netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Firefox using 100% CPU with firejail when downloading files #2324

Closed mkkot closed 4 years ago

mkkot commented 5 years ago

Firefox 64.0 is using 100% CPU when downloading files via the built-in mechanism. To reproduce:

firejail /usr/bin/firefox

Then go to https://www.kernel.org/ or to some other source of big files and simultaneously download as many files as you have CPU cores. Open top or htop and see that Firefox is eating all your cores.

For me, downloading on 4 cores without firejail takes about 30% of CPU, but with firejail it takes 370%.

Of course it doesn't happen when not paired with firejail. It also works correctly with the --noprofile option.

[mk@linux ~]$ firejail --version
firejail version 0.9.56

Compile time support:
    - AppArmor support is disabled
    - AppImage support is enabled
    - chroot support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - networking support is enabled
    - overlayfs support is enabled
    - private-home support is enabled
    - seccomp-bpf support is enabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

I also tested with /etc/firejail/firefox.local removed but there was no difference.

[mk@linux ~]$ firejail --debug /usr/bin/firefox 
Autoselecting /bin/bash as shell
Building quoted command line: '/usr/bin/firefox' 
Command name #firefox#
Found firefox profile in /etc/firejail directory
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox.local
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
DISPLAY=:0.0 parsed as 0
Using the local network stack
Parent pid 11262, child pid 11263
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp.postexec file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /usr/lib/firejail/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 100, nogroups 1
No supplementary groups
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/mk/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
mounting /run/firejail/mnt/dev/hidraw0 file
mounting /run/firejail/mnt/dev/hidraw1 file
mounting /run/firejail/mnt/dev/usb directory
Process /dev/shm directory
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/config.gz
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Disable /mnt
Disable /media
Disable /run/mount
Directory ${DOWNLOADS} resolved as Pobrane
Debug 405: new_name #/home/mk/Pobrane#, whitelist
Debug 505: fname #/home/mk/Pobrane#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/Pobrane
Debug 405: new_name #/home/mk/Downloads#, whitelist
Debug 505: fname #/home/mk/Downloads#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/Downloads
Debug 405: new_name #/home/mk/.cache/mozilla/firefox#, whitelist
Debug 505: fname #/home/mk/.cache/mozilla/firefox#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.cache/mozilla/firefox
Debug 405: new_name #/home/mk/.mozilla#, whitelist
Debug 505: fname #/home/mk/.mozilla#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.mozilla
Directory ${DOWNLOADS} resolved as Pobrane
Debug 405: new_name #/home/mk/Pobrane#, whitelist
Debug 505: fname #/home/mk/Pobrane#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/Pobrane
Debug 405: new_name #/home/mk/.pki#, whitelist
Debug 505: fname #/home/mk/.pki#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.pki
Debug 405: new_name #/home/mk/.XCompose#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.XCompose
    expanded: /home/mk/.XCompose
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.asoundrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.asoundrc
    expanded: /home/mk/.asoundrc
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/ibus#, whitelist
Debug 505: fname #/home/mk/.config/ibus#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/ibus
Debug 405: new_name #/home/mk/.config/mimeapps.list#, whitelist
Debug 505: fname #/home/mk/.config/mimeapps.list#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/mimeapps.list
Debug 405: new_name #/home/mk/.config/pkcs11#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/pkcs11
    expanded: /home/mk/.config/pkcs11
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/user-dirs.dirs#, whitelist
Debug 505: fname #/home/mk/.config/user-dirs.dirs#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/user-dirs.dirs
Debug 405: new_name #/home/mk/.drirc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.drirc
    expanded: /home/mk/.drirc
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.icons
    expanded: /home/mk/.icons
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.local/share/applications#, whitelist
Debug 505: fname #/home/mk/.local/share/applications#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.local/share/applications
Debug 405: new_name #/home/mk/.local/share/icons#, whitelist
Debug 505: fname #/home/mk/.local/share/icons#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.local/share/icons
Debug 405: new_name #/home/mk/.local/share/mime#, whitelist
Debug 505: fname #/home/mk/.local/share/mime#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.local/share/mime
Debug 405: new_name #/home/mk/.mime.types#, whitelist
Debug 505: fname #/home/mk/.mime.types#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.mime.types
Debug 405: new_name #/home/mk/.cache/fontconfig#, whitelist
Debug 505: fname #/home/mk/.cache/fontconfig#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.cache/fontconfig
Debug 405: new_name #/home/mk/.config/fontconfig#, whitelist
Debug 505: fname #/home/mk/.config/fontconfig#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/fontconfig
Debug 405: new_name #/home/mk/.fontconfig#, whitelist
Debug 505: fname #/home/mk/.fontconfig#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.fontconfig
Debug 405: new_name #/home/mk/.fonts#, whitelist
Debug 505: fname #/home/mk/.fonts#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.fonts
Debug 405: new_name #/home/mk/.fonts.conf#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf
    expanded: /home/mk/.fonts.conf
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.fonts.conf.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf.d
    expanded: /home/mk/.fonts.conf.d
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.fonts.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.d
    expanded: /home/mk/.fonts.d
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.local/share/fonts#, whitelist
Debug 505: fname #/home/mk/.local/share/fonts#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.local/share/fonts
Debug 405: new_name #/home/mk/.pangorc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.pangorc
    expanded: /home/mk/.pangorc
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/gtk-2.0#, whitelist
Debug 505: fname #/home/mk/.config/gtk-2.0#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/gtk-2.0
Debug 405: new_name #/home/mk/.config/gtk-3.0#, whitelist
Debug 505: fname #/home/mk/.config/gtk-3.0#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/gtk-3.0
Debug 405: new_name #/home/mk/.config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc
    expanded: /home/mk/.config/gtkrc
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc-2.0
    expanded: /home/mk/.config/gtkrc-2.0
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.gnome2#, whitelist
Debug 505: fname #/home/mk/.gnome2#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.gnome2
Debug 405: new_name #/home/mk/.gnome2-private#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2-private
    expanded: /home/mk/.gnome2-private
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.gtk-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtk-2.0
    expanded: /home/mk/.gtk-2.0
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc
    expanded: /home/mk/.gtkrc
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc-2.0
    expanded: /home/mk/.gtkrc-2.0
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc
    expanded: /home/mk/.kde/share/config/gtkrc
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc-2.0
    expanded: /home/mk/.kde/share/config/gtkrc-2.0
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc
    expanded: /home/mk/.kde4/share/config/gtkrc
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
    expanded: /home/mk/.kde4/share/config/gtkrc-2.0
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.local/share/themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/themes
    expanded: /home/mk/.local/share/themes
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.themes#, whitelist
Debug 505: fname #/home/mk/.themes#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.themes
Debug 405: new_name #/home/mk/.config/dconf#, whitelist
Debug 505: fname #/home/mk/.config/dconf#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/dconf
Debug 405: new_name #/home/mk/.config/Kvantum#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Kvantum
    expanded: /home/mk/.config/Kvantum
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/Trolltech.conf#, whitelist
Debug 505: fname #/home/mk/.config/Trolltech.conf#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/Trolltech.conf
Debug 405: new_name #/home/mk/.config/kdeglobals#, whitelist
Debug 505: fname #/home/mk/.config/kdeglobals#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/kdeglobals
Debug 405: new_name #/home/mk/.config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kio_httprc
    expanded: /home/mk/.config/kio_httprc
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/kioslaverc#, whitelist
Debug 505: fname #/home/mk/.config/kioslaverc#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/kioslaverc
Debug 405: new_name #/home/mk/.config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ksslcablacklist
    expanded: /home/mk/.config/ksslcablacklist
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.config/qt5ct#, whitelist
Debug 505: fname #/home/mk/.config/qt5ct#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.config/qt5ct
Debug 405: new_name #/home/mk/.kde/share/config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kdeglobals
    expanded: /home/mk/.kde/share/config/kdeglobals
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kio_httprc
    expanded: /home/mk/.kde/share/config/kio_httprc
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kioslaverc
    expanded: /home/mk/.kde/share/config/kioslaverc
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/ksslcablacklist
    expanded: /home/mk/.kde/share/config/ksslcablacklist
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/oxygenrc
    expanded: /home/mk/.kde/share/config/oxygenrc
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/icons
    expanded: /home/mk/.kde/share/icons
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/config/kdeglobals#, whitelist
Debug 505: fname #/home/mk/.kde4/share/config/kdeglobals#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.kde4/share/config/kdeglobals
Debug 405: new_name #/home/mk/.kde4/share/config/kio_httprc#, whitelist
Debug 505: fname #/home/mk/.kde4/share/config/kio_httprc#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.kde4/share/config/kio_httprc
Debug 405: new_name #/home/mk/.kde4/share/config/kioslaverc#, whitelist
Debug 505: fname #/home/mk/.kde4/share/config/kioslaverc#, cfg.homedir #/home/mk#
Replaced whitelist path: whitelist /home/mk/.kde4/share/config/kioslaverc
Debug 405: new_name #/home/mk/.kde4/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/ksslcablacklist
    expanded: /home/mk/.kde4/share/config/ksslcablacklist
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/oxygenrc
    expanded: /home/mk/.kde4/share/config/oxygenrc
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.kde4/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/icons
    expanded: /home/mk/.kde4/share/icons
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.local/share/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/qt5ct
    expanded: /home/mk/.local/share/qt5ct
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/home/mk/.cache/kioexec/krun#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/kioexec/krun
    expanded: /home/mk/.cache/kioexec/krun
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/var/lib/dbus#, whitelist
Debug 405: new_name #/var/lib/menu-xdg#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg
    expanded: /var/lib/menu-xdg
    real path: (null)
    realpath: No such file or directory
Debug 405: new_name #/var/cache/fontconfig#, whitelist
Debug 405: new_name #/var/tmp#, whitelist
Debug 405: new_name #/var/run#, whitelist
Replaced whitelist path: whitelist /run
Debug 405: new_name #/var/lock#, whitelist
Replaced whitelist path: whitelist /run/lock
Drop privileges: pid 3, uid 1000, gid 100, nogroups 0
Supplementary groups: 50 
Mounting a new /home directory
Mounting a new /root directory
Create a new user directory
Drop privileges: pid 4, uid 1000, gid 100, nogroups 0
Supplementary groups: 50 
Drop privileges: pid 5, uid 1000, gid 100, nogroups 0
Supplementary groups: 50 
Mounting tmpfs on /var directory
Whitelisting /home/mk/Pobrane
634 627 8:3 /mk/Pobrane /home/mk/Pobrane rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/Pobrane dir=/home/mk/Pobrane fstype=ext4
Whitelisting /home/mk/Downloads
635 627 8:3 /mk/Downloads /home/mk/Downloads rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/Downloads dir=/home/mk/Downloads fstype=ext4
Whitelisting /home/mk/.cache/mozilla/firefox
636 627 0:46 /mozilla/firefox /home/mk/.cache/mozilla/firefox rw,nosuid,nodev,relatime master:69 - tmpfs tmpfs rw,size=102400k
fsname=/mozilla/firefox dir=/home/mk/.cache/mozilla/firefox fstype=tmpfs
Whitelisting /home/mk/.mozilla
637 627 8:3 /mk/.mozilla /home/mk/.mozilla rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.mozilla dir=/home/mk/.mozilla fstype=ext4
Whitelisting /home/mk/Pobrane
638 634 8:3 /mk/Pobrane /home/mk/Pobrane rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/Pobrane dir=/home/mk/Pobrane fstype=ext4
Whitelisting /home/mk/.pki
639 627 8:3 /mk/.pki /home/mk/.pki rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.pki dir=/home/mk/.pki fstype=ext4
Whitelisting /home/mk/.config/ibus
640 627 8:3 /mk/.config/ibus /home/mk/.config/ibus rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/ibus dir=/home/mk/.config/ibus fstype=ext4
Whitelisting /home/mk/.config/mimeapps.list
641 627 8:3 /mk/.config/mimeapps.list /home/mk/.config/mimeapps.list rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/mimeapps.list dir=/home/mk/.config/mimeapps.list fstype=ext4
Whitelisting /home/mk/.config/user-dirs.dirs
642 627 8:3 /mk/.config/user-dirs.dirs /home/mk/.config/user-dirs.dirs rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/user-dirs.dirs dir=/home/mk/.config/user-dirs.dirs fstype=ext4
Whitelisting /home/mk/.local/share/applications
643 627 8:3 /mk/.local/share/applications /home/mk/.local/share/applications rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.local/share/applications dir=/home/mk/.local/share/applications fstype=ext4
Whitelisting /home/mk/.local/share/icons
644 627 8:3 /mk/.local/share/icons /home/mk/.local/share/icons rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.local/share/icons dir=/home/mk/.local/share/icons fstype=ext4
Whitelisting /home/mk/.local/share/mime
645 627 8:3 /mk/.local/share/mime /home/mk/.local/share/mime rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.local/share/mime dir=/home/mk/.local/share/mime fstype=ext4
Whitelisting /home/mk/.mime.types
646 627 8:3 /mk/.mime.types /home/mk/.mime.types rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.mime.types dir=/home/mk/.mime.types fstype=ext4
Whitelisting /home/mk/.cache/fontconfig
647 627 0:46 /fontconfig /home/mk/.cache/fontconfig rw,nosuid,nodev,relatime master:69 - tmpfs tmpfs rw,size=102400k
fsname=/fontconfig dir=/home/mk/.cache/fontconfig fstype=tmpfs
Whitelisting /home/mk/.config/fontconfig
648 627 8:3 /mk/.config/fontconfig /home/mk/.config/fontconfig rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/fontconfig dir=/home/mk/.config/fontconfig fstype=ext4
Whitelisting /home/mk/.fontconfig
649 627 8:3 /mk/.fontconfig /home/mk/.fontconfig rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.fontconfig dir=/home/mk/.fontconfig fstype=ext4
Whitelisting /home/mk/.fonts
650 627 8:3 /mk/.fonts /home/mk/.fonts rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.fonts dir=/home/mk/.fonts fstype=ext4
Whitelisting /home/mk/.local/share/fonts
651 627 8:3 /mk/.local/share/fonts /home/mk/.local/share/fonts rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.local/share/fonts dir=/home/mk/.local/share/fonts fstype=ext4
Whitelisting /home/mk/.config/gtk-2.0
652 627 8:3 /mk/.config/gtk-2.0 /home/mk/.config/gtk-2.0 rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/gtk-2.0 dir=/home/mk/.config/gtk-2.0 fstype=ext4
Whitelisting /home/mk/.config/gtk-3.0
653 627 8:3 /mk/.config/gtk-3.0 /home/mk/.config/gtk-3.0 rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/gtk-3.0 dir=/home/mk/.config/gtk-3.0 fstype=ext4
Whitelisting /home/mk/.gnome2
654 627 8:3 /mk/.gnome2 /home/mk/.gnome2 rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.gnome2 dir=/home/mk/.gnome2 fstype=ext4
Whitelisting /home/mk/.themes
655 627 8:3 /mk/.themes /home/mk/.themes rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.themes dir=/home/mk/.themes fstype=ext4
Whitelisting /home/mk/.config/dconf
656 627 8:3 /mk/.config/dconf /home/mk/.config/dconf rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/dconf dir=/home/mk/.config/dconf fstype=ext4
Whitelisting /home/mk/.config/Trolltech.conf
657 627 8:3 /mk/.config/Trolltech.conf /home/mk/.config/Trolltech.conf rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/Trolltech.conf dir=/home/mk/.config/Trolltech.conf fstype=ext4
Whitelisting /home/mk/.config/kdeglobals
658 627 8:3 /mk/.config/kdeglobals /home/mk/.config/kdeglobals rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/kdeglobals dir=/home/mk/.config/kdeglobals fstype=ext4
Whitelisting /home/mk/.config/kioslaverc
659 627 8:3 /mk/.config/kioslaverc /home/mk/.config/kioslaverc rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/kioslaverc dir=/home/mk/.config/kioslaverc fstype=ext4
Whitelisting /home/mk/.config/qt5ct
660 627 8:3 /mk/.config/qt5ct /home/mk/.config/qt5ct rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.config/qt5ct dir=/home/mk/.config/qt5ct fstype=ext4
Whitelisting /home/mk/.kde4/share/config/kdeglobals
661 627 8:3 /mk/.kde4/share/config/kdeglobals /home/mk/.kde4/share/config/kdeglobals rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.kde4/share/config/kdeglobals dir=/home/mk/.kde4/share/config/kdeglobals fstype=ext4
Whitelisting /home/mk/.kde4/share/config/kio_httprc
662 627 8:3 /mk/.kde4/share/config/kio_httprc /home/mk/.kde4/share/config/kio_httprc rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.kde4/share/config/kio_httprc dir=/home/mk/.kde4/share/config/kio_httprc fstype=ext4
Whitelisting /home/mk/.kde4/share/config/kioslaverc
663 627 8:3 /mk/.kde4/share/config/kioslaverc /home/mk/.kde4/share/config/kioslaverc rw,noatime master:61 - ext4 /dev/sda3 rw
fsname=/mk/.kde4/share/config/kioslaverc dir=/home/mk/.kde4/share/config/kioslaverc fstype=ext4
Whitelisting /var/lib/dbus
664 633 8:2 /lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,noatime master:63 - ext4 /dev/sda2 rw
fsname=/lib/dbus dir=/var/lib/dbus fstype=ext4
Whitelisting /var/cache/fontconfig
665 633 8:2 /cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,noatime master:63 - ext4 /dev/sda2 rw
fsname=/cache/fontconfig dir=/var/cache/fontconfig fstype=ext4
Whitelisting /var/tmp
666 633 0:70 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw
fsname=/ dir=/var/tmp fstype=tmpfs
Created symbolic link /var/run -> /run
Created symbolic link /var/lock -> /run/lock
Directory ${DOWNLOADS} resolved as Pobrane
Mounting noexec /home/mk/Pobrane
Mounting noexec /home/mk/Downloads
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Mounting read-only /home/mk/.Xauthority
Mounting read-only /home/mk/.config/kdeglobals
Mounting read-only /home/mk/.config/kioslaverc
Mounting read-only /home/mk/.kde4/share/config/kdeglobals
Mounting read-only /home/mk/.kde4/share/config/kio_httprc
Mounting read-only /home/mk/.kde4/share/config/kioslaverc
Disable /etc/anacrontab
Disable /etc/cron.daily
Disable /etc/cron.hourly
Disable /etc/cron.weekly
Disable /etc/cron.monthly
Disable /etc/cron.d
Disable /etc/cron.deny
Disable /etc/profile.d
Disable /etc/kernel
Disable /etc/grub.d
Disable /etc/modules-load.d
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Mounting read-only /home/mk/.bashrc
Mounting read-only /home/mk/.local/share/applications
Not blacklist /home/mk/.pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Warning: /sbin directory link was not blacklisted
Disable /usr/local/sbin
Warning: /usr/sbin directory link was not blacklisted
Disable /usr/bin/chage
Disable /usr/bin/chfn
Disable /usr/bin/chsh
Disable /usr/bin/crontab
Disable /usr/bin/expiry
Disable /usr/bin/fusermount
Disable /usr/bin/gpasswd
Disable /usr/bin/ksu
Disable /usr/bin/mount
Disable /usr/bin/ncat
Disable /usr/bin/newgidmap
Disable /usr/bin/newgrp
Disable /usr/bin/newuidmap
Disable /usr/bin/ntfs-3g
Disable /usr/bin/pkexec
Disable /usr/bin/procmail
Disable /usr/bin/sg
Disable /usr/bin/strace
Disable /usr/bin/su
Disable /usr/bin/sudo
Disable /usr/bin/umount
Disable /usr/bin/unix_chkpwd
Disable /usr/bin/xev
Disable /usr/bin/xinput
Disable /usr/bin/xfce4-terminal
Mounting noexec /tmp/.X11-unix
Disable /usr/bin/bwrap
Disable /usr/bin/as
Disable /usr/bin/gcc (requested /usr/bin/cc)
Disable /usr/bin/c++filt
Disable /usr/bin/c++
Disable /usr/bin/c89
Disable /usr/bin/c99
Disable /usr/bin/cpp
Disable /usr/bin/cpp2html
Disable /usr/bin/g++
Disable /usr/bin/gcc
Disable /usr/bin/gcc-ranlib
Disable /usr/bin/gcc-nm
Disable /usr/bin/gcc-ar
Disable /usr/bin/gccmakedep
Disable /usr/bin/ld
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ranlib
Disable /usr/bin/x86_64-pc-linux-gnu-gcc
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-8.2.1
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-nm
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ar
Disable /usr/bin/x86_64-pc-linux-gnu-g++
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ranlib
Disable /usr/bin/x86_64-pc-linux-gnu-gcc
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-8.2.1
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-nm
Disable /usr/bin/x86_64-pc-linux-gnu-gcc-ar
Disable /usr/bin/x86_64-pc-linux-gnu-g++
Disable /usr/include
Disable /usr/bin/clang-format
Disable /usr/bin/clang-include-fixer
Disable /usr/bin/clang-apply-replacements
Disable /usr/bin/clang-offload-bundler
Disable /usr/bin/clangd
Disable /usr/bin/clang-refactor
Disable /usr/bin/clang-reorder-fields
Disable /usr/bin/clang-7 (requested /usr/bin/clang)
Disable /usr/bin/clang-import-test
Disable /usr/bin/clang-func-mapping
Disable /usr/bin/clang-query
Disable /usr/bin/clang-7
Disable /usr/bin/clang-check
Disable /usr/bin/clang-tidy
Disable /usr/bin/clang-7 (requested /usr/bin/clang-cpp)
Disable /usr/bin/clang-7 (requested /usr/bin/clang++)
Disable /usr/bin/clang-rename
Disable /usr/bin/clang-change-namespace
Disable /usr/bin/clang-7 (requested /usr/bin/clang-cl)
Disable /usr/bin/llvm-tblgen
Disable /usr/bin/llvm-undname
Disable /usr/bin/llvm-cxxdump
Disable /usr/bin/llvm-c-test
Disable /usr/bin/llvm-nm
Disable /usr/bin/llvm-pdbutil
Disable /usr/bin/llvm-rtdyld
Disable /usr/bin/llvm-mca
Disable /usr/bin/llvm-ar (requested /usr/bin/llvm-dlltool)
Disable /usr/bin/llvm-cat
Disable /usr/bin/llvm-strings
Disable /usr/bin/llvm-stress
Disable /usr/bin/llvm-objcopy (requested /usr/bin/llvm-strip)
Disable /usr/bin/llvm-objcopy
Disable /usr/bin/llvm-dwarfdump
Disable /usr/bin/llvm-PerfectShuffle
Disable /usr/bin/llvm-exegesis
Disable /usr/bin/llvm-extract
Disable /usr/bin/llvm-size
Disable /usr/bin/llvm-ar
Disable /usr/bin/llvm-bcanalyzer
Disable /usr/bin/llvm-config
Disable /usr/bin/llvm-split
Disable /usr/bin/llvm-mc
Disable /usr/bin/llvm-diff
Disable /usr/bin/llvm-profdata
Disable /usr/bin/llvm-objdump
Disable /usr/bin/llvm-opt-report
Disable /usr/bin/llvm-rc
Disable /usr/bin/llvm-cfi-verify
Disable /usr/bin/llvm-ar (requested /usr/bin/llvm-lib)
Disable /usr/bin/llvm-mt
Disable /usr/bin/llvm-readobj (requested /usr/bin/llvm-readelf)
Disable /usr/bin/llvm-lto
Disable /usr/bin/llvm-symbolizer
Disable /usr/bin/llvm-link
Disable /usr/bin/llvm-cvtres
Disable /usr/bin/llvm-dwp
Disable /usr/bin/llvm-lto2
Disable /usr/bin/llvm-as
Disable /usr/bin/llvm-xray
Disable /usr/bin/llvm-readobj
Disable /usr/bin/llvm-ar (requested /usr/bin/llvm-ranlib)
Disable /usr/bin/llvm-dis
Disable /usr/bin/llvm-cov
Disable /usr/bin/llvm-cxxfilt
Disable /usr/bin/llvm-modextract
Disable /usr/lib/jvm/java-8-openjdk/jre/bin/java (requested /usr/bin/java)
Disable /usr/lib/jvm/java-8-openjdk/jre/bin/java (requested /usr/lib/jvm/default/bin/java)
Disable /usr/share/java
Disable /usr/bin/rust-gdb
Disable /usr/bin/rust-lldb
Disable /usr/bin/rustc
Disable /usr/bin/openssl
Disable /usr/bin/openssl-1.0
Disable /usr/bin/luac5.2
Disable /usr/bin/lua
Disable /usr/bin/lua (requested /usr/bin/lua5.3)
Disable /usr/bin/luac5.1
Disable /usr/bin/luac (requested /usr/bin/luac5.3)
Disable /usr/bin/lua5.2
Disable /usr/bin/luac
Disable /usr/bin/lua5.1
Disable /usr/lib/lua
Disable /usr/bin/core_perl/cpan
Disable /usr/bin/core_perl
Disable /usr/bin/perl
Disable /usr/lib/perl5
Disable /usr/share/perl-image-exiftool
Disable /usr/share/perl5
Disable /usr/bin/ruby
Disable /usr/lib/ruby
Disable /usr/bin/python2.7 (requested /usr/bin/python2)
Disable /usr/bin/python2.7-config (requested /usr/bin/python2-config)
Disable /usr/bin/python2-pylupdate5
Disable /usr/bin/python2-pyrcc5
Disable /usr/bin/python2.7-config
Disable /usr/bin/python2-pyuic5
Disable /usr/bin/python2.7
Disable /usr/lib/python2.6
Disable /usr/lib/python2.7
Disable /usr/bin/python3.7m-config (requested /usr/bin/python3.7-config)
Disable /usr/bin/python3.7 (requested /usr/bin/python3)
Disable /usr/bin/python3.7m-config (requested /usr/bin/python3-config)
Disable /usr/bin/python3.7m
Disable /usr/bin/python3.7m-config
Disable /usr/bin/python3.7
Disable /usr/lib/python3.6
Disable /usr/lib/python3.7
Not blacklist /home/mk/.mozilla
Disable /tmp/ssh-ZaxvlS8w0ta9
Not blacklist /home/mk/.cache/mozilla
Mounting read-only /home/mk/.config/user-dirs.dirs
Mounting read-only /home/mk/.local/share/applications
Mounting noexec /home/mk
Mounting noexec /tmp
Disable /sys/fs
Disable /sys/module
Drop privileges: pid 6, uid 1000, gid 100, nogroups 0
Supplementary groups: 50 
873 627 0:68 /pulse /home/mk/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755
fsname=/pulse dir=/home/mk/.config/pulse fstype=tmpfs
blacklist /dev/dvb
blacklist /dev/sr0
Create the new ld.so.preload file
Post-exec seccomp protector enabled
Mount the new ld.so.preload file
Current directory: /home/mk
DISPLAY=:0.0 parsed as 0
Dropping all capabilities
Install protocol filter: unix,inet,inet6,netlink
configuring 16 seccomp entries in /run/firejail/mnt/seccomp.protocol
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp.protocol (null) 
Dropping all capabilities
Drop privileges: pid 7, uid 1000, gid 100, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 01 00 00000029   jeq socket 0006 (false 0005)
 0005: 06 00 00 7fff0000   ret ALLOW
 0006: 20 00 00 00000010   ld  data.args[0]
 0007: 15 00 01 00000001   jeq 1 0008 (false 0009)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 00000002   jeq 2 000a (false 000b)
 000a: 06 00 00 7fff0000   ret ALLOW
 000b: 15 00 01 0000000a   jeq a 000c (false 000d)
 000c: 06 00 00 7fff0000   ret ALLOW
 000d: 15 00 01 00000010   jeq 10 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 06 00 00 0005005f   ret ERRNO(95)
Build drop seccomp filter
sbox run: /usr/lib/firejail/fseccomp drop /run/firejail/mnt/seccomp /run/firejail/mnt/seccomp.postexec @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice (null) 
Dropping all capabilities
Drop privileges: pid 8, uid 1000, gid 100, nogroups 1
No supplementary groups
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
sbox run: /usr/lib/firejail/fsec-optimize /run/firejail/mnt/seccomp (null) 
Dropping all capabilities
Drop privileges: pid 9, uid 1000, gid 100, nogroups 1
No supplementary groups
configuring 73 seccomp entries in /run/firejail/mnt/seccomp
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp (null) 
Dropping all capabilities
Drop privileges: pid 10, uid 1000, gid 100, nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 40 00 0000009f   jeq adjtimex 0048 (false 0008)
 0008: 15 3f 00 00000131   jeq clock_adjtime 0048 (false 0009)
 0009: 15 3e 00 000000e3   jeq clock_settime 0048 (false 000a)
 000a: 15 3d 00 000000a4   jeq settimeofday 0048 (false 000b)
 000b: 15 3c 00 0000009a   jeq modify_ldt 0048 (false 000c)
 000c: 15 3b 00 000000d4   jeq lookup_dcookie 0048 (false 000d)
 000d: 15 3a 00 0000012a   jeq perf_event_open 0048 (false 000e)
 000e: 15 39 00 00000137   jeq process_vm_writev 0048 (false 000f)
 000f: 15 38 00 000000b0   jeq delete_module 0048 (false 0010)
 0010: 15 37 00 00000139   jeq finit_module 0048 (false 0011)
 0011: 15 36 00 000000af   jeq init_module 0048 (false 0012)
 0012: 15 35 00 0000009c   jeq _sysctl 0048 (false 0013)
 0013: 15 34 00 000000b7   jeq afs_syscall 0048 (false 0014)
 0014: 15 33 00 000000ae   jeq create_module 0048 (false 0015)
 0015: 15 32 00 000000b1   jeq get_kernel_syms 0048 (false 0016)
 0016: 15 31 00 000000b5   jeq getpmsg 0048 (false 0017)
 0017: 15 30 00 000000b6   jeq putpmsg 0048 (false 0018)
 0018: 15 2f 00 000000b2   jeq query_module 0048 (false 0019)
 0019: 15 2e 00 000000b9   jeq security 0048 (false 001a)
 001a: 15 2d 00 0000008b   jeq sysfs 0048 (false 001b)
 001b: 15 2c 00 000000b8   jeq tuxcall 0048 (false 001c)
 001c: 15 2b 00 00000086   jeq uselib 0048 (false 001d)
 001d: 15 2a 00 00000088   jeq ustat 0048 (false 001e)
 001e: 15 29 00 000000ec   jeq vserver 0048 (false 001f)
 001f: 15 28 00 000000ad   jeq ioperm 0048 (false 0020)
 0020: 15 27 00 000000ac   jeq iopl 0048 (false 0021)
 0021: 15 26 00 000000f6   jeq kexec_load 0048 (false 0022)
 0022: 15 25 00 00000140   jeq kexec_file_load 0048 (false 0023)
 0023: 15 24 00 000000a9   jeq reboot 0048 (false 0024)
 0024: 15 23 00 000000ee   jeq set_mempolicy 0048 (false 0025)
 0025: 15 22 00 00000100   jeq migrate_pages 0048 (false 0026)
 0026: 15 21 00 00000117   jeq move_pages 0048 (false 0027)
 0027: 15 20 00 000000ed   jeq mbind 0048 (false 0028)
 0028: 15 1f 00 000000a7   jeq swapon 0048 (false 0029)
 0029: 15 1e 00 000000a8   jeq swapoff 0048 (false 002a)
 002a: 15 1d 00 000000a3   jeq acct 0048 (false 002b)
 002b: 15 1c 00 000000f8   jeq add_key 0048 (false 002c)
 002c: 15 1b 00 00000141   jeq bpf 0048 (false 002d)
 002d: 15 1a 00 0000012c   jeq fanotify_init 0048 (false 002e)
 002e: 15 19 00 000000d2   jeq io_cancel 0048 (false 002f)
 002f: 15 18 00 000000cf   jeq io_destroy 0048 (false 0030)
 0030: 15 17 00 000000d0   jeq io_getevents 0048 (false 0031)
 0031: 15 16 00 000000ce   jeq io_setup 0048 (false 0032)
 0032: 15 15 00 000000d1   jeq io_submit 0048 (false 0033)
 0033: 15 14 00 000000fb   jeq ioprio_set 0048 (false 0034)
 0034: 15 13 00 00000138   jeq kcmp 0048 (false 0035)
 0035: 15 12 00 000000fa   jeq keyctl 0048 (false 0036)
 0036: 15 11 00 000000a5   jeq mount 0048 (false 0037)
 0037: 15 10 00 0000012f   jeq name_to_handle_at 0048 (false 0038)
 0038: 15 0f 00 000000b4   jeq nfsservctl 0048 (false 0039)
 0039: 15 0e 00 00000130   jeq open_by_handle_at 0048 (false 003a)
 003a: 15 0d 00 00000087   jeq personality 0048 (false 003b)
 003b: 15 0c 00 0000009b   jeq pivot_root 0048 (false 003c)
 003c: 15 0b 00 00000136   jeq process_vm_readv 0048 (false 003d)
 003d: 15 0a 00 00000065   jeq ptrace 0048 (false 003e)
 003e: 15 09 00 000000d8   jeq remap_file_pages 0048 (false 003f)
 003f: 15 08 00 000000f9   jeq request_key 0048 (false 0040)
 0040: 15 07 00 000000ab   jeq setdomainname 0048 (false 0041)
 0041: 15 06 00 000000aa   jeq sethostname 0048 (false 0042)
 0042: 15 05 00 00000067   jeq syslog 0048 (false 0043)
 0043: 15 04 00 000000a6   jeq umount2 0048 (false 0044)
 0044: 15 03 00 00000143   jeq userfaultfd 0048 (false 0045)
 0045: 15 02 00 00000099   jeq vhangup 0048 (false 0046)
 0046: 15 01 00 00000116   jeq vmsplice 0048 (false 0047)
 0047: 06 00 00 7fff0000   ret ALLOW
 0048: 06 00 00 00000000   ret KILL
seccomp filter configured
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 1
No supplementary groups
starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/firefox
Child process initialized in 152.33 ms
Installing /run/firejail/mnt/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp.protocol seccomp filter
monitoring pid 11

Vincent43 commented 5 years ago

I've seen similar behavior on that site. You may try with firejail --ignore=seccomp.

Fred-Barclay commented 5 years ago

I haven't been able to duplicate (I'm on Arch). Even 7 simultaneous downloads don't take my CPU above ~26%.

Vincent43 commented 5 years ago

@Fred-Barclay can you go to https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/log/ and try to open several commits, each on a new tab?

SkewedZeppelin commented 5 years ago

I can't really reproduce either. Downloading a 10GB file at 150Mbps doesn't push any of my cores past 20%.

And I tried opening a bunch of large commits from there and all of them loaded near instantly.

I am sure there are a lot of variables that affect this result, which is why we don't all see the same, like: processor (and microcode), kernel version, kernel config, distro compiler flags, network speed, drive, disk encryption, browser (and extensions), etc.

Vincent43 commented 5 years ago

It could also be issues related to that site itself in a specific time period.

mkkot commented 5 years ago

Guys, this has nothing to do with kernel.org. I just used the site as it has easily available big files to download. The problem is with downloading files with firefox and firejail. I tried firejail --ignore=seccomp but it doesn't change anything. I will try to dig more and see if I can narrow down the problem.

//Edit: this doesn't happen on a fresh Firefox profile. However, please try to change this setting:

[Image: screenshot 2019-01-03_10-02-42]

Now you should be able to reproduce the issue.

Fred-Barclay commented 5 years ago

Yep, it's "Always ask you where to save files" that does it! This is the progress from 0 to 5 simultaneous downloads: [Image: increasing]

ghost commented 5 years ago

Hello, I have tried to reproduce and I don't have this problem while using firejailed Firefox, Manjaro KDE edition, firejail 0.9.57 r4574 from 18 December.

rusty-snake commented 5 years ago

I tried to reproduce:

Result:

chiraag-nataraj commented 5 years ago

Unfortunately, I cannot reproduce this either :confused:

Boruch-Baum commented 5 years ago

I'm pretty sure that I have a solution for this. What I've done is to create a file ~/.local/bin/firefox-esr which is all of:

#!/bin/sh
2> /dev/null 1> /dev/null cpulimit -l 50 firejail firefox-esr "$@" &

The directory ~/.local/bin is the first item in my $PATH.

glitsj16 commented 5 years ago

@Boruch-Baum Does that actually work? IMHO it would eternally loop, executing firefox-esr in ~/.local/bin on each iteration (causing even higher CPU usage and confusing your system into a fit). It would only work if you called firefox-esr in that shell script by its full path.

Boruch-Baum commented 5 years ago

@glitsj16 : Yup, it's how I'm writing this comment now - a firefox instance in a firejail under cpulimit, as launched by that wrapper script. Pretty cool, eh? I had started launching firefox under cpulimit years ago, without firejail, so it was just natural for me to try this. My guess is that firejail internally canonicalizes the path of \foo which would avoid the loop.

Fred-Barclay commented 5 years ago

Duplicate of #2608

Fred-Barclay commented 5 years ago

Also sorry for the noise! Was trying to use Github's "mark as duplicate" tool. Anyhow, this looks like it's similar to #2608 #2330 #1730

https://help.github.com/en/articles/about-duplicate-issues-and-pull-requests

glitsj16 commented 5 years ago

Upstream released Firefox 66, which carries a Linux-specific fix for Firefox freezing when downloading files (see release notes and bug report).

chiraag-nataraj commented 5 years ago

@mkkot Is your issue resolved?

mkkot commented 5 years ago

I will answer that when I get home next week. Can't check now.

mkkot commented 5 years ago

Firefox 66.0.2: [Image: screenshot 2019-05-23_22-39-53]

I think I will have to read about some performance visualizers to debug this issue.

glitsj16 commented 4 years ago

Closing this due to inactivity.