Firejail: Can't run Discord with Linux-Hardened kernel

Created on 15 Nov 2020 · 8 Comments · Source: netblue30/firejail

**Bug and expected behavior**
To be clear, I'm not calling this a bug, but seeking support.

Discord works perfectly fine with the default profile and default kernel on my Arch Linux system. However, when I use the linux-hardened kernel, I get the error:

```
The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/discord/chrome-sandbox is owned by root and has mode 4755
```

And `/opt/discord/chrome-sandbox` does have the correct permissions (because, again, this works perfectly fine with the standard Linux kernel).

```
$ ls -alh /opt/discord
drwxr-xr-x  5 root root   19 Oct 30 09:59 .
drwxr-xr-x 11 root root   11 Nov  9 21:55 ..
-rwxr-xr-x  1 root root 110M Oct 22 10:38 Discord
-rwsr-xr-x  1 root root 235K Oct 22 10:38 chrome-sandbox
-rw-r--r--  1 root root 174K Oct 22 10:38 chrome_100_percent.pak
-rw-r--r--  1 root root 310K Oct 22 10:38 chrome_200_percent.pak
-rw-r--r--  1 root root  313 Oct 22 10:38 discord.desktop
-rw-r--r--  1 root root  29K Oct 22 10:38 discord.png
-rw-r--r--  1 root root  10M Oct 22 10:38 icudtl.dat
-rw-r--r--  1 root root 243K Oct 22 10:38 libEGL.so
-rw-r--r--  1 root root 8.0M Oct 22 10:38 libGLESv2.so
-rw-r--r--  1 root root 2.9M Oct 22 10:38 libffmpeg.so
drwxr-xr-x  2 root root   55 Oct 30 09:59 locales
-rw-r--r--  1 root root  81K Oct 22 10:38 natives_blob.bin
drwxr-xr-x  3 root root    5 Oct 30 09:59 resources
-rw-r--r--  1 root root 8.3M Oct 22 10:38 resources.pak
-rw-r--r--  1 root root 274K Oct 22 10:38 snapshot_blob.bin
drwxr-xr-x  2 root root    5 Oct 30 09:59 swiftshader
-rw-r--r--  1 root root 685K Oct 22 10:38 v8_context_snapshot.bin
```

How can I determine what kernel parameter I need to change to make this work while using the hardened kernel?

**Environment**

  • Arch Linux

    ```
    firejail version 0.9.64

    Compile time support:
    - AppArmor support is enabled
    - AppImage support is enabled
    - chroot support is enabled
    - D-BUS proxy support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - firetunnel support is enabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - SELinux support is disabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled
    ```

**Checklist**
 - [x] The upstream profile (and the redirect profile, if one exists) has no changes fixing it.
 - [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
 - [x] Programs needed for interaction are listed in the profile.
 - [x] A short search for duplicates was performed.
 - [ ] If it is an AppImage, `--profile=PROFILENAME` is used to set the right profile.
 - [x] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get English error messages.


<details><summary> debug output </summary>

$ firejail --debug discord
Autoselecting /bin/bash as shell
Building quoted command line: 'discord'
Command name #discord#
Found discord.profile profile in /etc/firejail directory
Reading profile /etc/firejail/discord.profile
Found globals.local profile in /home/seonwoo/.config/firejail directory
Reading profile /home/seonwoo/.config/firejail/globals.local
Found discord-common.profile profile in /etc/firejail directory
Reading profile /etc/firejail/discord-common.profile
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-exec.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-exec.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found whitelist-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-common.inc
Found whitelist-var-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
DISPLAY=:0.0 parsed as 0
Using the local network stack
Parent pid 504567, child pid 504568
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp/seccomp.protocol
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 100, nogroups 1
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1301 800 0:24 /etc /etc ro,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl
mountid=1301 fsname=/etc dir=/etc fstype=zfs
Mounting noexec /etc
1506 1301 0:24 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl
mountid=1506 fsname=/etc dir=/etc fstype=zfs
Mounting read-only /var
1509 1507 0:53 / /var/lib/docker rw,noatime master:75 - zfs zroot/enc/ephemeral/docker rw,xattr,posixacl
mountid=1509 fsname=/ dir=/var/lib/docker fstype=zfs
Mounting read-only /var/lib/docker
1510 1509 0:53 / /var/lib/docker ro,noatime master:75 - zfs zroot/enc/ephemeral/docker rw,xattr,posixacl
mountid=1510 fsname=/ dir=/var/lib/docker fstype=zfs
Mounting noexec /var
1567 1566 0:53 / /var/lib/docker ro,noatime master:75 - zfs zroot/enc/ephemeral/docker rw,xattr,posixacl
mountid=1567 fsname=/ dir=/var/lib/docker fstype=zfs
Mounting noexec /var/lib/docker
1569 1567 0:53 / /var/lib/docker ro,nosuid,nodev,noexec,noatime master:75 - zfs zroot/enc/ephemeral/docker rw,xattr,posixacl
mountid=1569 fsname=/ dir=/var/lib/docker fstype=zfs
Mounting read-only /usr
1570 800 0:24 /usr /usr ro,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl
mountid=1570 fsname=/usr dir=/usr fstype=zfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/seonwoo/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Drop privileges: pid 3, uid 1000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Mounting a new /root directory
Mounting a new /home directory
Create a new user directory
Drop privileges: pid 4, uid 1000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Drop privileges: pid 5, uid 1000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
Process /dev/shm directory
Copying files in the new /opt directory:
copying /opt/discord to private /opt
Creating empty /run/firejail/mnt/opt/discord directory
sbox run: /run/firejail/lib/fcopy /opt/discord /run/firejail/mnt/opt/discord
Mount-bind /run/firejail/mnt/opt on top of /opt
Private /opt installed in 535.89 ms
Copying files in the new bin directory
Checking /usr/local/bin/discord
Checking /usr/bin/discord
file /opt/discord/Discord not found
sbox run: /run/firejail/lib/fcopy /usr/bin/discord /run/firejail/mnt/bin
Checking /usr/local/bin/bash
Checking /usr/bin/bash
sbox run: /run/firejail/lib/fcopy /usr/bin/bash /run/firejail/mnt/bin
Checking /usr/local/bin/cut
Checking /usr/bin/cut
sbox run: /run/firejail/lib/fcopy /usr/bin/cut /run/firejail/mnt/bin
Checking /usr/local/bin/echo
Checking /usr/bin/echo
sbox run: /run/firejail/lib/fcopy /usr/bin/echo /run/firejail/mnt/bin
Checking /usr/local/bin/egrep
Checking /usr/bin/egrep
sbox run: /run/firejail/lib/fcopy /usr/bin/egrep /run/firejail/mnt/bin
Checking /usr/local/bin/fish
Checking /usr/bin/fish
Checking /bin/fish
Checking /usr/games/fish
Checking /usr/local/games/fish
Checking /usr/local/sbin/fish
Checking /usr/sbin/fish
Checking /sbin/fish
Warning: file fish not found
Checking /usr/local/bin/grep
Checking /usr/bin/grep
sbox run: /run/firejail/lib/fcopy /usr/bin/grep /run/firejail/mnt/bin
Checking /usr/local/bin/head
Checking /usr/bin/head
sbox run: /run/firejail/lib/fcopy /usr/bin/head /run/firejail/mnt/bin
Checking /usr/local/bin/sed
Checking /usr/bin/sed
sbox run: /run/firejail/lib/fcopy /usr/bin/sed /run/firejail/mnt/bin
Checking /usr/local/bin/sh
Checking /usr/bin/sh
sbox run: /run/firejail/lib/fcopy /usr/bin/bash /run/firejail/mnt/bin
sbox run: /run/firejail/lib/fcopy /usr/bin/sh /run/firejail/mnt/bin
Checking /usr/local/bin/tclsh
Checking /usr/bin/tclsh
sbox run: /run/firejail/lib/fcopy /usr/bin/tclsh8.6 /run/firejail/mnt/bin
sbox run: /run/firejail/lib/fcopy /usr/bin/tclsh /run/firejail/mnt/bin
Checking /usr/local/bin/tr
Checking /usr/bin/tr
sbox run: /run/firejail/lib/fcopy /usr/bin/tr /run/firejail/mnt/bin
Checking /usr/local/bin/xdg-mime
Checking /usr/bin/xdg-mime
sbox run: /run/firejail/lib/fcopy /usr/bin/xdg-mime /run/firejail/mnt/bin
Checking /usr/local/bin/xdg-open
Checking /usr/bin/xdg-open
sbox run: /run/firejail/lib/fcopy /usr/bin/xdg-open /run/firejail/mnt/bin
Checking /usr/local/bin/zsh
Checking /usr/bin/zsh
sbox run: /run/firejail/lib/fcopy /usr/bin/zsh /run/firejail/mnt/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
16 programs installed in 27.33 ms
Generate private-tmp whitelist commands
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /usr/lib/modules/5.9.8-arch1-1/build (requested /usr/src/linux)
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Copying files in the new /etc directory:
Warning: file /etc/alternatives not found.
Warning: skipping alternatives for private /etc
copying /etc/ca-certificates to private /etc
Creating empty /run/firejail/mnt/etc/ca-certificates directory
sbox run: /run/firejail/lib/fcopy /etc/ca-certificates /run/firejail/mnt/etc/ca-certificates
Warning: file /etc/crypto-policies not found.
Warning: skipping crypto-policies for private /etc
copying /etc/fonts to private /etc
Creating empty /run/firejail/mnt/etc/fonts directory
sbox run: /run/firejail/lib/fcopy /etc/fonts /run/firejail/mnt/etc/fonts
copying /etc/group to private /etc
sbox run: /run/firejail/lib/fcopy /etc/group /run/firejail/mnt/etc
copying /etc/ld.so.cache to private /etc
sbox run: /run/firejail/lib/fcopy /etc/ld.so.cache /run/firejail/mnt/etc
copying /etc/localtime to private /etc
sbox run: /run/firejail/lib/fcopy /etc/localtime /run/firejail/mnt/etc
copying /etc/login.defs to private /etc
sbox run: /run/firejail/lib/fcopy /etc/login.defs /run/firejail/mnt/etc
copying /etc/machine-id to private /etc
sbox run: /run/firejail/lib/fcopy /etc/machine-id /run/firejail/mnt/etc
Warning: file /etc/password not found.
Warning: skipping password for private /etc
Warning: file /etc/pki not found.
Warning: skipping pki for private /etc
copying /etc/resolv.conf to private /etc
sbox run: /run/firejail/lib/fcopy /etc/resolv.conf /run/firejail/mnt/etc
copying /etc/ssl to private /etc
Creating empty /run/firejail/mnt/etc/ssl directory
sbox run: /run/firejail/lib/fcopy /etc/ssl /run/firejail/mnt/etc/ssl
Mount-bind /run/firejail/mnt/etc on top of /etc
Private /etc installed in 57.94 ms
Cannot find /usr/etc
Debug 456: new_name #/home/seonwoo/.config/discord#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/discord
expanded: /home/seonwoo/.config/discord
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/BetterDiscord#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/BetterDiscord
expanded: /home/seonwoo/.config/BetterDiscord
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/betterdiscordctl#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/betterdiscordctl
expanded: /home/seonwoo/.local/share/betterdiscordctl
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.XCompose#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.XCompose
expanded: /home/seonwoo/.XCompose
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.asoundrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.asoundrc
expanded: /home/seonwoo/.asoundrc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/ibus#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ibus
expanded: /home/seonwoo/.config/ibus
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/mimeapps.list#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/mimeapps.list
expanded: /home/seonwoo/.config/mimeapps.list
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/pkcs11#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/pkcs11
expanded: /home/seonwoo/.config/pkcs11
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/user-dirs.dirs#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/user-dirs.dirs
expanded: /home/seonwoo/.config/user-dirs.dirs
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/user-dirs.locale#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/user-dirs.locale
expanded: /home/seonwoo/.config/user-dirs.locale
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.drirc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.drirc
expanded: /home/seonwoo/.drirc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.icons
expanded: /home/seonwoo/.icons
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/applications#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/applications
expanded: /home/seonwoo/.local/share/applications
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/icons
expanded: /home/seonwoo/.local/share/icons
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/mime#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/mime
expanded: /home/seonwoo/.local/share/mime
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.mime.types#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.mime.types
expanded: /home/seonwoo/.mime.types
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.uim.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.uim.d
expanded: /home/seonwoo/.uim.d
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/dconf#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/dconf
expanded: /home/seonwoo/.config/dconf
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.cache/fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/fontconfig
expanded: /home/seonwoo/.cache/fontconfig
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/fontconfig
expanded: /home/seonwoo/.config/fontconfig
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fontconfig
expanded: /home/seonwoo/.fontconfig
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.fonts#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts
expanded: /home/seonwoo/.fonts
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.fonts.conf#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf
expanded: /home/seonwoo/.fonts.conf
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.fonts.conf.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf.d
expanded: /home/seonwoo/.fonts.conf.d
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.fonts.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.d
expanded: /home/seonwoo/.fonts.d
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/fonts#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/fonts
expanded: /home/seonwoo/.local/share/fonts
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.pangorc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.pangorc
expanded: /home/seonwoo/.pangorc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/gtk-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtk-2.0
expanded: /home/seonwoo/.config/gtk-2.0
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/gtk-3.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtk-3.0
expanded: /home/seonwoo/.config/gtk-3.0
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/gtk-4.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtk-4.0
expanded: /home/seonwoo/.config/gtk-4.0
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc
expanded: /home/seonwoo/.config/gtkrc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc-2.0
expanded: /home/seonwoo/.config/gtkrc-2.0
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.gnome2#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2
expanded: /home/seonwoo/.gnome2
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.gnome2-private#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2-private
expanded: /home/seonwoo/.gnome2-private
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.gtk-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtk-2.0
expanded: /home/seonwoo/.gtk-2.0
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc
expanded: /home/seonwoo/.gtkrc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc-2.0
expanded: /home/seonwoo/.gtkrc-2.0
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc
expanded: /home/seonwoo/.kde/share/config/gtkrc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc-2.0
expanded: /home/seonwoo/.kde/share/config/gtkrc-2.0
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc
expanded: /home/seonwoo/.kde4/share/config/gtkrc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
expanded: /home/seonwoo/.kde4/share/config/gtkrc-2.0
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/themes
expanded: /home/seonwoo/.local/share/themes
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.themes
expanded: /home/seonwoo/.themes
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.cache/kioexec/krun#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/kioexec/krun
expanded: /home/seonwoo/.cache/kioexec/krun
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/Kvantum#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Kvantum
expanded: /home/seonwoo/.config/Kvantum
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/Trolltech.conf#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Trolltech.conf
expanded: /home/seonwoo/.config/Trolltech.conf
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kdeglobals
expanded: /home/seonwoo/.config/kdeglobals
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kio_httprc
expanded: /home/seonwoo/.config/kio_httprc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kioslaverc
expanded: /home/seonwoo/.config/kioslaverc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ksslcablacklist
expanded: /home/seonwoo/.config/ksslcablacklist
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.config/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/qt5ct
expanded: /home/seonwoo/.config/qt5ct
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kdeglobals
expanded: /home/seonwoo/.kde/share/config/kdeglobals
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kio_httprc
expanded: /home/seonwoo/.kde/share/config/kio_httprc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kioslaverc
expanded: /home/seonwoo/.kde/share/config/kioslaverc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/ksslcablacklist
expanded: /home/seonwoo/.kde/share/config/ksslcablacklist
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/oxygenrc
expanded: /home/seonwoo/.kde/share/config/oxygenrc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/icons
expanded: /home/seonwoo/.kde/share/icons
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kdeglobals
expanded: /home/seonwoo/.kde4/share/config/kdeglobals
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kio_httprc
expanded: /home/seonwoo/.kde4/share/config/kio_httprc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kioslaverc
expanded: /home/seonwoo/.kde4/share/config/kioslaverc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/ksslcablacklist
expanded: /home/seonwoo/.kde4/share/config/ksslcablacklist
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/oxygenrc
expanded: /home/seonwoo/.kde4/share/config/oxygenrc
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.kde4/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/icons
expanded: /home/seonwoo/.kde4/share/icons
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/home/seonwoo/.local/share/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/qt5ct
expanded: /home/seonwoo/.local/share/qt5ct
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/var/lib/ca-certificates#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/ca-certificates
expanded: /var/lib/ca-certificates
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/var/lib/dbus#, whitelist
Debug 456: new_name #/var/lib/menu-xdg#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg
expanded: /var/lib/menu-xdg
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/var/lib/uim#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/uim
expanded: /var/lib/uim
real path: (null)
realpath: No such file or directory
Debug 456: new_name #/var/cache/fontconfig#, whitelist
Debug 456: new_name #/var/tmp#, whitelist
Debug 456: new_name #/var/run#, whitelist
Replaced whitelist path: whitelist /run
Debug 456: new_name #/var/lock#, whitelist
Replaced whitelist path: whitelist /run/lock
Debug 456: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Mounting tmpfs on /var directory
Whitelisting /var/lib/dbus
1808 1807 0:24 /var/lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl
mountid=1808 fsname=/var/lib/dbus dir=/var/lib/dbus fstype=zfs
Whitelisting /var/cache/fontconfig
1809 1807 0:24 /var/cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,relatime master:1 - zfs zroot/enc/permanent/root rw,xattr,posixacl
mountid=1809 fsname=/var/cache/fontconfig dir=/var/cache/fontconfig fstype=zfs
Whitelisting /var/tmp
1810 1807 0:137 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64
mountid=1810 fsname=/ dir=/var/tmp fstype=tmpfs
Created symbolic link /var/run -> /run
Created symbolic link /var/lock -> /run/lock
Whitelisting /tmp/.X11-unix
1811 1800 0:48 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,relatime master:69 - tmpfs tmpfs rw,size=6291456k,inode64
mountid=1811 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Drop privileges: pid 32, uid 1000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Mounting read-only /home/seonwoo/.Xauthority
1814 1773 0:144 /seonwoo/.Xauthority /home/seonwoo/.Xauthority ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1814 fsname=/seonwoo/.Xauthority dir=/home/seonwoo/.Xauthority fstype=tmpfs
Disable /run/user/1000/systemd
Disable /usr/share/applications/veracrypt.desktop
Disable /usr/share/pixmaps/veracrypt.xpm
Disable /run/screens (requested /var/run/screens)
Mounting read-only /home/seonwoo/.bashrc
1819 1773 0:144 /seonwoo/.bashrc /home/seonwoo/.bashrc ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1819 fsname=/seonwoo/.bashrc dir=/home/seonwoo/.bashrc fstype=tmpfs
Warning: /sbin directory link was not blacklisted
Disable /usr/local/sbin
Warning: /usr/sbin directory link was not blacklisted
Disable /proc/config.gz
Disable /usr/lib/jvm/java-8-openjdk/jre/bin/java (requested /usr/lib/jvm/default/bin/java)
Disable /usr/share/java
Disable /usr/lib/valgrind
Disable /usr/src
Disable /usr/local/src
Disable /usr/include
Disable /usr/local/include
Mounting noexec /run/user/1000
1833 1832 0:22 /firejail/firejail.ro.dir /run/user/1000/systemd rw,nosuid,nodev,relatime master:16 - tmpfs run rw,mode=755,inode64
mountid=1833 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/systemd fstype=tmpfs
Warning: not remounting /run/user/1000/gvfs
Mounting noexec /dev/shm
1834 1780 0:145 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1834 fsname=/shm dir=/dev/shm fstype=tmpfs
Mounting noexec /tmp
1836 1835 0:48 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,relatime master:69 - tmpfs tmpfs rw,size=6291456k,inode64
mountid=1836 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /tmp/.X11-unix
1837 1836 0:48 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,relatime master:69 - tmpfs tmpfs rw,size=6291456k,inode64
mountid=1837 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /var
1841 1838 0:137 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64
mountid=1841 fsname=/ dir=/var/tmp fstype=tmpfs
Not blacklist /home/seonwoo/.config/discord
Drop privileges: pid 33, uid 1000, gid 100, nogroups 0
Warning: cleaning all supplementary groups
Mounting read-only /tmp/.X11-unix
1842 1837 0:48 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,relatime master:69 - tmpfs tmpfs rw,size=6291456k,inode64
mountid=1842 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Disable /sys/fs
Disable /sys/module
Disable /mnt
Disable /run/mount
Disable /run/media
/etc/pulse/client.conf not found
Current directory: /home/seonwoo
DISPLAY=:0.0 parsed as 0
Install protocol filter: unix,inet,inet6,netlink
configuring 22 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol
Dropping all capabilities
Drop privileges: pid 34, uid 1000, gid 100, nogroups 1
No supplementary groups

line OP JT JF K

0000: 20 00 00 00000004 ld data.architecture
0001: 15 04 00 c000003e jeq ARCH_64 0006 (false 0002)
0002: 20 00 00 00000000 ld data.syscall-number
0003: 15 01 00 00000167 jeq unknown 0005 (false 0004)
0004: 06 00 00 7fff0000 ret ALLOW
0005: 05 00 00 00000006 jmp 000c
0006: 20 00 00 00000004 ld data.architecture
0007: 15 01 00 c000003e jeq ARCH_64 0009 (false 0008)
0008: 06 00 00 7fff0000 ret ALLOW
0009: 20 00 00 00000000 ld data.syscall-number
000a: 15 01 00 00000029 jeq socket 000c (false 000b)
000b: 06 00 00 7fff0000 ret ALLOW
000c: 20 00 00 00000010 ld data.args[0]
000d: 15 00 01 00000001 jeq 1 000e (false 000f)
000e: 06 00 00 7fff0000 ret ALLOW
000f: 15 00 01 00000002 jeq 2 0010 (false 0011)
0010: 06 00 00 7fff0000 ret ALLOW
0011: 15 00 01 0000000a jeq a 0012 (false 0013)
0012: 06 00 00 7fff0000 ret ALLOW
0013: 15 00 01 00000010 jeq 10 0014 (false 0015)
0014: 06 00 00 7fff0000 ret ALLOW
0015: 06 00 00 0005005f ret ERRNO(95)
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32
Dropping all capabilities
Drop privileges: pid 35, uid 1000, gid 100, nogroups 1
No supplementary groups

line OP JT JF K

0000: 20 00 00 00000004 ld data.architecture
0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002)
0002: 06 00 00 7fff0000 ret ALLOW
0003: 20 00 00 00000000 ld data.syscall-number
0004: 15 00 01 00000015 jeq 15 0005 (false 0006)
0005: 06 00 00 00000001 ret KILL
0006: 15 00 01 00000034 jeq 34 0007 (false 0008)
0007: 06 00 00 00000001 ret KILL
0008: 15 00 01 0000001a jeq 1a 0009 (false 000a)
0009: 06 00 00 00000001 ret KILL
000a: 15 00 01 0000011b jeq 11b 000b (false 000c)
000b: 06 00 00 00000001 ret KILL
000c: 15 00 01 00000155 jeq 155 000d (false 000e)
000d: 06 00 00 00000001 ret KILL
000e: 15 00 01 00000156 jeq 156 000f (false 0010)
000f: 06 00 00 00000001 ret KILL
0010: 15 00 01 0000007f jeq 7f 0011 (false 0012)
0011: 06 00 00 00000001 ret KILL
0012: 15 00 01 00000080 jeq 80 0013 (false 0014)
0013: 06 00 00 00000001 ret KILL
0014: 15 00 01 0000015e jeq 15e 0015 (false 0016)
0015: 06 00 00 00000001 ret KILL
0016: 15 00 01 00000081 jeq 81 0017 (false 0018)
0017: 06 00 00 00000001 ret KILL
0018: 15 00 01 0000006e jeq 6e 0019 (false 001a)
0019: 06 00 00 00000001 ret KILL
001a: 15 00 01 00000065 jeq 65 001b (false 001c)
001b: 06 00 00 00000001 ret KILL
001c: 15 00 01 00000121 jeq 121 001d (false 001e)
001d: 06 00 00 00000001 ret KILL
001e: 15 00 01 00000057 jeq 57 001f (false 0020)
001f: 06 00 00 00000001 ret KILL
0020: 15 00 01 00000073 jeq 73 0021 (false 0022)
0021: 06 00 00 00000001 ret KILL
0022: 15 00 01 00000067 jeq 67 0023 (false 0024)
0023: 06 00 00 00000001 ret KILL
0024: 15 00 01 0000015b jeq 15b 0025 (false 0026)
0025: 06 00 00 00000001 ret KILL
0026: 15 00 01 0000015c jeq 15c 0027 (false 0028)
0027: 06 00 00 00000001 ret KILL
0028: 15 00 01 00000087 jeq 87 0029 (false 002a)
0029: 06 00 00 00000001 ret KILL
002a: 15 00 01 00000095 jeq 95 002b (false 002c)
002b: 06 00 00 00000001 ret KILL
002c: 15 00 01 0000007c jeq 7c 002d (false 002e)
002d: 06 00 00 00000001 ret KILL
002e: 15 00 01 00000157 jeq 157 002f (false 0030)
002f: 06 00 00 00000001 ret KILL
0030: 15 00 01 000000fd jeq fd 0031 (false 0032)
0031: 06 00 00 00000001 ret KILL
0032: 15 00 01 00000150 jeq 150 0033 (false 0034)
0033: 06 00 00 00000001 ret KILL
0034: 15 00 01 00000152 jeq 152 0035 (false 0036)
0035: 06 00 00 00000001 ret KILL
0036: 15 00 01 0000015d jeq 15d 0037 (false 0038)
0037: 06 00 00 00000001 ret KILL
0038: 15 00 01 0000011e jeq 11e 0039 (false 003a)
0039: 06 00 00 00000001 ret KILL
003a: 15 00 01 0000011f jeq 11f 003b (false 003c)
003b: 06 00 00 00000001 ret KILL
003c: 15 00 01 00000120 jeq 120 003d (false 003e)
003d: 06 00 00 00000001 ret KILL
003e: 15 00 01 00000056 jeq 56 003f (false 0040)
003f: 06 00 00 00000001 ret KILL
0040: 15 00 01 00000033 jeq 33 0041 (false 0042)
0041: 06 00 00 00000001 ret KILL
0042: 15 00 01 0000007b jeq 7b 0043 (false 0044)
0043: 06 00 00 00000001 ret KILL
0044: 15 00 01 000000d9 jeq d9 0045 (false 0046)
0045: 06 00 00 00000001 ret KILL
0046: 15 00 01 000000f5 jeq f5 0047 (false 0048)
0047: 06 00 00 00000001 ret KILL
0048: 15 00 01 000000f6 jeq f6 0049 (false 004a)
0049: 06 00 00 00000001 ret KILL
004a: 15 00 01 000000f7 jeq f7 004b (false 004c)
004b: 06 00 00 00000001 ret KILL
004c: 15 00 01 000000f8 jeq f8 004d (false 004e)
004d: 06 00 00 00000001 ret KILL
004e: 15 00 01 000000f9 jeq f9 004f (false 0050)
004f: 06 00 00 00000001 ret KILL
0050: 15 00 01 00000101 jeq 101 0051 (false 0052)
0051: 06 00 00 00000001 ret KILL
0052: 15 00 01 00000112 jeq 112 0053 (false 0054)
0053: 06 00 00 00000001 ret KILL
0054: 15 00 01 00000114 jeq 114 0055 (false 0056)
0055: 06 00 00 00000001 ret KILL
0056: 15 00 01 00000126 jeq 126 0057 (false 0058)
0057: 06 00 00 00000001 ret KILL
0058: 15 00 01 0000013d jeq 13d 0059 (false 005a)
0059: 06 00 00 00000001 ret KILL
005a: 15 00 01 0000013c jeq 13c 005b (false 005c)
005b: 06 00 00 00000001 ret KILL
005c: 15 00 01 0000003d jeq 3d 005d (false 005e)
005d: 06 00 00 00000001 ret KILL
005e: 15 00 01 00000058 jeq 58 005f (false 0060)
005f: 06 00 00 00000001 ret KILL
0060: 15 00 01 000000a9 jeq a9 0061 (false 0062)
0061: 06 00 00 00000001 ret KILL
0062: 15 00 01 00000082 jeq 82 0063 (false 0064)
0063: 06 00 00 00000001 ret KILL
0064: 06 00 00 7fff0000 ret ALLOW
Dual 32/64 bit seccomp filter configured
Build default+drop seccomp filter
sbox run: /run/firejail/lib/fseccomp default drop /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.postexec !chroot
Dropping all capabilities
Drop privileges: pid 36, uid 1000, gid 100, nogroups 1
No supplementary groups
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
sbox run: /run/firejail/lib/fsec-optimize /run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
Drop privileges: pid 37, uid 1000, gid 100, nogroups 1
No supplementary groups
configuring 136 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
Drop privileges: pid 38, uid 1000, gid 100, nogroups 1
No supplementary groups

line OP JT JF K

0000: 20 00 00 00000004 ld data.architecture
0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002)
0002: 06 00 00 7fff0000 ret ALLOW
0003: 20 00 00 00000000 ld data.syscall-number
0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005)
0005: 35 01 00 00000000 jge read 0007 (false 0006)
0006: 06 00 00 00050001 ret ERRNO(1)
0007: 15 00 01 000000a1 jeq chroot 0008 (false 0009)
0008: 06 00 00 7fff0000 ret ALLOW
0009: 15 00 01 0000009f jeq adjtimex 000a (false 000b)
000a: 06 00 00 00050001 ret ERRNO(1)
000b: 15 00 01 00000131 jeq clock_adjtime 000c (false 000d)
000c: 06 00 00 00050001 ret ERRNO(1)
000d: 15 00 01 000000e3 jeq clock_settime 000e (false 000f)
000e: 06 00 00 00050001 ret ERRNO(1)
000f: 15 00 01 000000a4 jeq settimeofday 0010 (false 0011)
0010: 06 00 00 00050001 ret ERRNO(1)
0011: 15 00 01 0000009a jeq modify_ldt 0012 (false 0013)
0012: 06 00 00 00050001 ret ERRNO(1)
0013: 15 00 01 000000d4 jeq lookup_dcookie 0014 (false 0015)
0014: 06 00 00 00050001 ret ERRNO(1)
0015: 15 00 01 0000012a jeq perf_event_open 0016 (false 0017)
0016: 06 00 00 00050001 ret ERRNO(1)
0017: 15 00 01 00000137 jeq process_vm_writev 0018 (false 0019)
0018: 06 00 00 00050001 ret ERRNO(1)
0019: 15 00 01 000000b0 jeq delete_module 001a (false 001b)
001a: 06 00 00 00050001 ret ERRNO(1)
001b: 15 00 01 00000139 jeq finit_module 001c (false 001d)
001c: 06 00 00 00050001 ret ERRNO(1)
001d: 15 00 01 000000af jeq init_module 001e (false 001f)
001e: 06 00 00 00050001 ret ERRNO(1)
001f: 15 00 01 000000a1 jeq chroot 0020 (false 0021)
0020: 06 00 00 00050001 ret ERRNO(1)
0021: 15 00 01 000000a5 jeq mount 0022 (false 0023)
0022: 06 00 00 00050001 ret ERRNO(1)
0023: 15 00 01 0000009b jeq pivot_root 0024 (false 0025)
0024: 06 00 00 00050001 ret ERRNO(1)
0025: 15 00 01 000000a6 jeq umount2 0026 (false 0027)
0026: 06 00 00 00050001 ret ERRNO(1)
0027: 15 00 01 0000009c jeq _sysctl 0028 (false 0029)
0028: 06 00 00 00050001 ret ERRNO(1)
0029: 15 00 01 000000b7 jeq afs_syscall 002a (false 002b)
002a: 06 00 00 00050001 ret ERRNO(1)
002b: 15 00 01 000000ae jeq create_module 002c (false 002d)
002c: 06 00 00 00050001 ret ERRNO(1)
002d: 15 00 01 000000b1 jeq get_kernel_syms 002e (false 002f)
002e: 06 00 00 00050001 ret ERRNO(1)
002f: 15 00 01 000000b5 jeq getpmsg 0030 (false 0031)
0030: 06 00 00 00050001 ret ERRNO(1)
0031: 15 00 01 000000b6 jeq putpmsg 0032 (false 0033)
0032: 06 00 00 00050001 ret ERRNO(1)
0033: 15 00 01 000000b2 jeq query_module 0034 (false 0035)
0034: 06 00 00 00050001 ret ERRNO(1)
0035: 15 00 01 000000b9 jeq security 0036 (false 0037)
0036: 06 00 00 00050001 ret ERRNO(1)
0037: 15 00 01 0000008b jeq sysfs 0038 (false 0039)
0038: 06 00 00 00050001 ret ERRNO(1)
0039: 15 00 01 000000b8 jeq tuxcall 003a (false 003b)
003a: 06 00 00 00050001 ret ERRNO(1)
003b: 15 00 01 00000086 jeq uselib 003c (false 003d)
003c: 06 00 00 00050001 ret ERRNO(1)
003d: 15 00 01 00000088 jeq ustat 003e (false 003f)
003e: 06 00 00 00050001 ret ERRNO(1)
003f: 15 00 01 000000ec jeq vserver 0040 (false 0041)
0040: 06 00 00 00050001 ret ERRNO(1)
0041: 15 00 01 000000ad jeq ioperm 0042 (false 0043)
0042: 06 00 00 00050001 ret ERRNO(1)
0043: 15 00 01 000000ac jeq iopl 0044 (false 0045)
0044: 06 00 00 00050001 ret ERRNO(1)
0045: 15 00 01 000000f6 jeq kexec_load 0046 (false 0047)
0046: 06 00 00 00050001 ret ERRNO(1)
0047: 15 00 01 00000140 jeq kexec_file_load 0048 (false 0049)
0048: 06 00 00 00050001 ret ERRNO(1)
0049: 15 00 01 000000a9 jeq reboot 004a (false 004b)
004a: 06 00 00 00050001 ret ERRNO(1)
004b: 15 00 01 000000a7 jeq swapon 004c (false 004d)
004c: 06 00 00 00050001 ret ERRNO(1)
004d: 15 00 01 000000a8 jeq swapoff 004e (false 004f)
004e: 06 00 00 00050001 ret ERRNO(1)
004f: 15 00 01 00000130 jeq open_by_handle_at 0050 (false 0051)
0050: 06 00 00 00050001 ret ERRNO(1)
0051: 15 00 01 0000012f jeq name_to_handle_at 0052 (false 0053)
0052: 06 00 00 00050001 ret ERRNO(1)
0053: 15 00 01 000000fb jeq ioprio_set 0054 (false 0055)
0054: 06 00 00 00050001 ret ERRNO(1)
0055: 15 00 01 00000067 jeq syslog 0056 (false 0057)
0056: 06 00 00 00050001 ret ERRNO(1)
0057: 15 00 01 0000012c jeq fanotify_init 0058 (false 0059)
0058: 06 00 00 00050001 ret ERRNO(1)
0059: 15 00 01 00000138 jeq kcmp 005a (false 005b)
005a: 06 00 00 00050001 ret ERRNO(1)
005b: 15 00 01 000000f8 jeq add_key 005c (false 005d)
005c: 06 00 00 00050001 ret ERRNO(1)
005d: 15 00 01 000000f9 jeq request_key 005e (false 005f)
005e: 06 00 00 00050001 ret ERRNO(1)
005f: 15 00 01 000000ed jeq mbind 0060 (false 0061)
0060: 06 00 00 00050001 ret ERRNO(1)
0061: 15 00 01 00000100 jeq migrate_pages 0062 (false 0063)
0062: 06 00 00 00050001 ret ERRNO(1)
0063: 15 00 01 00000117 jeq move_pages 0064 (false 0065)
0064: 06 00 00 00050001 ret ERRNO(1)
0065: 15 00 01 000000fa jeq keyctl 0066 (false 0067)
0066: 06 00 00 00050001 ret ERRNO(1)
0067: 15 00 01 000000ce jeq io_setup 0068 (false 0069)
0068: 06 00 00 00050001 ret ERRNO(1)
0069: 15 00 01 000000cf jeq io_destroy 006a (false 006b)
006a: 06 00 00 00050001 ret ERRNO(1)
006b: 15 00 01 000000d0 jeq io_getevents 006c (false 006d)
006c: 06 00 00 00050001 ret ERRNO(1)
006d: 15 00 01 000000d1 jeq io_submit 006e (false 006f)
006e: 06 00 00 00050001 ret ERRNO(1)
006f: 15 00 01 000000d2 jeq io_cancel 0070 (false 0071)
0070: 06 00 00 00050001 ret ERRNO(1)
0071: 15 00 01 000000d8 jeq remap_file_pages 0072 (false 0073)
0072: 06 00 00 00050001 ret ERRNO(1)
0073: 15 00 01 00000143 jeq userfaultfd 0074 (false 0075)
0074: 06 00 00 00050001 ret ERRNO(1)
0075: 15 00 01 000000a3 jeq acct 0076 (false 0077)
0076: 06 00 00 00050001 ret ERRNO(1)
0077: 15 00 01 00000141 jeq bpf 0078 (false 0079)
0078: 06 00 00 00050001 ret ERRNO(1)
0079: 15 00 01 000000b4 jeq nfsservctl 007a (false 007b)
007a: 06 00 00 00050001 ret ERRNO(1)
007b: 15 00 01 000000ab jeq setdomainname 007c (false 007d)
007c: 06 00 00 00050001 ret ERRNO(1)
007d: 15 00 01 000000aa jeq sethostname 007e (false 007f)
007e: 06 00 00 00050001 ret ERRNO(1)
007f: 15 00 01 00000099 jeq vhangup 0080 (false 0081)
0080: 06 00 00 00050001 ret ERRNO(1)
0081: 15 00 01 00000065 jeq ptrace 0082 (false 0083)
0082: 06 00 00 00050001 ret ERRNO(1)
0083: 15 00 01 00000087 jeq personality 0084 (false 0085)
0084: 06 00 00 00050001 ret ERRNO(1)
0085: 15 00 01 00000136 jeq process_vm_readv 0086 (false 0087)
0086: 06 00 00 00050001 ret ERRNO(1)
0087: 06 00 00 7fff0000 ret ALLOW
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
1848 1278 0:66 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=1848 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root root 160 .
drwxr-xr-x root root 380 ..
-rw-r--r-- 1000 users 1088 seccomp
-rw-r--r-- 1000 users 808 seccomp.32
-rw-r--r-- 1000 users 114 seccomp.list
-rw-r--r-- 1000 users 0 seccomp.postexec
-rw-r--r-- 1000 users 0 seccomp.postexec32
-rw-r--r-- 1000 users 176 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
Running 'discord' command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'discord'
Child process initialized in 815.66 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 39

[39:1114/235127.042627:FATAL:setuid_sandbox_host.cc(157)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/discord/chrome-sandbox is owned by root and has mode 4755.
Sandbox monitor: waitpid 39 retval 39 status 133

Parent is shutting down, bye...

```

All 8 comments

How can I determine what kernel parameter I need to change to make this work while using the hardened kernel?

What does cat /proc/sys/kernel/unprivileged_userns_clone say?

Your options:

A) Try commenting out caps.drop all, noroot, nonewprivs, protocol and seccomp in /etc/firejail/discord-common.profile. If it works with only that, good, but Firejail's sandbox becomes loose. The caps.drop all can be changed to caps.keep, and similarly seccomp, if it works.

B) Turn that sysctl knob and use firejail.

C) Disable the internal sandbox of chromium with --no-sandbox. (This might not work with recent electron versions.)

I suggest B and C as a last resort since both have security implications.

Additions:

A) The caps.keep line would be caps.keep sys_admin,sys_chroot.

C) There is also a --disable-setuid-sandbox switch AFAICT.
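Before picking between A, B and C it helps to see the actual state of the three things this reply asks about: the sysctl, the SUID helper's ownership and mode, and whether this user can create a user namespace at all. The script below is an added example, not code from this thread or from the firejail project. It assumes GNU or BusyBox `stat -c` and util-linux `unshare`; the default helper path /opt/discord/chrome-sandbox is the one from the report, and every path is a parameter so the checks can be run against constructed files.

```bash
#!/bin/sh
# Added example, not code from this thread or from the firejail project.
# Reports the three facts the first reply asks about, before any profile
# is touched:
#   1. the kernel.unprivileged_userns_clone sysctl (present only on patched
#      kernels such as Arch linux-hardened and Debian's),
#   2. whether the SUID sandbox helper is root-owned with mode 4755, which is
#      exactly what the Chromium FATAL message in the report demands,
#   3. whether this user can create a user namespace right now.
# Assumes GNU or BusyBox `stat -c` and util-linux `unshare`. Paths are
# parameters so the checks can be run against constructed files.

# Print enabled / disabled / absent for the userns sysctl.
# $1: sysctl file (default: the live one).
userns_clone_state() {
    f=${1:-/proc/sys/kernel/unprivileged_userns_clone}
    if [ ! -r "$f" ]; then
        # Unpatched kernel: only user.max_user_namespaces limits userns here.
        echo absent
        return 0
    fi
    case "$(cat "$f")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Return 0 when the permission bits are exactly 4755 (setuid-root helper).
helper_mode_ok() {
    [ "$(stat -c %a "$1" 2>/dev/null)" = 4755 ]
}

# Return 0 when the file is owned by uid 0.
helper_owner_ok() {
    [ "$(stat -c %u "$1" 2>/dev/null)" = 0 ]
}

# Classify the helper: ok, bad-mode, bad-owner, bad-owner-and-mode or missing.
helper_state() {
    [ -e "$1" ] || { echo missing; return 0; }
    o=1; m=1
    if helper_owner_ok "$1"; then o=0; fi
    if helper_mode_ok "$1"; then m=0; fi
    case "$o$m" in
        00) echo ok ;;
        01) echo bad-mode ;;
        10) echo bad-owner ;;
        *)  echo bad-owner-and-mode ;;
    esac
}

# Probe whether an unprivileged user namespace can be created: yes / no / unknown.
userns_probe() {
    command -v unshare >/dev/null 2>&1 || { echo unknown; return 0; }
    if unshare -U true 2>/dev/null; then echo yes; else echo no; fi
}

main() {
    helper=${1:-/opt/discord/chrome-sandbox}
    echo "kernel.unprivileged_userns_clone : $(userns_clone_state)"
    echo "user namespace probe             : $(userns_probe)"
    echo "$helper : $(helper_state "$helper")"
}
main "$@"
```

Run it as the user who starts Discord, not as root: the probe answers for the calling uid, and that is the uid Chromium's zygote will try the namespace sandbox from. A helper reported as "ok" together with a "disabled" sysctl is exactly the situation in the report: the SUID helper is fine, but Firejail's noroot/nonewprivs keep it from gaining privileges, and the namespace fallback is blocked by the kernel.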

A) didn't work at all unfortunately.
B) works
C) Did you mean firejail --no-sandbox discord and firejail --disable-setuid-sandbox discord? Because neither of them is recognized as a valid parameter to firejail.

A) What's in your globals.local?
C) To "Disable [the] internal sandbox of chromium" you need to add these parameters to discord: firejail discord --no-sandbox or firejail discord --disable-setuid-sandbox.

A) Nothing
C) Gotcha. --no-sandbox works, --disable-setuid-sandbox does not

I suggest going with (B) because:

  1. Reduces profile maintenance, since all Electron applications will be affected.

  2. You enjoy the advantages of both Firejail and the chromium sandbox.

But do know that, while no mainline distro kernels except Debian and RHEL (see below) ship with that patch, there are security reasons for enabling it. That's why non-mainline/hardened kernels have it. You can find information in Security SE and LWN threads. Here are some newer CVEs (older ones are in the SSE threads) relating to it:

(1) https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-14386.html

(2) https://nvd.nist.gov/vuln/detail/CVE-2019-20794

(3) https://security.archlinux.org/CVE-2020-16120

  • The arch linux bug thread in the first firejail link below.

Bottom line: (+) With that, any container or sandbox won't work; browser sandboxes take advantage of it; reduces usability.
(-) Priv esc/root exploit vulns.

Debian is going to reconsider that patch in the next year, since at the time of enabling it 5-6 years ago it was said to be a temporary mitigation.

Kernel thread: https://lkml.org/lkml/2016/1/22/7

Firejail thread: https://github.com/netblue30/firejail/issues/1347

About --no-sandbox: it disables chromium's internal sandbox; you rely entirely on Firejail to sandbox. Comparison between the two:
https://github.com/netblue30/firejail/issues/554

  • Look at chromium googlesource>sandbox>Linux implementation guide.

Firejail offers more granular permissions like directory restrictions, dbus restrictions, apparmor, selinux, shell/lib/bin/program restrictions etc. Bottom line here: I recommend not disabling the internal sandbox of chromium if you are able.

Feel free to correct me/add.

I suggest going with (B) because:

  1. You can set force-nonewprivs yes in /etc/firejail/firejail.config
  1. Reduce profile maintenance since all electron applications will be affected.

Since we need to fix such things upstream anyway, you need to add nonewprivs, caps.drop all, ... after the next firejail update manually.

But do know that while no mainline distro kernels except Debian and RHEL ship with that patch

AFAIK only Debian and Arch Linux have this patch (Arch: linux has it opt-in via sysctl and linux-hardened has it opt-out via sysctl; Debian: always opt-out).

Mainline/Fedora/RHEL: Don't have this patch. However RHEL (but not Fedora) disables userns completely by default via user.max_user_namespaces=0 AFAIK (is there a difference between 7 and 8?).

there are security reasons for enabling it.

The main argument is that some exploits (user to root) require unprivileged userns. On the other hand, you can remove the setuid bit from bwrap, chrome-sandbox and vivaldi-sandbox if you enable unprivileged userns. This prevents other user-to-root exploits which are unrelated to userns but require suid.

A) Nothing

The debug log says ~/.config/firejail/globals.local is read. If this file is empty, you can remove it for performance reasons (less disk I/O on sandbox startup).

Have you set force-nonewprivs yes in /etc/firejail/firejail.config?

Gotcha, I'll go with B) then.

I hadn't set force-nonewprivs yes, doing that now
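The thread settles on (B): flip kernel.unprivileged_userns_clone to 1 and set force-nonewprivs yes in /etc/firejail/firejail.config. A live `sysctl -w` does not survive a reboot, so the check a practitioner wants is whether both settings are actually persisted in the files. The script below is an added example, not code from this thread or from the firejail project. It assumes firejail.config's `key value` syntax with `#` comments (force-nonewprivs ships commented out, so the default is "no") and sysctl.d's `key = value` syntax with `#`/`;` comments, last occurrence wins; the directory and config path are parameters so the lookups can be exercised on constructed files.

```bash
#!/bin/sh
# Added example, not code from this thread or from the firejail project.
# Option (B) as settled on here rests on two persisted settings:
#   kernel.unprivileged_userns_clone = 1   in a file under /etc/sysctl.d/
#   force-nonewprivs yes                   in /etc/firejail/firejail.config
# A live `sysctl -w` is lost at reboot, so this reads the files, not /proc.
# Both formats are "key value" or "key = value" lines with '#' (sysctl also
# ';') comments; the last occurrence wins. Locations are parameters so the
# lookups can be exercised on constructed files.

# conf_lookup KEY DEFAULT FILE...  -> prints the last value seen, or DEFAULT.
conf_lookup() {
    key=$1; val=$2; shift 2
    for file in "$@"; do            # list is expanded once, before the loop
        [ -r "$file" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line%%#*}; line=${line%%;*}          # strip comments
            set -f                                      # no globbing of values
            set -- $(printf '%s' "$line" | tr '=' ' ')  # "a = b" -> "a b"
            set +f
            [ "$#" -ge 2 ] || continue                  # blank or malformed
            if [ "$1" = "$key" ]; then val=$2; fi
        done < "$file"
    done
    echo "$val"
}

# force-nonewprivs ships commented out in firejail.config, i.e. defaults to "no".
force_nonewprivs() {            # $1: path to firejail.config
    conf_lookup force-nonewprivs no "$1"
}

# Within one sysctl.d directory files apply in lexical order, which is the
# order the glob yields, so a 99-*.conf overrides a 10-*.conf.
userns_clone_setting() {        # $1: sysctl.d directory
    conf_lookup kernel.unprivileged_userns_clone unset "$1"/*.conf
}

# Summary verdict for option (B).
option_b_persisted() {          # $1: sysctl.d directory, $2: firejail.config
    u=$(userns_clone_setting "$1")
    f=$(force_nonewprivs "$2")
    if [ "$u" = 1 ] && [ "$f" = yes ]; then echo ok
    elif [ "$u" != 1 ] && [ "$f" != yes ]; then echo both-missing
    elif [ "$u" != 1 ]; then echo userns-clone-not-persisted
    else echo force-nonewprivs-not-set
    fi
}

main() {
    sysctl_dir=${1:-/etc/sysctl.d}
    cfg=${2:-/etc/firejail/firejail.config}
    echo "kernel.unprivileged_userns_clone ($sysctl_dir): $(userns_clone_setting "$sysctl_dir")"
    echo "force-nonewprivs ($cfg): $(force_nonewprivs "$cfg")"
    echo "option B persisted: $(option_b_persisted "$sysctl_dir" "$cfg")"
}
main "$@"
```

The lookup deliberately only covers a single sysctl.d directory; a full answer would also merge /usr/lib/sysctl.d and /run/sysctl.d with the same-filename precedence systemd-sysctl applies, which is outside what this thread discusses.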
