netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Cannot run palemoon in firejail #1364

Closed kadogo closed 6 years ago

kadogo commented 7 years ago

Hello, I use the latest firejail git version on Debian Jessie with the prefix $HOME/.local

I installed palemoon with the repository but I have the following error when I try to run it with firejail.

firejail --private palemoon
Reading profile /home/user/.local/etc/firejail/palemoon.profile
Reading profile /home/user/.local/etc/firejail/disable-common.inc
Reading profile /home/user/.local/etc/firejail/disable-programs.inc
Reading profile /home/user/.local/etc/firejail/disable-devel.inc
Reading profile /home/user/.local/etc/firejail/whitelist-common.inc
Parent pid 21380, child pid 21381
Warning: skipping palemoon for private /opt
execl: No such file or directory
Error: failed to run /home/user/.local/lib/firejail/fcopy
Error: proc 21380 cannot sync with peer: unexpected EOF
Peer 21381 unexpectedly exited with status 1

In my case palemoon is under /usr/lib and /usr/bin

whereis palemoon
palemoon: /usr/bin/palemoon /usr/lib/palemoon

If you need more information, don't hesitate to ask. Cheers

netblue30 commented 7 years ago

Warning: skipping palemoon for private /opt

Probably you have palemoon installed in /opt. private-opt doesn't find the directory under /opt where you installed it.

kadogo commented 7 years ago

I don't have palemoon in /opt

dpkg -L palemoon
/.
/usr
/usr/lib
/usr/lib/palemoon
/usr/lib/palemoon/libsmime3.so
/usr/lib/palemoon/libsoftokn3.chk
/usr/lib/palemoon/run-mozilla.sh
/usr/lib/palemoon/libsoftokn3.so
/usr/lib/palemoon/defaults
/usr/lib/palemoon/defaults/pref
/usr/lib/palemoon/defaults/pref/channel-prefs.js
/usr/lib/palemoon/libnssdbm3.chk
/usr/lib/palemoon/removed-files
/usr/lib/palemoon/plugin-container
/usr/lib/palemoon/libnssckbi.so
/usr/lib/palemoon/browser
/usr/lib/palemoon/browser/blocklist.xml
/usr/lib/palemoon/browser/extensions
/usr/lib/palemoon/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
/usr/lib/palemoon/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/icon.png
/usr/lib/palemoon/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}/install.rdf
/usr/lib/palemoon/browser/icons
/usr/lib/palemoon/browser/icons/mozicon128.png
/usr/lib/palemoon/browser/searchplugins
/usr/lib/palemoon/browser/searchplugins/bing.xml
/usr/lib/palemoon/browser/searchplugins/twitter.xml
/usr/lib/palemoon/browser/searchplugins/duckduckgo-palemoon.xml
/usr/lib/palemoon/browser/searchplugins/ecosia.xml
/usr/lib/palemoon/browser/searchplugins/yahoo.xml
/usr/lib/palemoon/browser/searchplugins/wikipedia.xml
/usr/lib/palemoon/browser/components
/usr/lib/palemoon/browser/components/components.manifest
/usr/lib/palemoon/browser/components/libbrowsercomps.so
/usr/lib/palemoon/browser/chrome
/usr/lib/palemoon/browser/chrome/icons
/usr/lib/palemoon/browser/chrome/icons/default
/usr/lib/palemoon/browser/chrome/icons/default/default16.png
/usr/lib/palemoon/browser/chrome/icons/default/default48.png
/usr/lib/palemoon/browser/chrome/icons/default/default32.png
/usr/lib/palemoon/browser/omni.ja
/usr/lib/palemoon/browser/chrome.manifest
/usr/lib/palemoon/palemoon
/usr/lib/palemoon/libmozjs.so
/usr/lib/palemoon/libfreeblpriv3.chk
/usr/lib/palemoon/libnssdbm3.so
/usr/lib/palemoon/libssl3.so
/usr/lib/palemoon/libicui18n.so.58
/usr/lib/palemoon/libmozsqlite3.so
/usr/lib/palemoon/libmozalloc.so
/usr/lib/palemoon/libplds4.so
/usr/lib/palemoon/dictionaries
/usr/lib/palemoon/dictionaries/en-US.aff
/usr/lib/palemoon/dictionaries/en-US.dic
/usr/lib/palemoon/libfreeblpriv3.so
/usr/lib/palemoon/components
/usr/lib/palemoon/components/components.manifest
/usr/lib/palemoon/components/libmozgnome.so
/usr/lib/palemoon/components/libdbusservice.so
/usr/lib/palemoon/dependentlibs.list
/usr/lib/palemoon/libicuuc.so.58
/usr/lib/palemoon/application.ini
/usr/lib/palemoon/libplc4.so
/usr/lib/palemoon/libnss3.so
/usr/lib/palemoon/libxul.so
/usr/lib/palemoon/libicudata.so.58
/usr/lib/palemoon/libnssutil3.so
/usr/lib/palemoon/omni.ja
/usr/lib/palemoon/platform.ini
/usr/lib/palemoon/libnspr4.so
/usr/lib/palemoon/chrome.manifest
/usr/share
/usr/share/lintian
/usr/share/lintian/overrides
/usr/share/lintian/overrides/palemoon
/usr/share/applications
/usr/share/applications/palemoon.desktop
/usr/share/icons
/usr/share/icons/hicolor
/usr/share/icons/hicolor/16x16
/usr/share/icons/hicolor/16x16/apps
/usr/share/icons/hicolor/32x32
/usr/share/icons/hicolor/32x32/apps
/usr/share/icons/hicolor/128x128
/usr/share/icons/hicolor/128x128/apps
/usr/share/icons/hicolor/48x48
/usr/share/icons/hicolor/48x48/apps
/usr/share/doc
/usr/share/doc/palemoon
/usr/share/doc/palemoon/copyright
/usr/share/doc/palemoon/changelog.Debian.gz
/usr/share/pixmaps
/usr/bin
/usr/share/icons/hicolor/16x16/apps/palemoon.png
/usr/share/icons/hicolor/32x32/apps/palemoon.png
/usr/share/icons/hicolor/128x128/apps/palemoon.png
/usr/share/icons/hicolor/48x48/apps/palemoon.png
/usr/share/pixmaps/palemoon.png
/usr/bin/palemoon

netblue30 commented 7 years ago

What happens if you install firejail under /opt/firejail?

kadogo commented 7 years ago

It looks like it's the same.

/opt/firejail/bin/firejail --private palemoon
Reading profile /opt/firejail/etc/firejail/palemoon.profile
Reading profile /opt/firejail/etc/firejail/disable-common.inc
Reading profile /opt/firejail/etc/firejail/disable-programs.inc
Reading profile /opt/firejail/etc/firejail/disable-devel.inc
Reading profile /opt/firejail/etc/firejail/whitelist-common.inc
Parent pid 28363, child pid 28364
Warning: skipping palemoon for private /opt
execl: No such file or directory
Error: failed to run /opt/firejail/lib/firejail/fcopy
Error: proc 28363 cannot sync with peer: unexpected EOF
Peer 28364 unexpectedly exited with status 1

Do you want me to try the deb package maybe?

netblue30 commented 7 years ago

What package did you install? Also run with --debug (/opt/firejail/bin/firejail --debug --private palemoon) and put the output here.

kadogo commented 7 years ago

I built firejail from git directly with the following commands

./configure --prefix /opt/firejail
make
sudo make install

The debug output

/opt/firejail/bin/firejail --debug --private palemoon
Autoselecting /bin/bash as shell
Building quoted command line: 'palemoon' 
Command name #palemoon#
Found palemoon profile in /opt/firejail/etc/firejail directory
Reading profile /opt/firejail/etc/firejail/palemoon.profile
Reading profile /opt/firejail/etc/firejail/disable-common.inc
Reading profile /opt/firejail/etc/firejail/disable-programs.inc
Reading profile /opt/firejail/etc/firejail/disable-devel.inc
Reading profile /opt/firejail/etc/firejail/whitelist-common.inc
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 32397, child pid 32398
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /opt/firejail/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null) 
sbox file descriptors:
total 0
lrwx------ 1 root root 64 Jul  4 15:03 0 -> /dev/null
lrwx------ 1 root root 64 Jul  4 15:03 1 -> /dev/pts/8
lrwx------ 1 root root 64 Jul  4 15:03 2 -> /dev/pts/8
lr-x------ 1 root root 64 Jul  4 15:03 3 -> /proc/32402/fd
Dropping all capabilities
Username user, no supplementary groups
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/sudo
Mounting tmpfs on /var/cache/apache2
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/user/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Username user, groups 1000, 24, 25, 27, 29, 30, 44, 46, 60, 108, 114, 
Mounting a new /home directory
Mounting a new /root directory
Create a new user directory
Username user, groups 1000, 24, 25, 27, 29, 30, 44, 46, 60, 108, 114, 
Username user, groups 1000, 24, 25, 27, 29, 30, 44, 46, 60, 108, 114, 
Copying files in the new /opt directory:
Warning: file /opt/palemoon not found.
Warning: skipping palemoon for private /opt
Mount-bind /run/firejail/mnt/opt on top of /opt
Copying files in the new bin directory
Checking /usr/local/bin/palemoon
Checking /usr/bin/palemoon
sbox run: /opt/firejail/lib/firejail/fcopy /usr/bin/palemoon /run/firejail/mnt/bin (null) 
sbox file descriptors:
total 0
lrwx------ 1 root root 64 Jul  4 15:03 0 -> /dev/null
lrwx------ 1 root root 64 Jul  4 15:03 1 -> /dev/pts/8
lrwx------ 1 root root 64 Jul  4 15:03 2 -> /dev/pts/8
lr-x------ 1 root root 64 Jul  4 15:03 3 -> /proc/32408/fd
execl: No such file or directory
Error: failed to run /opt/firejail/lib/firejail/fcopy
Error: proc 32397 cannot sync with peer: unexpected EOF
Peer 32398 unexpectedly exited with status 1

netblue30 commented 7 years ago

I just put in git a fix in the palemoon.profile file, commenting out private-bin and private-opt. Do a git pull and compile it again. private-opt was hiding firejail files and disabled some sandbox features. I'll have to check if this problem is not in other applications also.

Are you using the deb package for palemoon?

Do a "ls -l /usr/bin/palemoon".
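
An added example, not part of the thread or of firejail's code: a small Python check that reads `firejail --debug` output and flags any `sbox run:` helper whose path lies under a directory the sandbox has already replaced, which is the situation described above for private-opt. The line patterns are taken from the debug output quoted in this thread; treating "Mounting a new /home directory" the same way is an assumption of this example.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Debug lines that announce a directory being replaced inside the sandbox.
# Patterns are derived from the log quoted in this thread, not from
# firejail's source; the "/home" and "/root" case is this example's assumption.
MOUNT_PATTERNS = [
    re.compile(r"^Mount-bind \S+ on top of (?P<dir>/\S+)$"),
    re.compile(r"^Mounting a new (?P<dir>/\S+) directory$"),
]
SBOX_RUN = re.compile(r"^sbox run: (?P<helper>/\S+)")
FAILED = re.compile(r"^Error: failed to run (?P<helper>/\S+)$")


@dataclass(frozen=True)
class Finding:
    helper: str     # helper binary firejail tried to execute
    hidden_by: str  # directory that was replaced before the helper ran
    line_no: int    # 1-based line of the "sbox run:" entry
    failed: bool    # True if the log also reports "failed to run" for it


def is_under(path: str, directory: str) -> bool:
    """True if `path` is `directory` itself or lies below it."""
    p, d = PurePosixPath(path), PurePosixPath(directory)
    return p == d or d in p.parents


def find_hidden_helpers(debug_log: str) -> list:
    """Flag helpers launched from a directory that was already overmounted."""
    hidden = {}    # replaced directory -> line where it was replaced
    runs = []      # (helper, hidden_by, line_no)
    failed = set()
    for n, raw in enumerate(debug_log.splitlines(), 1):
        line = raw.strip()
        for pattern in MOUNT_PATTERNS:
            m = pattern.match(line)
            if m:
                hidden.setdefault(m["dir"], n)
        m = SBOX_RUN.match(line)
        if m:
            helper = m["helper"]
            for directory in hidden:
                if is_under(helper, directory):
                    runs.append((helper, directory, n))
                    break
        m = FAILED.match(line)
        if m:
            failed.add(m["helper"])
    return [Finding(h, d, n, h in failed) for h, d, n in runs]


# Excerpt of the --debug output posted in this thread (shortened).
SAMPLE_LOG = """\
Mounting tmpfs on /run/firejail/mnt directory
sbox run: /opt/firejail/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null)
Mounting a new /home directory
Mounting a new /root directory
Copying files in the new /opt directory:
Warning: file /opt/palemoon not found.
Warning: skipping palemoon for private /opt
Mount-bind /run/firejail/mnt/opt on top of /opt
Copying files in the new bin directory
sbox run: /opt/firejail/lib/firejail/fcopy /usr/bin/palemoon /run/firejail/mnt/bin (null)
execl: No such file or directory
Error: failed to run /opt/firejail/lib/firejail/fcopy
"""

if __name__ == "__main__":
    for f in find_hidden_helpers(SAMPLE_LOG):
        status = "failed" if f.failed else "ran"
        print(f"line {f.line_no}: {f.helper} is under {f.hidden_by}, "
              f"which was replaced earlier ({status})")
```

The fseccomp helper is not flagged because it runs before /opt is replaced; only the later fcopy call is.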

kadogo commented 7 years ago

It's working with the latest fix but it looks like firejail shuts down after launching palemoon, is that normal?

Reading profile /opt/firejail/etc/firejail/palemoon.profile
Reading profile /opt/firejail/etc/firejail/disable-common.inc
Reading profile /opt/firejail/etc/firejail/disable-programs.inc
Reading profile /opt/firejail/etc/firejail/disable-devel.inc
Reading profile /opt/firejail/etc/firejail/whitelist-common.inc
DISPLAY=:0 parsed as 0
Autoselecting /bin/bash as shell
Building quoted command line: 'palemoon' 
Command name #palemoon#
Found palemoon profile in /opt/firejail/etc/firejail directory
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
total 0
lrwx------ 1 root root 64 Jul  5 10:00 0 -> /dev/null
l-wx------ 1 root root 64 Jul  5 10:00 1 -> /home/user/debug
l-wx------ 1 root root 64 Jul  5 10:00 2 -> /home/user/debug
lr-x------ 1 root root 64 Jul  5 10:00 3 -> /proc/18381/fd
Creating empty /run/firejail/mnt/seccomp.protocol file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /opt/firejail/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null) 
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/sudo
Mounting tmpfs on /var/cache/apache2
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/user/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Username user, groups 1000, 24, 25, 27, 29, 30, 44, 46, 60, 108, 114, 
Creating empty /run/firejail/mnt/seccomp.protocol file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /opt/firejail/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null) 
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/sudo
Mounting tmpfs on /var/cache/apache2
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/user/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Mounting a new /home directory
Mounting a new /root directory
Create a new user directory
Username user, groups 1000, 24, 25, 27, 29, 30, 44, 46, 60, 108, 114, 
Creating empty /run/firejail/mnt/seccomp.protocol file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /opt/firejail/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null) 
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/sudo
Mounting tmpfs on /var/cache/apache2
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/user/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Mounting a new /home directory
Mounting a new /root directory
Create a new user directory
Username user, groups 1000, 24, 25, 27, 29, 30, 44, 46, 60, 108, 114, 
Debug 372: new_name #/home/user/.XCompose#, whitelist
Creating empty /run/firejail/mnt/seccomp.protocol file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /opt/firejail/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null) 
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/sudo
Mounting tmpfs on /var/cache/apache2
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/user/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Mounting a new /home directory
Mounting a new /root directory
Create a new user directory
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/timer_stats
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Removed whitelist/nowhitelist path: whitelist ~/.XCompose
    expanded: /home/user/.XCompose
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.config/mimeapps.list#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.config/mimeapps.list
    expanded: /home/user/.config/mimeapps.list
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.icons
    expanded: /home/user/.icons
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.local/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.local/share/icons
    expanded: /home/user/.local/share/icons
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.config/user-dirs.dirs#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.config/user-dirs.dirs
    expanded: /home/user/.config/user-dirs.dirs
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.asoundrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.asoundrc
    expanded: /home/user/.asoundrc
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.config/Trolltech.conf#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.config/Trolltech.conf
    expanded: /home/user/.config/Trolltech.conf
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.fonts#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.fonts
    expanded: /home/user/.fonts
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.fonts.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.fonts.d
    expanded: /home/user/.fonts.d
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.fontconfig
    expanded: /home/user/.fontconfig
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.fonts.conf#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.fonts.conf
    expanded: /home/user/.fonts.conf
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.fonts.conf.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.fonts.conf.d
    expanded: /home/user/.fonts.conf.d
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.local/share/fonts#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.local/share/fonts
    expanded: /home/user/.local/share/fonts
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.config/fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.config/fontconfig
    expanded: /home/user/.config/fontconfig
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.cache/fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.cache/fontconfig
    expanded: /home/user/.cache/fontconfig
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.gtkrc
    expanded: /home/user/.gtkrc
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.gtkrc-2.0
    expanded: /home/user/.gtkrc-2.0
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.config/gtk-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.config/gtk-2.0
    expanded: /home/user/.config/gtk-2.0
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.config/gtk-3.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.config/gtk-3.0
    expanded: /home/user/.config/gtk-3.0
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.themes
    expanded: /home/user/.themes
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.kde/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.kde/share/config/gtkrc
    expanded: /home/user/.kde/share/config/gtkrc
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.kde/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.kde/share/config/gtkrc-2.0
    expanded: /home/user/.kde/share/config/gtkrc-2.0
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.gnome2#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.gnome2
    expanded: /home/user/.gnome2
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.gnome2-private#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.gnome2-private
    expanded: /home/user/.gnome2-private
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.config/dconf#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.config/dconf
    expanded: /home/user/.config/dconf
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.config/kdeglobals
    expanded: /home/user/.config/kdeglobals
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.kde/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.kde/share/config/oxygenrc
    expanded: /home/user/.kde/share/config/oxygenrc
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.kde/share/config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.kde/share/config/kdeglobals
    expanded: /home/user/.kde/share/config/kdeglobals
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.kde/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.kde/share/icons
    expanded: /home/user/.kde/share/icons
    real path: (null)
    realpath: No such file or directory
***
*** Warning: cannot whitelist Downloads directory
***     Any file saved will be lost when the sandbox is closed.
***     Please create a proper Downloads directory for your application.
***
Debug 372: new_name #/home/user/.moonchild productions#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.moonchild productions
    expanded: /home/user/.moonchild productions
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/home/user/.cache/moonchild productions/pale moon#, whitelist
Removed whitelist/nowhitelist path: whitelist ~/.cache/moonchild productions/pale moon
    expanded: /home/user/.cache/moonchild productions/pale moon
    real path: (null)
    realpath: No such file or directory
Debug 372: new_name #/tmp/.X11-unix#, whitelist
Debug 372: new_name #/tmp/pulse-PKdhtXMmr18n#, whitelist
Mounting tmpfs on /tmp directory
Whitelisting /tmp/.X11-unix
Whitelisting /tmp/pulse-PKdhtXMmr18n
Not blacklist /home/user/.history
Not blacklist /home/user/.*_history
Not blacklist /home/user/.bash_history
Not blacklist /home/user/.local/share/fish/fish_history
Not blacklist /home/user/.adobe
Not blacklist /home/user/.macromedia
Not blacklist /home/user/.xinitrc
Not blacklist /home/user/.xserverrc
Disable /etc/X11/Xsession.d
Not blacklist /home/user/.Xsession
Not blacklist /home/user/.xsession
Not blacklist /home/user/.xsessionrc
Not blacklist /home/user/.xprofile
Not blacklist /home/user/.gnomerc
Disable /etc/xdg/autostart
Not blacklist /home/user/.config/autostart
Not blacklist /home/user/.local/share/autostart
Not blacklist /home/user/.kde4/share/config/startupconfig
Not blacklist /home/user/.kde4/env
Not blacklist /home/user/.kde4/Autostart
Not blacklist /home/user/.kde4/share/autostart
Not blacklist /home/user/.kde4/shutdown
Not blacklist /home/user/.kde/share/config/startupconfig
Not blacklist /home/user/.kde/env
Not blacklist /home/user/.kde/Autostart
Not blacklist /home/user/.kde/share/autostart
Not blacklist /home/user/.kde/shutdown
Not blacklist /home/user/.config/startupconfig
Not blacklist /home/user/.config/autostart-scripts
Not blacklist /home/user/.config/plasma-workspace/env
Not blacklist /home/user/.config/plasma-workspace/shutdown
Not blacklist /home/user/.config/lxsession/LXDE/autostart
Not blacklist /home/user/.config/openbox/autostart
Not blacklist /home/user/.config/openbox/environment
Not blacklist /home/user/.fluxbox/startup
Not blacklist /home/user/.kde4/share/apps/konsole
Not blacklist /home/user/.kde4/share/apps/kwin
Not blacklist /home/user/.kde4/share/apps/plasma
Not blacklist /home/user/.kde4/share/apps/solid
Not blacklist /home/user/.kde4/share/config/*.notifyrc
Not blacklist /home/user/.kde4/share/config/kdeglobals
Not blacklist /home/user/.kde4/share/config/khotkeysrc
Not blacklist /home/user/.kde4/share/config/krunnerrc
Not blacklist /home/user/.kde4/share/config/plasma-desktop-appletsrc
Not blacklist /home/user/.kde4/share/kde4/services
Not blacklist /home/user/.kde/share/apps/konsole
Not blacklist /home/user/.kde/share/apps/kwin
Not blacklist /home/user/.kde/share/apps/plasma
Not blacklist /home/user/.kde/share/apps/solid
Not blacklist /home/user/.kde/share/config/*.notifyrc
Not blacklist /home/user/.kde/share/config/kdeglobals
Not blacklist /home/user/.kde/share/config/khotkeysrc
Not blacklist /home/user/.kde/share/config/krunnerrc
Not blacklist /home/user/.kde/share/config/plasma-desktop-appletsrc
Not blacklist /home/user/.kde/share/kde4/services
Not blacklist /home/user/.config/*.notifyrc
Not blacklist /home/user/.config/kdeglobals
Not blacklist /home/user/.config/khotkeysrc
Not blacklist /home/user/.config/krunnerrc
Not blacklist /home/user/.config/plasma-org.kde.plasma.desktop-appletsrc
Not blacklist /home/user/.local/share/kglobalaccel
Not blacklist /home/user/.local/share/konsole
Not blacklist /home/user/.local/share/kservices5
Not blacklist /home/user/.local/share/kwin
Not blacklist /home/user/.local/share/plasma
Not blacklist /home/user/.local/share/solid
Not blacklist /home/user/.local/share/systemd
Not blacklist /home/user/.config/systemd
Not blacklist /home/user/.VirtualBox
Not blacklist /home/user/VirtualBox VMs
Not blacklist /home/user/.config/VirtualBox
Not blacklist /home/user/.local/bin/veracrypt
Not blacklist /home/user/.local/bin/veracrypt-uninstall.sh
Not blacklist /home/user/.VeraCrypt
Not blacklist /home/user/.local/bin/truecrypt
Not blacklist /home/user/.local/bin/truecrypt-uninstall.sh
Not blacklist /home/user/.TrueCrypt
Not blacklist /home/user/.zuluCrypt
Not blacklist /home/user/.zuluCrypt-socket
Not blacklist /home/user/.local/bin/zuluCrypt-cli
Not blacklist /home/user/.local/bin/zuluMount-cli
Disable /var/spool/cron
Disable /var/spool/anacron
Disable /var/mail
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /run/minissdpd.sock (requested /var/run/minissdpd.sock)
Disable /run/rpcbind.sock (requested /var/run/rpcbind.sock)
Disable /etc/cron.d
Disable /etc/cron.hourly
Disable /etc/cron.monthly
Disable /etc/crontab
Disable /etc/cron.weekly
Disable /etc/cron.daily
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/anacrontab
Not blacklist /home/user/.antigen
Not blacklist /home/user/.bash_login
Not blacklist /home/user/.bashrc
Not blacklist /home/user/.bash_aliases
Not blacklist /home/user/.bash_profile
Not blacklist /home/user/.bash_logout
Not blacklist /home/user/.zsh.d
Not blacklist /home/user/.zshenv
Not blacklist /home/user/.zshrc
Not blacklist /home/user/.zshrc.local
Not blacklist /home/user/.zlogin
Not blacklist /home/user/.zprofile
Not blacklist /home/user/.zlogout
Not blacklist /home/user/.zsh_files
Not blacklist /home/user/.tcshrc
Not blacklist /home/user/.cshrc
Not blacklist /home/user/.csh_files
Not blacklist /home/user/.config/fish
Not blacklist /home/user/.local/share/fish
Not blacklist /home/user/.profile
Not blacklist /home/user/.forward
Not blacklist /home/user/.login
Not blacklist /home/user/.logout
Not blacklist /home/user/.pgpkey
Not blacklist /home/user/.plan
Not blacklist /home/user/.project
Not blacklist /home/user/.pam_environment
Not blacklist /home/user/.caffrc
Not blacklist /home/user/.dotfiles
Not blacklist /home/user/dotfiles
Not blacklist /home/user/.mailcap
Not blacklist /home/user/.muttrc
Not blacklist /home/user/.mutt/muttrc
Not blacklist /home/user/.msmtprc
Not blacklist /home/user/.exrc
Not blacklist /home/user/_exrc
Not blacklist /home/user/.vimrc
Not blacklist /home/user/_vimrc
Not blacklist /home/user/.gvimrc
Not blacklist /home/user/_gvimrc
Not blacklist /home/user/.vim
Not blacklist /home/user/.emacs
Not blacklist /home/user/.emacs.d
Not blacklist /home/user/.nano
Not blacklist /home/user/.tmux.conf
Not blacklist /home/user/.iscreenrc
Not blacklist /home/user/.reportbugrc
Not blacklist /home/user/.xmonad
Not blacklist /home/user/.xscreensaver
Not blacklist /home/user/bin
Not blacklist /home/user/.gem
Not blacklist /home/user/.luarocks
Not blacklist /home/user/.npm-packages
Not blacklist /home/user/.local/share/Trash
Not blacklist /home/user/.local/share/applications
Not blacklist /home/user/.ecryptfs
Not blacklist /home/user/.Private
Not blacklist /home/user/.ssh
Not blacklist /home/user/.cert
Not blacklist /home/user/.gnome2/keyrings
Not blacklist /home/user/.local/share/keyrings
Not blacklist /home/user/.kde4/share/apps/kwallet
Not blacklist /home/user/.kde/share/apps/kwallet
Not blacklist /home/user/.local/share/kwalletd
Not blacklist /home/user/.config/keybase
Not blacklist /home/user/.netrc
Not blacklist /home/user/.gnupg
Not blacklist /home/user/.caff
Not blacklist /home/user/.smbcredentials
Not blacklist /home/user/*.kdbx
Not blacklist /home/user/*.kdb
Not blacklist /home/user/*.key
Not blacklist /home/user/.muttrc
Not blacklist /home/user/.mutt/muttrc
Not blacklist /home/user/.msmtprc
Not blacklist /home/user/.pki
Disable /etc/shadow
Disable /etc/gshadow
Disable /etc/passwd-
Disable /etc/group-
Disable /etc/shadow-
Disable /etc/gshadow-
Disable /etc/ssh
Disable /sbin
Disable /usr/sbin
Disable /usr/local/sbin
Not blacklist /home/user/.local/bin/umount
Disable /bin/umount
Not blacklist /home/user/.local/bin/mount
Disable /bin/mount
Not blacklist /home/user/.local/bin/fusermount
Disable /bin/fusermount
Not blacklist /home/user/.local/bin/ntfs-3g
Disable /bin/ntfs-3g
Not blacklist /home/user/.local/bin/at
Disable /usr/bin/at
Not blacklist /home/user/.local/bin/su
Disable /bin/su
Not blacklist /home/user/.local/bin/sudo
Disable /usr/bin/sudo
Not blacklist /home/user/.local/bin/xinput
Not blacklist /home/user/.local/bin/evtest
Not blacklist /home/user/.local/bin/xev
Disable /usr/bin/xev
Not blacklist /home/user/.local/bin/strace
Not blacklist /home/user/.local/bin/nc
Disable /bin/nc.traditional (requested /bin/nc)
Not blacklist /home/user/.local/bin/ncat
Disable /usr/bin/ncat
Not blacklist /home/user/.local/bin/gpasswd
Disable /usr/bin/gpasswd
Not blacklist /home/user/.local/bin/newgidmap
Not blacklist /home/user/.local/bin/newgrp
Disable /usr/bin/newgrp
Not blacklist /home/user/.local/bin/newuidmap
Not blacklist /home/user/.local/bin/pkexec
Disable /usr/bin/pkexec
Not blacklist /home/user/.local/bin/sg
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Not blacklist /home/user/.local/bin/crontab
Disable /usr/bin/crontab
Not blacklist /home/user/.local/bin/ksu
Not blacklist /home/user/.local/bin/chsh
Disable /usr/bin/chsh
Not blacklist /home/user/.local/bin/chfn
Disable /usr/bin/chfn
Not blacklist /home/user/.local/bin/chage
Disable /usr/bin/chage
Not blacklist /home/user/.local/bin/expiry
Disable /usr/bin/expiry
Not blacklist /home/user/.local/bin/unix_chkpwd
Not blacklist /home/user/.local/bin/procmail
Disable /usr/bin/procmail
Not blacklist /home/user/.local/bin/mount.ecryptfs_private
Disable /usr/lib/virtualbox
Not blacklist /home/user/.local/bin/gnome-terminal
Not blacklist /home/user/.local/bin/gnome-terminal.wrapper
Not blacklist /home/user/.local/bin/xfce4-terminal
Not blacklist /home/user/.local/bin/xfce4-terminal.wrapper
Not blacklist /home/user/.local/bin/mate-terminal
Disable /usr/bin/mate-terminal
Not blacklist /home/user/.local/bin/mate-terminal.wrapper
Disable /usr/bin/mate-terminal.wrapper
Not blacklist /home/user/.local/bin/lilyterm
Not blacklist /home/user/.local/bin/pantheon-terminal
Not blacklist /home/user/.local/bin/roxterm
Not blacklist /home/user/.local/bin/roxterm-config
Not blacklist /home/user/.local/bin/terminix
Not blacklist /home/user/.local/bin/tilix
Not blacklist /home/user/.local/bin/urxvtc
Not blacklist /home/user/.local/bin/urxvtcd
Not blacklist /home/user/.config/pulse
Mounting noexec /tmp/.X11-unix
Not blacklist /home/user/.*coin
Not blacklist /home/user/.8pecxstudios
Not blacklist /home/user/.Atom
Not blacklist /home/user/.FBReader
Not blacklist /home/user/.LuminanceHDR
Not blacklist /home/user/.Mathematica
Not blacklist /home/user/.Natron
Not blacklist /home/user/.Skype
Not blacklist /home/user/.Steam
Not blacklist /home/user/.Steampath
Not blacklist /home/user/.Steampid
Not blacklist /home/user/.TelegramDesktop
Not blacklist /home/user/.VirtualBox
Not blacklist /home/user/.Wolfram Research
Not blacklist /home/user/.arduino15
Not blacklist /home/user/.atom
Not blacklist /home/user/.attic
Not blacklist /home/user/.audacity-data
Not blacklist /home/user/.bcast5
Not blacklist /home/user/.bibletime
Not blacklist /home/user/.claws-mail
Not blacklist /home/user/.config/0ad
Not blacklist /home/user/.config/2048-qt
Not blacklist /home/user/.config/akregatorrc
Not blacklist /home/user/.config/Atom
Not blacklist /home/user/.config/Audaciousrc
Not blacklist /home/user/.config/Brackets
Not blacklist /home/user/.config/Cryptocat
Not blacklist /home/user/.config/Franz
Not blacklist /home/user/.config/Gitter
Not blacklist /home/user/.config/Google
Not blacklist /home/user/.config/Gpredict
Not blacklist /home/user/.config/INRIA
Not blacklist /home/user/.config/InSilmaril
Not blacklist /home/user/.config/Luminance
Not blacklist /home/user/.config/Meltytech
Not blacklist /home/user/.config/Mousepad
Not blacklist /home/user/.config/Mumble
Not blacklist /home/user/.config/Nylas Mail
Not blacklist /home/user/.config/Qlipper
Not blacklist /home/user/.config/QuiteRss
Not blacklist /home/user/.config/QuiteRssrc
Not blacklist /home/user/.config/Slack
Not blacklist /home/user/.config/Thunar
Not blacklist /home/user/.config/VirtualBox
Not blacklist /home/user/.config/Wire
Not blacklist /home/user/.config/ardour4
Not blacklist /home/user/.config/ardour5
Not blacklist /home/user/.config/arkrc
Not blacklist /home/user/.config/atril
Not blacklist /home/user/.config/audacious
Not blacklist /home/user/.config/aweather
Not blacklist /home/user/.config/baloofilerc
Not blacklist /home/user/.config/baloorc
Not blacklist /home/user/.config/blender
Not blacklist /home/user/.config/bless
Not blacklist /home/user/.config/borg
Not blacklist /home/user/.config/brasero
Not blacklist /home/user/.config/brave
Not blacklist /home/user/.config/caja
Not blacklist /home/user/.config/calibre
Not blacklist /home/user/.config/catfish
Not blacklist /home/user/.config/cherrytree
Not blacklist /home/user/.config/chromium
Not blacklist /home/user/.config/chromium-dev
Not blacklist /home/user/.config/chromium-flags.conf
Not blacklist /home/user/.config/clipit
Not blacklist /home/user/.config/cmus
Not blacklist /home/user/.config/darktable
Not blacklist /home/user/.config/deadbeef
Not blacklist /home/user/.config/deluge
Not blacklist /home/user/.config/digikam
Not blacklist /home/user/.config/dolphinrc
Not blacklist /home/user/.config/dragonplayerrc
Not blacklist /home/user/.config/enchant
Not blacklist /home/user/.config/eog
Not blacklist /home/user/.config/epiphany
Not blacklist /home/user/.config/evince
Not blacklist /home/user/.config/evolution
Not blacklist /home/user/.config/filezilla
Not blacklist /home/user/.config/flowblade
Not blacklist /home/user/.config/gajim
Not blacklist /home/user/.config/galculator
Not blacklist /home/user/.config/geany
Not blacklist /home/user/.config/geeqie
Not blacklist /home/user/.config/gedit
Not blacklist /home/user/.config/ghb
Not blacklist /home/user/.config/globaltime
Not blacklist /home/user/.config/google-chrome
Not blacklist /home/user/.config/google-chrome-beta
Not blacklist /home/user/.config/google-chrome-unstable
Not blacklist /home/user/.config/gpicview
Not blacklist /home/user/.config/gthumb
Not blacklist /home/user/.config/gwenviewrc
Not blacklist /home/user/.config/hexchat
Not blacklist /home/user/.config/inox
Not blacklist /home/user/.config/jd-gui.cfg
Not blacklist /home/user/.config/k3brc
Not blacklist /home/user/.config/katepartrc
Not blacklist /home/user/.config/katerc
Not blacklist /home/user/.config/kateschemarc
Not blacklist /home/user/.config/katesyntaxhighlightingrc
Not blacklist /home/user/.config/katevirc
Not blacklist /home/user/.config/kdeconnect
Not blacklist /home/user/.config/knotesrc
Not blacklist /home/user/.config/ktorrentrc
Not blacklist /home/user/.config/leafpad
Not blacklist /home/user/.config/libreoffice
Not blacklist /home/user/.config/lximage-qt
Not blacklist /home/user/.config/mate/eom
Not blacklist /home/user/.config/mate/mate-dictionary
Not blacklist /home/user/.config/mate-calc
Not blacklist /home/user/.config/midori
Not blacklist /home/user/.config/mpv
Not blacklist /home/user/.config/mupen64plus
Not blacklist /home/user/.config/nautilus
Not blacklist /home/user/.config/nemo
Not blacklist /home/user/.config/netsurf
Not blacklist /home/user/.config/okularpartrc
Not blacklist /home/user/.config/okularrc
Not blacklist /home/user/.config/opera
Not blacklist /home/user/.config/opera-beta
Not blacklist /home/user/.config/orage
Not blacklist /home/user/.config/org.kde.gwenviewrc
Not blacklist /home/user/.config/pcmanfm
Not blacklist /home/user/.config/pix
Not blacklist /home/user/.config/pluma
Not blacklist /home/user/.config/psi+
Not blacklist /home/user/.config/ristretto
Not blacklist /home/user/.config/qBittorrent
Not blacklist /home/user/.config/qpdfview
Not blacklist /home/user/.config/qt5ct
Not blacklist /home/user/.config/qupzilla
Not blacklist /home/user/.config/qutebrowser
Not blacklist /home/user/.config/ranger
Not blacklist /home/user/.config/redshift.conf
Not blacklist /home/user/.config/scribus
Not blacklist /home/user/.config/skypeforlinux
Not blacklist /home/user/.config/slimjet
Not blacklist /home/user/.config/smplayer
Not blacklist /home/user/.config/spotify
Not blacklist /home/user/.config/stellarium
Not blacklist /home/user/.config/synfig
Not blacklist /home/user/.config/telepathy-account-widgets
Not blacklist /home/user/.config/torbrowser
Not blacklist /home/user/.config/totem
Not blacklist /home/user/.config/tox
Not blacklist /home/user/.config/transmission
Not blacklist /home/user/.config/uGet
Not blacklist /home/user/.config/viewnior
Not blacklist /home/user/.config/vivaldi
Not blacklist /home/user/.config/vlc
Not blacklist /home/user/.config/wesnoth
Not blacklist /home/user/.config/wire
Not blacklist /home/user/.config/wireshark
Not blacklist /home/user/.config/xchat
Not blacklist /home/user/.config/xed
Not blacklist /home/user/.config/xfburn
Not blacklist /home/user/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
Not blacklist /home/user/.config/xfce4/xfce4-notes.rc
Not blacklist /home/user/.config/xfce4/xfce4-notes.gtkrc
Not blacklist /home/user/.config/xfce4-dict
Not blacklist /home/user/.config/xiaoyong
Not blacklist /home/user/.config/xmms2
Not blacklist /home/user/.config/xplayer
Not blacklist /home/user/.config/xreader
Not blacklist /home/user/.config/xviewer
Not blacklist /home/user/.config/zathura
Not blacklist /home/user/.config/zoomus.conf
Not blacklist /home/user/.conkeror.mozdev.org
Not blacklist /home/user/.curlrc
Not blacklist /home/user/.dia
Not blacklist /home/user/.dillo
Not blacklist /home/user/.dosbox
Not blacklist /home/user/.dropbox-dist
Not blacklist /home/user/.electrum*
Not blacklist /home/user/.elinks
Not blacklist /home/user/.emacs
Not blacklist /home/user/.emacs.d
Not blacklist /home/user/.filezilla
Not blacklist /home/user/.flowblade
Not blacklist /home/user/.fltk
Not blacklist /home/user/.FontForge
Not blacklist /home/user/.gimp*
Not blacklist /home/user/.git-credential-cache
Not blacklist /home/user/.gitconfig
Not blacklist /home/user/.googleearth/Cache
Not blacklist /home/user/.googleearth/Temp
Not blacklist /home/user/.googleearth/myplaces.backup.kml
Not blacklist /home/user/.googleearth/myplaces.kml
Not blacklist /home/user/.guayadeque
Not blacklist /home/user/.hedgewars
Not blacklist /home/user/.hugin
Not blacklist /home/user/.icedove
Not blacklist /home/user/.inkscape
Not blacklist /home/user/.jitsi
Not blacklist /home/user/.kde4/share/apps/gwenview
Not blacklist /home/user/.kde4/share/apps/kcookiejar
Not blacklist /home/user/.kde4/share/apps/khtml
Not blacklist /home/user/.kde4/share/apps/konqsidebartng
Not blacklist /home/user/.kde4/share/apps/konqueror
Not blacklist /home/user/.kde4/share/apps/okular
Not blacklist /home/user/.kde4/share/config/baloofilerc
Not blacklist /home/user/.kde4/share/config/baloorc
Not blacklist /home/user/.kde4/share/config/gwenviewrc
Not blacklist /home/user/.kde4/share/config/digikam
Not blacklist /home/user/.kde4/share/config/k3brc
Not blacklist /home/user/.kde4/share/config/kcookiejarrc
Not blacklist /home/user/.kde4/share/config/khtmlrc
Not blacklist /home/user/.kde4/share/config/konq_history
Not blacklist /home/user/.kde4/share/config/konqsidebartngrc
Not blacklist /home/user/.kde4/share/config/konquerorrc
Not blacklist /home/user/.kde4/share/config/okularpartrc
Not blacklist /home/user/.kde4/share/config/okularrc
Not blacklist /home/user/.kde4/share/config/ktorrentrc
Not blacklist /home/user/.kde/share/apps/gwenview
Not blacklist /home/user/.kde/share/apps/kcookiejar
Not blacklist /home/user/.kde/share/apps/khtml
Not blacklist /home/user/.kde/share/apps/konqsidebartng
Not blacklist /home/user/.kde/share/apps/konqueror
Not blacklist /home/user/.kde/share/apps/okular
Not blacklist /home/user/.kde/share/config/baloofilerc
Not blacklist /home/user/.kde/share/config/baloorc
Not blacklist /home/user/.kde/share/config/digikam
Not blacklist /home/user/.kde/share/config/gwenviewrc
Not blacklist /home/user/.kde/share/config/k3brc
Not blacklist /home/user/.kde/share/config/kcookiejarrc
Not blacklist /home/user/.kde/share/config/khtmlrc
Not blacklist /home/user/.kde/share/config/konq_history
Not blacklist /home/user/.kde/share/config/konqsidebartngrc
Not blacklist /home/user/.kde/share/config/konquerorrc
Not blacklist /home/user/.kde/share/config/okularpartrc
Not blacklist /home/user/.kde/share/config/okularrc
Not blacklist /home/user/.kde/share/config/ktorrentrc
Not blacklist /home/user/.killingfloor
Not blacklist /home/user/.kino-history
Not blacklist /home/user/.kinorc
Not blacklist /home/user/.kodi
Not blacklist /home/user/.linphone-history.db
Not blacklist /home/user/.linphonerc
Not blacklist /home/user/.lmmsrc.xml
Not blacklist /home/user/.local/.share/maps-places.json
Not blacklist /home/user/.local/lib/python2.7/site-packages
Not blacklist /home/user/.local/share/0ad
Not blacklist /home/user/.local/share/3909/PapersPlease
Not blacklist /home/user/.local/share/akregator
Not blacklist /home/user/.local/share/Empathy
Not blacklist /home/user/.local/share/Mumble
Not blacklist /home/user/.local/share/QuiteRss
Not blacklist /home/user/.local/share/Ricochet
Not blacklist /home/user/.local/share/Steam
Not blacklist /home/user/.local/share/SuperHexagon
Not blacklist /home/user/.local/share/Terraria
Not blacklist /home/user/.local/share/TpLogger
Not blacklist /home/user/.local/share/aspyr-media
Not blacklist /home/user/.local/share/baloo
Not blacklist /home/user/.local/share/caja-python
Not blacklist /home/user/.local/share/cdprojektred
Not blacklist /home/user/.local/share/clipit
Not blacklist /home/user/.local/share/data/Mumble
Not blacklist /home/user/.local/share/dino
Not blacklist /home/user/.local/share/dolphin
Not blacklist /home/user/.local/share/epiphany
Not blacklist /home/user/.local/share/evolution
Not blacklist /home/user/.local/share/feral-interactive
Not blacklist /home/user/.local/share/gajim
Not blacklist /home/user/.local/share/geary
Not blacklist /home/user/.local/share/geeqie
Not blacklist /home/user/.local/share/gnome-2048
Not blacklist /home/user/.local/share/gnome-chess
Not blacklist /home/user/.local/share/gnome-music
Not blacklist /home/user/.local/share/gnome-photos
Not blacklist /home/user/.local/share/kate
Not blacklist /home/user/.local/share/kwrite
Not blacklist /home/user/.local/share/ktorrentrc
Not blacklist /home/user/.local/share/lollypop
Not blacklist /home/user/.local/share/meld
Not blacklist /home/user/.local/share/multimc5
Not blacklist /home/user/.local/share/mupen64plus
Not blacklist /home/user/.local/share/nautilus
Not blacklist /home/user/.local/share/nautilus-python
Not blacklist /home/user/.local/share/nemo
Not blacklist /home/user/.local/share/nemo-python
Not blacklist /home/user/.local/share/okular
Not blacklist /home/user/.local/share/orage
Not blacklist /home/user/.local/share/org.kde.gwenview
Not blacklist /home/user/.local/share/pix
Not blacklist /home/user/.local/share/psi+
Not blacklist /home/user/.local/share/qpdfview
Not blacklist /home/user/.local/share/scribus
Not blacklist /home/user/.local/share/spotify
Not blacklist /home/user/.local/share/steam
Not blacklist /home/user/.local/share/telepathy
Not blacklist /home/user/.local/share/torbrowser
Not blacklist /home/user/.local/share/totem
Not blacklist /home/user/.local/share/vpltd
Not blacklist /home/user/.local/share/vulkan
Not blacklist /home/user/.local/share/wesnoth
Not blacklist /home/user/.local/share/xplayer
Not blacklist /home/user/.local/share/notes
Not blacklist /home/user/.local/share/xreader
Not blacklist /home/user/.local/share/zathura
Not blacklist /home/user/.lv2
Not blacklist /home/user/.mcabber
Not blacklist /home/user/.mcabberrc
Not blacklist /home/user/.mediathek3
Not blacklist /home/user/.mozilla
Not blacklist /home/user/.mpdconf
Not blacklist /home/user/.mplayer
Not blacklist /home/user/.msmtprc
Not blacklist /home/user/.multimc5
Not blacklist /home/user/.mutt
Not blacklist /home/user/.mutt/muttrc
Not blacklist /home/user/.muttrc
Not blacklist /home/user/.nv
Not blacklist /home/user/.nylas-mail
Not blacklist /home/user/.openshot
Not blacklist /home/user/.openshot_qt
Not blacklist /home/user/.opera
Not blacklist /home/user/.opera-beta
Not blacklist /home/user/.purple
Not blacklist /home/user/.qemu-launcher
Not blacklist /home/user/.remmina
Not blacklist /home/user/.retroshare
Not blacklist /home/user/.scribus
Not blacklist /home/user/.scribusrc
Not blacklist /home/user/.steam
Not blacklist /home/user/.steampath
Not blacklist /home/user/.steampid
Not blacklist /home/user/.stellarium
Not blacklist /home/user/.subversion
Not blacklist /home/user/.sword
Not blacklist /home/user/.sylpheed-2.0
Not blacklist /home/user/.synfig
Not blacklist /home/user/.tconn
Not blacklist /home/user/.thunderbird
Not blacklist /home/user/.ts3client
Not blacklist /home/user/.viking
Not blacklist /home/user/.viking-maps
Not blacklist /home/user/.vst
Not blacklist /home/user/.w3m
Not blacklist /home/user/.warzone2100-3.*
Not blacklist /home/user/.weechat
Not blacklist /home/user/.wgetrc
Not blacklist /home/user/.wine
Not blacklist /home/user/.wine64
Not blacklist /home/user/.xiphos
Not blacklist /home/user/.xmms
Not blacklist /home/user/.xonotic
Not blacklist /home/user/.xpdfrc
Not blacklist /home/user/.zoom
Not blacklist /home/user/wallet.dat
Not blacklist /home/user/.cache/0ad
Not blacklist /home/user/.cache/8pecxstudios
Not blacklist /home/user/.cache/Franz
Not blacklist /home/user/.cache/INRIA
Not blacklist /home/user/.cache/QuiteRss
Not blacklist /home/user/.cache/attic
Not blacklist /home/user/.cache/borg
Not blacklist /home/user/.cache/calibre
Not blacklist /home/user/.cache/champlain
Not blacklist /home/user/.cache/chromium
Not blacklist /home/user/.cache/qupzilla
Not blacklist /home/user/.cache/chromium-dev
Not blacklist /home/user/.cache/darktable
Not blacklist /home/user/.cache/epiphany
Not blacklist /home/user/.cache/evolution
Not blacklist /home/user/.cache/gajim
Not blacklist /home/user/.cache/geeqie
Not blacklist /home/user/.cache/google-chrome
Not blacklist /home/user/.cache/google-chrome-beta
Not blacklist /home/user/.cache/google-chrome-unstable
Not blacklist /home/user/.cache/icedove
Not blacklist /home/user/.cache/inox
Not blacklist /home/user/.cache/libgweather
Not blacklist /home/user/.cache/midori
Not blacklist /home/user/.cache/mozilla
Not blacklist /home/user/.cache/mutt
Not blacklist /home/user/.cache/netsurf
Not blacklist /home/user/.cache/opera
Not blacklist /home/user/.cache/opera-beta
Not blacklist /home/user/.cache/org.gnome.Books
Not blacklist /home/user/.cache/qBittorrent
Not blacklist /home/user/.cache/qutebrowser
Not blacklist /home/user/.cache/simple-scan
Not blacklist /home/user/.cache/slimjet
Not blacklist /home/user/.cache/spotify
Not blacklist /home/user/.cache/telepathy
Not blacklist /home/user/.cache/thunderbird
Not blacklist /home/user/.cache/torbrowser
Not blacklist /home/user/.cache/transmission
Not blacklist /home/user/.cache/vivaldi
Not blacklist /home/user/.cache/wesnoth
Not blacklist /home/user/.cache/xreader
Not blacklist /home/user/.cache/xmms2
Disable /usr/include
Disable /usr/bin/gcc-4.9 (requested /usr/bin/gcc)
Disable /usr/bin/gcc-nm-4.9
Disable /usr/bin/gcc-ar-4.8
Disable /usr/bin/gcc-4.9
Disable /usr/bin/gcc-nm-4.8
Disable /usr/bin/gcc-4.8
Disable /usr/bin/gcc-ranlib-4.9
Disable /usr/bin/gcc-nm-4.9 (requested /usr/bin/gcc-nm)
Disable /usr/bin/gcc-ranlib-4.9 (requested /usr/bin/gcc-ranlib)
Disable /usr/bin/gcc-ranlib-4.8
Disable /usr/bin/gcc-ar-4.9
Disable /usr/bin/gcc-ar-4.9 (requested /usr/bin/gcc-ar)
Disable /usr/bin/cpp-4.8
Disable /usr/bin/cpp-4.9
Disable /usr/bin/cpp-4.9 (requested /usr/bin/cpp)
Disable /usr/bin/c99-gcc
Disable /usr/bin/c99-gcc (requested /usr/bin/c99)
Disable /usr/bin/c89-gcc (requested /usr/bin/c89)
Disable /usr/bin/c89-gcc
Disable /usr/bin/g++-4.9 (requested /usr/bin/c++)
Disable /usr/bin/c++filt
Disable /usr/bin/as
Disable /usr/bin/ld.bfd (requested /usr/bin/ld)
Disable /usr/bin/gdb
Disable /usr/bin/g++-4.9 (requested /usr/bin/g++)
Disable /usr/bin/g++-4.9
Disable /usr/bin/g++-4.9 (requested /usr/bin/x86_64-linux-gnu-g++)
Disable /usr/bin/g++-4.9 (requested /usr/bin/x86_64-linux-gnu-g++-4.9)
Disable /usr/bin/gcc-4.9 (requested /usr/bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/gcc-ar-4.9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/gcc-nm-4.9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/gcc-ar-4.8 (requested /usr/bin/x86_64-linux-gnu-gcc-ar-4.8)
Disable /usr/bin/gcc-ar-4.9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar-4.9)
Disable /usr/bin/gcc-4.8 (requested /usr/bin/x86_64-linux-gnu-gcc-4.8)
Disable /usr/bin/gcc-ranlib-4.9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib-4.9)
Disable /usr/bin/gcc-nm-4.8 (requested /usr/bin/x86_64-linux-gnu-gcc-nm-4.8)
Disable /usr/bin/gcc-nm-4.9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm-4.9)
Disable /usr/bin/gcc-4.9 (requested /usr/bin/x86_64-linux-gnu-gcc-4.9)
Disable /usr/bin/gcc-ranlib-4.9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/gcc-ranlib-4.8 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib-4.8)
Disable /usr/lib/llvm-3.5/bin/clang-apply-replacements (requested /usr/bin/clang-apply-replacements-3.5)
Disable /usr/lib/llvm-3.5/bin/clang-check (requested /usr/bin/clang-check)
Disable /usr/lib/llvm-3.5/bin/clang-tidy (requested /usr/bin/clang-tidy)
Disable /usr/lib/llvm-3.5/bin/clang-tblgen (requested /usr/bin/clang-tblgen-3.5)
Disable /usr/lib/llvm-3.5/bin/clang-check (requested /usr/bin/clang-check-3.5)
Disable /usr/lib/llvm-3.5/bin/clang-tidy (requested /usr/bin/clang-tidy-3.5)
Disable /usr/lib/llvm-3.5/bin/clang-query (requested /usr/bin/clang-query-3.5)
Disable /usr/lib/llvm-3.5/bin/clang (requested /usr/bin/clang)
Disable /usr/lib/llvm-3.5/bin/clang (requested /usr/bin/clang++)
Disable /usr/lib/llvm-3.5/bin/clang-tblgen (requested /usr/bin/clang-tblgen)
Disable /usr/lib/llvm-3.5/bin/clang (requested /usr/bin/clang++-3.5)
Disable /usr/lib/llvm-3.5/bin/clang-query (requested /usr/bin/clang-query)
Disable /usr/lib/llvm-3.5/bin/clang-apply-replacements (requested /usr/bin/clang-apply-replacements)
Disable /usr/lib/llvm-3.5/bin/clang (requested /usr/bin/clang-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-as (requested /usr/bin/llvm-as-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-mcmarkup (requested /usr/bin/llvm-mcmarkup-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-ar (requested /usr/bin/llvm-ranlib-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-diff (requested /usr/bin/llvm-diff-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-cov (requested /usr/bin/llvm-cov-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-profdata (requested /usr/bin/llvm-profdata-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-mc (requested /usr/bin/llvm-mc-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-dwarfdump (requested /usr/bin/llvm-dwarfdump-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-rtdyld (requested /usr/bin/llvm-rtdyld-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-objdump (requested /usr/bin/llvm-objdump-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-readobj (requested /usr/bin/llvm-readobj-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-nm (requested /usr/bin/llvm-nm-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-tblgen (requested /usr/bin/llvm-tblgen-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-size (requested /usr/bin/llvm-size-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-stress (requested /usr/bin/llvm-stress-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-link (requested /usr/bin/llvm-link-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-symbolizer (requested /usr/bin/llvm-symbolizer-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-dis (requested /usr/bin/llvm-dis-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-ar (requested /usr/bin/llvm-ar-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-config (requested /usr/bin/llvm-config-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-extract (requested /usr/bin/llvm-extract-3.5)
Disable /usr/lib/llvm-3.5/bin/llvm-bcanalyzer (requested /usr/bin/llvm-bcanalyzer-3.5)
Disable /usr/lib/llvm-3.5
Disable /usr/lib/valgrind
Disable /usr/bin/perl
Disable /usr/bin/cpan
Disable /usr/bin/cpansign
Disable /usr/share/perl5
Disable /usr/share/perl
Disable /usr/lib/perl5
Disable /usr/bin/php5
Disable /usr/bin/php5 (requested /usr/bin/php)
Disable /usr/share/php5
Disable /usr/lib/php5
Disable /usr/bin/ruby2.1 (requested /usr/bin/ruby)
Disable /usr/lib/ruby
Disable /usr/bin/go
Disable /usr/bin/gofmt
Disable /usr/bin/openssl
Not blacklist /home/user/.config/user-dirs.dirs
Disable /sys/fs
DISPLAY=:0 parsed as 0
total 0
lrwx------ 1 user user 64 Jul  5 10:00 0 -> /dev/null
l-wx------ 1 user user 64 Jul  5 10:00 1 -> /home/user/debug
l-wx------ 1 user user 64 Jul  5 10:00 2 -> /home/user/debug
lr-x------ 1 user user 64 Jul  5 10:00 3 -> /proc/14/fd
SECCOMP Filter:
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCAL
  UNKNOWN ENTRY!!!
  UNKNOWN ENTRY!!!
  UNKNOWN ENTRY!!!
  BLACKLIST 165 mount
  BLACKLIST 166 umount2
  BLACKLIST 101 ptrace
  BLACKLIST 246 kexec_load
  BLACKLIST 304 open_by_handle_at
  BLACKLIST 303 name_to_handle_at
  BLACKLIST 175 init_module
  BLACKLIST 313 finit_module
  BLACKLIST 174 create_module
  BLACKLIST 176 delete_module
  BLACKLIST 172 iopl
  BLACKLIST 173 ioperm
  BLACKLIST 251 ioprio_set
  BLACKLIST 167 swapon
  BLACKLIST 168 swapoff
  BLACKLIST 103 syslog
  BLACKLIST 310 process_vm_readv
  BLACKLIST 311 process_vm_writev
  BLACKLIST 139 sysfs
  BLACKLIST 156 _sysctl
  BLACKLIST 159 adjtimex
  BLACKLIST 305 clock_adjtime
  BLACKLIST 212 lookup_dcookie
  BLACKLIST 298 perf_event_open
  BLACKLIST 300 fanotify_init
  BLACKLIST 312 kcmp
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 250 keyctl
  BLACKLIST 134 uselib
  BLACKLIST 163 acct
  BLACKLIST 154 modify_ldt
  BLACKLIST 155 pivot_root
  BLACKLIST 206 io_setup
  BLACKLIST 207 io_destroy
  BLACKLIST 208 io_getevents
  BLACKLIST 209 io_submit
  BLACKLIST 210 io_cancel
  BLACKLIST 216 remap_file_pages
  BLACKLIST 237 mbind
  BLACKLIST 239 get_mempolicy
  BLACKLIST 238 set_mempolicy
  BLACKLIST 256 migrate_pages
  BLACKLIST 279 move_pages
  BLACKLIST 278 vmsplice
  BLACKLIST 161 chroot
  BLACKLIST 184 tuxcall
  BLACKLIST 169 reboot
  BLACKLIST 180 nfsservctl
  BLACKLIST 177 get_kernel_syms
  BLACKLIST 227 clock_settime
  BLACKLIST 135 personality
  BLACKLIST 311 process_vm_writev
  BLACKLIST 178 query_module
  BLACKLIST 164 settimeofday
  BLACKLIST 136 ustat
  RETURN_ALLOW
Create the new ld.so.preload file
Blacklist violations are logged to syslog
Mount the new ld.so.preload file
Current directory: /home/user
Dropping all capabilities
Install protocol filter: unix,inet,inet6,netlink
configuring 16 seccomp entries from /run/firejail/mnt/seccomp.protocol
configuring 103 seccomp entries from /run/firejail/mnt/seccomp.i386
Dual i386/amd64 seccomp filter configured
configuring 120 seccomp entries from /run/firejail/mnt/seccomp
seccomp filter configured
sbox run: /opt/firejail/lib/firejail/fseccomp print /run/firejail/mnt/seccomp (null) 
configuring 120 seccomp entries from /run/firejail/mnt/seccomp
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Autoselecting /bin/bash as shell
Building quoted command line: 'palemoon' 
Command name #palemoon#
Found palemoon profile in /opt/firejail/etc/firejail directory
Using the local network stack
Parent pid 18376, child pid 18377

Parent is shutting down, bye...

I use the deb package for palemoon.

The ls command gives the following result:

ls -l /usr/bin/palemoon
lrwxrwxrwx 1 root root 24 avr 30 05:17 /usr/bin/palemoon -> ../lib/palemoon/palemoon

netblue30 commented 7 years ago

I'll try it out and make it work for a firejail install in /opt. Installs under /home will always be problematic, because features such as whitelist and private will hide files installed by firejail. But it should definitely work if it is installed in /opt.
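The point made in the comment above, as an added example that is not part of the original thread or of the firejail project: a small check that reads `firejail --debug` output and lists the firejail-owned files (profiles, helper binaries) that live under the user's home directory, where `--private` and whitelist can hide them. The two sample logs are constructed from lines quoted in this thread; the function names and the `/home/user` home path are assumptions.

```python
import re
from pathlib import PurePosixPath

# Log lines in which firejail names one of its own files
# (line formats as they appear in the logs posted in this thread).
PATTERNS = {
    "profile": re.compile(r"^Reading profile (\S+)"),
    "helper": re.compile(r"^sbox run: (\S+)"),
    "failed helper": re.compile(r"^Error: failed to run (\S+)"),
}


def firejail_files(log_text):
    """Return (kind, path) for every firejail-owned file named in the log."""
    found = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, rx in PATTERNS.items():
            match = rx.match(line)
            if match:
                found.append((kind, PurePosixPath(match.group(1))))
    return found


def audit(log_text, home):
    """List firejail files under `home`, and those among them that failed to run.

    Files under the home directory are the ones a private or whitelisted
    home can hide from the sandboxed process.
    """
    home = PurePosixPath(home)
    at_risk, failed = [], []
    for kind, path in firejail_files(log_text):
        if home not in path.parents:
            continue  # installed outside the home directory
        text = str(path)
        if text not in at_risk:
            at_risk.append(text)
        if kind == "failed helper" and text not in failed:
            failed.append(text)
    return {"at_risk": at_risk, "failed": failed}


# Constructed sample: lines from the first report (prefix $HOME/.local).
HOME_INSTALL_LOG = """\
Reading profile /home/user/.local/etc/firejail/palemoon.profile
Reading profile /home/user/.local/etc/firejail/disable-common.inc
Parent pid 21380, child pid 21381
Warning: skipping palemoon for private /opt
execl: No such file or directory
Error: failed to run /home/user/.local/lib/firejail/fcopy
"""

# Constructed sample: lines from the later run with firejail under /opt.
OPT_INSTALL_LOG = """\
sbox run: /opt/firejail/lib/firejail/fseccomp print /run/firejail/mnt/seccomp (null)
Found palemoon profile in /opt/firejail/etc/firejail directory
Parent pid 18376, child pid 18377
"""

if __name__ == "__main__":
    for name, log in (("home install", HOME_INSTALL_LOG),
                      ("/opt install", OPT_INSTALL_LOG)):
        report = audit(log, "/home/user")
        print(name, "->", report)
```
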

kadogo commented 7 years ago

Ok, don't hesitate to ping me to try again.

I think that the deb package of firejail is not installed in /opt either. Do you want me to test it with the deb package too?

startx2017 commented 7 years ago

Yes, do a test on the .deb package. The one from the download site https://sourceforge.net/projects/firejail/files/firejail/ should work on Jessie. Even the one from jessie-backports should do it, although this is an older version.

Fred-Barclay commented 7 years ago

@kadogo Were you able to test with the deb package? Also, from what repo did you install palemoon? Cheers! Fred

kadogo commented 7 years ago

@startx2017 Sorry, in the meantime I have moved to Stretch, but I need to check it again with the latest manually built version; maybe it works better.

@Fred-Barclay I haven't tested it again for now. I use the following repo to install palemoon on Debian Stretch (deb http://download.opensuse.org/repositories/home:/stevenpusser/Debian_9.0/ /)

Fred-Barclay commented 6 years ago

Closing for now as OP is using Stretch.