 100, nogroups 1
No supplementary groups
line OP JT JF K
=================================
0000: 20 00 00 00000004 ld data.architecture
0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
0002: 06 00 00 7fff0000 ret ALLOW
0003: 20 00 00 00000000 ld data.syscall-number
0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005)
0005: 35 01 00 00000000 jge read 0007 (false 0006)
0006: 06 00 00 00050001 ret ERRNO(1)
0007: 15 40 00 0000009f jeq adjtimex 0048 (false 0008)
0008: 15 3f 00 00000131 jeq clock_adjtime 0048 (false 0009)
0009: 15 3e 00 000000e3 jeq clock_settime 0048 (false 000a)
000a: 15 3d 00 000000a4 jeq settimeofday 0048 (false 000b)
000b: 15 3c 00 0000009a jeq modify_ldt 0048 (false 000c)
000c: 15 3b 00 000000d4 jeq lookup_dcookie 0048 (false 000d)
000d: 15 3a 00 0000012a jeq perf_event_open 0048 (false 000e)
000e: 15 39 00 00000137 jeq process_vm_writev 0048 (false 000f)
000f: 15 38 00 000000b0 jeq delete_module 0048 (false 0010)
0010: 15 37 00 00000139 jeq finit_module 0048 (false 0011)
0011: 15 36 00 000000af jeq init_module 0048 (false 0012)
0012: 15 35 00 0000009c jeq _sysctl 0048 (false 0013)
0013: 15 34 00 000000b7 jeq afs_syscall 0048 (false 0014)
0014: 15 33 00 000000ae jeq create_module 0048 (false 0015)
0015: 15 32 00 000000b1 jeq get_kernel_syms 0048 (false 0016)
0016: 15 31 00 000000b5 jeq getpmsg 0048 (false 0017)
0017: 15 30 00 000000b6 jeq putpmsg 0048 (false 0018)
0018: 15 2f 00 000000b2 jeq query_module 0048 (false 0019)
0019: 15 2e 00 000000b9 jeq security 0048 (false 001a)
001a: 15 2d 00 0000008b jeq sysfs 0048 (false 001b)
001b: 15 2c 00 000000b8 jeq tuxcall 0048 (false 001c)
001c: 15 2b 00 00000086 jeq uselib 0048 (false 001d)
001d: 15 2a 00 00000088 jeq ustat 0048 (false 001e)
001e: 15 29 00 000000ec jeq vserver 0048 (false 001f)
001f: 15 28 00 000000ad jeq ioperm 0048 (false 0020)
0020: 15 27 00 000000ac jeq iopl 0048 (false 0021)
0021: 15 26 00 000000f6 jeq kexec_load 0048 (false 0022)
0022: 15 25 00 00000140 jeq kexec_file_load 0048 (false 0023)
0023: 15 24 00 000000a9 jeq reboot 0048 (false 0024)
0024: 15 23 00 000000ee jeq set_mempolicy 0048 (false 0025)
0025: 15 22 00 00000100 jeq migrate_pages 0048 (false 0026)
0026: 15 21 00 00000117 jeq move_pages 0048 (false 0027)
0027: 15 20 00 000000ed jeq mbind 0048 (false 0028)
0028: 15 1f 00 000000a7 jeq swapon 0048 (false 0029)
0029: 15 1e 00 000000a8 jeq swapoff 0048 (false 002a)
002a: 15 1d 00 000000a3 jeq acct 0048 (false 002b)
002b: 15 1c 00 000000f8 jeq add_key 0048 (false 002c)
002c: 15 1b 00 00000141 jeq bpf 0048 (false 002d)
002d: 15 1a 00 0000012c jeq fanotify_init 0048 (false 002e)
002e: 15 19 00 000000d2 jeq io_cancel 0048 (false 002f)
002f: 15 18 00 000000cf jeq io_destroy 0048 (false 0030)
0030: 15 17 00 000000d0 jeq io_getevents 0048 (false 0031)
0031: 15 16 00 000000ce jeq io_setup 0048 (false 0032)
0032: 15 15 00 000000d1 jeq io_submit 0048 (false 0033)
0033: 15 14 00 000000fb jeq ioprio_set 0048 (false 0034)
0034: 15 13 00 00000138 jeq kcmp 0048 (false 0035)
0035: 15 12 00 000000fa jeq keyctl 0048 (false 0036)
0036: 15 11 00 000000a5 jeq mount 0048 (false 0037)
0037: 15 10 00 0000012f jeq name_to_handle_at 0048 (false 0038)
0038: 15 0f 00 000000b4 jeq nfsservctl 0048 (false 0039)
0039: 15 0e 00 00000130 jeq open_by_handle_at 0048 (false 003a)
003a: 15 0d 00 00000087 jeq personality 0048 (false 003b)
003b: 15 0c 00 0000009b jeq pivot_root 0048 (false 003c)
003c: 15 0b 00 00000136 jeq process_vm_readv 0048 (false 003d)
003d: 15 0a 00 00000065 jeq ptrace 0048 (false 003e)
003e: 15 09 00 000000d8 jeq remap_file_pages 0048 (false 003f)
003f: 15 08 00 000000f9 jeq request_key 0048 (false 0040)
0040: 15 07 00 000000ab jeq setdomainname 0048 (false 0041)
0041: 15 06 00 000000aa jeq sethostname 0048 (false 0042)
0042: 15 05 00 00000067 jeq syslog 0048 (false 0043)
0043: 15 04 00 000000a6 jeq umount2 0048 (false 0044)
0044: 15 03 00 00000143 jeq userfaultfd 0048 (false 0045)
0045: 15 02 00 00000099 jeq vhangup 0048 (false 0046)
0046: 15 01 00 00000116 jeq vmsplice 0048 (false 0047)
0047: 06 00 00 7fff0000 ret ALLOW
0048: 06 00 00 00000000 ret KILL
seccomp filter configured
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/firefox
Child process initialized in 152.33 ms
Installing /run/firejail/mnt/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp.protocol seccomp filter
monitoring pid 11
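The protocol filter printed in the debug log above can be read by replaying it. This is an added example, not part of the original report or of firejail's code: it parses the 16 fsec-print lines for `seccomp.protocol` and interprets them for a given `socket()` address family. The function names are illustrative, and the interpreter handles only the opcodes that appear in this dump.

```python
import re
# Verbatim fsec-print dump of /run/firejail/mnt/seccomp.protocol from the log above.
DUMP = """\
0000: 20 00 00 00000004 ld data.architecture
0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
0002: 06 00 00 7fff0000 ret ALLOW
0003: 20 00 00 00000000 ld data.syscall-number
0004: 15 01 00 00000029 jeq socket 0006 (false 0005)
0005: 06 00 00 7fff0000 ret ALLOW
0006: 20 00 00 00000010 ld data.args[0]
0007: 15 00 01 00000001 jeq 1 0008 (false 0009)
0008: 06 00 00 7fff0000 ret ALLOW
0009: 15 00 01 00000002 jeq 2 000a (false 000b)
000a: 06 00 00 7fff0000 ret ALLOW
000b: 15 00 01 0000000a jeq a 000c (false 000d)
000c: 06 00 00 7fff0000 ret ALLOW
000d: 15 00 01 00000010 jeq 10 000e (false 000f)
000e: 06 00 00 7fff0000 ret ALLOW
000f: 06 00 00 0005005f ret ERRNO(95)
"""
ALLOW, ERRNO, X86_64 = 0x7FFF0000, 0x00050000, 0xC000003E  # SECCOMP_RET_*, AUDIT_ARCH_X86_64
INSN = re.compile(r"[0-9a-f]{4}: ([0-9a-f]{2}) ([0-9a-f]{2}) ([0-9a-f]{2}) ([0-9a-f]{8})")

def parse(dump):  # fsec-print lines -> (opcode, jt, jf, k) tuples
    return [tuple(int(f, 16) for f in m.groups())
            for m in map(INSN.match, dump.splitlines()) if m]

def run(prog, nr, arg0=0, arch=X86_64):
    """Interpret the classic-BPF subset in the dump for one syscall."""
    data = {0: nr, 4: arch, 16: arg0 & 0xFFFFFFFF}  # struct seccomp_data offsets
    acc = pc = 0
    while True:
        op, jt, jf, k = prog[pc]
        if op == 0x20:                    # ld: 32-bit word at offset k
            acc = data[k]
        elif op in (0x15, 0x35):          # jeq / jge: jump relative to next insn
            pc += jt if (acc == k if op == 0x15 else acc >= k) else jf
        elif op == 0x06:                  # ret: k is the SECCOMP_RET_* action
            return k
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at {pc:04x}")
        pc += 1

def socket_verdict(family):
    """Verdict for socket(family, ...); socket is syscall 41 (0x29) on x86_64."""
    action = run(parse(DUMP), nr=41, arg0=family)
    if action & 0xFFFF0000 == ERRNO:
        return f"ERRNO({action & 0xFFFF})"
    return {ALLOW: "ALLOW", 0: "KILL"}.get(action, hex(action))
```

Families 1, 2, 10 and 16 are AF_UNIX, AF_INET, AF_INET6 and AF_NETLINK on Linux, matching the `unix,inet,inet6,netlink` protocol list in the log; any other family gets errno 95 (EOPNOTSUPP) rather than a kill.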
I've seen similar behavior on that site. You may try with firejail --ignore=seccomp.
I haven't been able to duplicate (I'm on Arch). Even 7 simultaneous downloads don't take my CPU above ~26%.
@Fred-Barclay can you go to https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/ and try to open several commits, each on a new tab?
I can't really reproduce either. Downloading a 10GB file at 150Mbps doesn't push any of my cores past 20%.
And I tried opening a bunch of large commits from there and all of them loaded near instantly.
I am sure there are a lot of variables that affect this result which is why we don't all see the same like: processor (and microcode), kernel version, kernel config, distro compiler flags, network speed, drive, disk encryption, browser (and extensions), etc.
It could be also issues related to that site itself in a specific time period.
Guys, this has nothing to do with kernel.org. I just used the site as it has easily available big files to download. The problem is with downloading files with firefox and firejail. I tried firejail --ignore=seccomp but it doesn't change anything. I will try to dig more and see if I can narrow down the problem.
//Edit: this doesn't happen on fresh firefox profile. However, please try to change this setting:

Now you should be able to reproduce the issue.
Yep, it's "Always ask you where to save files" that does it! This is the progress from 0 to 5 simultaneous downloads:

Hello, I have tried to reproduce and I don't have this problem while using firejailed firefox, manjaro kde edition, firejail 0.9.57 r4574 from 18 december.
I tried to reproduce:
Result:
Unfortunately, I cannot reproduce this either :confused:
I'm pretty sure that I have a solution for this. What I've done is to create a file ~/.local/bin/firefox-esr which is all of:
#!/bin/sh
2> /dev/null 1> /dev/null cpulimit -l 50 firejail firefox-esr "$@" &
The directory ~/.local/bin is the first item in my $PATH.
@Boruch-Baum Does that actually work? IMHO it would eternally loop, executing firefox-esr in ~/.local/bin on each iteration (causing even higher CPU usage and confusing your system into a fit). It would only work if you called firefox-esr in that shell script by its full path.
@glitsj16 : Yup, it's how I'm writing this comment now - a firefox instance in a firejail under cpulimit, as launched by that wrapper script. Pretty cool, eh? I had started launching firefox under cpulimit years ago, without firejail, so it was just natural for me to try this. My guess is that firejail internally canonicalizes the path of \foo which would avoid the loop.
Duplicate of #2608
Also sorry for the noise! Was trying to use GitHub's "mark as duplicate" tool. Anyhow, this looks like it's similar to #2608 #2330 #1730
https://help.github.com/en/articles/about-duplicate-issues-and-pull-requests
Upstream released Firefox 66, which carries a Linux-specific fix for Firefox freezing when downloading files (see release notes and bug report).
@mkkot Is your issue resolved?
I will answer that when I get home next week. Can't check now.
--
Pozdrawiam / Greetings
Marcin Kocur █
Brak odpowiedzi? / No answer?
http://koci.net.pl/email/
Firefox 66.0.2:

I think I will have to read about some performance visualizers to debug this issue.
Closing this due to inactivity.