Closed x10an14 closed 3 years ago
Does `firejail --ignore=disable-mnt firefox` work?
> Does `firejail --ignore=disable-mnt firefox` work?

```
[2020-12-31 14:38:03] 1 x10an14@x10-desktop:~
-> $ firejail --ignore=disable-mnt firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 23477, child pid 23478
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 195.10 ms
Exec failed with error: Permission denied
Parent is shutting down, bye...
[2020-12-31 14:38:53] 255 x10an14@x10-desktop:~
-> $
```
Nope... =( But it changed the error message, though.
It is correct that `/opt` resides on a different mountpoint than `/{,home/}`, though.
> It is correct that `/opt` resides on a different mountpoint than `/{,home/}`, though.

The problem isn't that it has another partition/mount; the problem is that it seems to be mounted at `/mnt`, which is blacklisted by `disable-mnt`. If your setup allows you to mount it somewhere else, you can keep `disable-mnt`.
> Exec failed with error: Permission denied

Maybe AA makes it noexec. Try `firejail --ignore=disable-mnt --ignore=apparmor firefox`.
I have this too and I think the problem is that it is only a link:

```
in ~ ✦ ❯ ls -lha /usr/bin/firefox
lrwxrwxrwx 1 root root 22 18. Dez 02:09 /usr/bin/firefox -> ../lib/firefox/firefox
```

```
mdomann in sysiphus in ~ ✦ ❯ firejail --ignore=disable-mnt --ignore=apparmor firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /home/mdomann/.config/firejail/firefox.local
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 37947, child pid 37950
1 program installed in 0.73 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 66.83 ms
Error: no suitable firefox executable found
Parent is shutting down, bye...
```

`firejail --profile=/etc/firejail/firefox.profile /usr/lib/firefox/firefox` works
I don't know if my issue is related to this here, but I had similar issues that got solved by finding all the firefox executables and figuring out which one was not owned by root.
I think I had one in `/usr/bin/firefox` and one in `/usr/local/bin/firefox`.
I have no idea how that happened, but suddenly in the last week I had issues with firejail because of this. I have no idea what happened, so I installed the latest firejail version and then checked all the firefox executables by hand.
Useful commands are `type -a firefox` and `locate firefox | grep bin`.
/usr/local/bin/firefox is a link to the firejail binary created by the install. So that firefox should always run in firejail.
> Maybe AA makes it noexec. Try `firejail --ignore=disable-mnt --ignore=apparmor firefox`.

@rusty-snake was on-point, the `--ignore=apparmor` lets my Firefox start.
Is there some way of getting better error reports from firejail (as opposed to have to manually test/remove/add flags) to figure out exactly what stops the app from running?
But since it's apparmor (which is not activated for some reason when running without firejail) I guess that means we can close this issue =)
(Any hints/tips to properly debug apparmor would be much appreciated!)

> (Any hints/tips to properly debug apparmor would be much appreciated!)
@Vincent43 knows what to add to firejail-local in order to allow exec from /mnt.
PS: You can also create a firefox.local with `ignore disable-mnt` and `ignore apparmor`.

> PS: You can also create a firefox.local with `ignore disable-mnt` and `ignore apparmor`.
Is this firejail or apparmor specific?
firejail
Example: `mkdir -p ~/.config/firejail && echo "ignore apparmor" >> ~/.config/firejail/firefox.local && echo "ignore disable-mnt" >> ~/.config/firejail/firefox.local`
You can add a `/mnt/** ix,` line to `/etc/apparmor.d/local/firejail-default`, then restart apparmor or reboot the system.
For debugging apparmor stuff (not only for firejail) you may inspect `journalctl`, i.e. `journalctl --grep=DENIED`.
@rusty-snake please reopen. The solution above doesn't work for me, since programs like keepass try to load firefox and get stuck with no executable found.
Neither firefox nor any other binary will be started. firefox works with noprofile. I have firejail version 0.9.64 from debian unstable. I am trying to resolve this on my own:
EDIT by @rusty-snake: code-block and details tags for debug output.
> Reading profile /home/mdomann/.config/firejail/firefox.local

What's in it? Have you uncommented `private-etc` or `private-bin`? If it still fails, add the following at the very top of firefox.profile and try again.

```
ignore whitelist /usr/share
ignore whitelist ${HOME}
ignore dbus-user filter
ignore include firefox-common.profile
```

If it works now, remove one and try again to find which it is.
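The elimination procedure above (ignore every suspect directive, then put them back one at a time) can be scripted. This is an added example, not code from this thread or from the firejail project: `find_culprit`, `fake_runner` and `firejail_runner` are names chosen here, and the real runner's profile path and its `firefox --version` start check are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not from the thread or the firejail project: automate the
# elimination procedure described above. With every suspect directive
# ignored the program must start; then re-enable the suspects one at a
# time, and the first one whose return breaks the run is the directive
# that stops the program.
#
# A "runner" is a shell function that receives the directives to ignore as
# arguments and exits 0 if the program started. The runner below is a
# hypothetical shape (profile path and the `firefox --version` check are
# assumptions); the fake runner lets this script run without firejail.

# Hypothetical real runner: one --ignore=DIRECTIVE per argument, then ask
# firefox for its version inside the sandbox. --quiet, --profile and
# --ignore are existing firejail options.
firejail_runner() {
    flags=""
    for d in "$@"; do flags="$flags --ignore=$d"; done
    # shellcheck disable=SC2086  (word splitting of $flags is intended)
    firejail --quiet --profile=/etc/firejail/firefox.profile $flags firefox --version >/dev/null 2>&1
}

# Fake runner for the demo: the program only starts while private-bin is
# ignored, mirroring the uncommented private-bin line found in this thread.
fake_runner() {
    for d in "$@"; do
        if [ "$d" = "private-bin" ]; then
            return 0
        fi
    done
    return 1
}

# find_culprit RUNNER DIRECTIVE...
#   prints the directive that breaks the run and exits 0;
#   exits 2 if the program fails even with everything ignored (the cause
#   is outside the list); exits 1 if no single directive explains it.
find_culprit() {
    runner="$1"
    shift
    if ! "$runner" "$@"; then
        echo "still failing with all directives ignored: widen the list" >&2
        return 2
    fi
    for candidate in "$@"; do
        # Re-enable only the candidate: keep ignoring all the others.
        remaining=""
        for d in "$@"; do
            [ "$d" = "$candidate" ] || remaining="$remaining $d"
        done
        # shellcheck disable=SC2086  (word splitting of $remaining is intended)
        if ! "$runner" $remaining; then
            echo "$candidate"
            return 0
        fi
    done
    echo "no single directive explains the failure: try pairs or widen the list" >&2
    return 1
}

# Demo with the fake runner and the suspects named in the comment above
# (directive names only; the real profile lines carry arguments).
find_culprit fake_runner whitelist dbus-user include private-etc private-bin
# prints: private-bin
```

With a real profile, swap `fake_runner` for `firejail_runner`; a runner that writes the `ignore` lines into a temporary `firefox.local` instead of passing `--ignore` flags works the same way.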
Ahrg, it's my fault. I have added `private-bin keepassxc-proxy` to my firefox.local, which breaks the setup. I definitely need to create a roadmap for such tests for myself. Can be closed. Thanks a lot.
**Bug and expected behavior**

What did you expect to happen? Firefox to start.

**No profile and disabling firejail**

What changed calling `firejail --noprofile /path/to/program` in a terminal? firefox could start.
(`which <program>` or `firejail --list` while the sandbox is running)?

**Reproduce**

Steps to reproduce the behavior: `firejail firefox` or `firejail /opt/firefox/firefox`

**Environment**

- Linux distribution and version (ie output of `lsb_release -a`, `screenfetch` or `cat /etc/os-release`)
- Firejail version (output of `firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)

**Additional context**

Other context about the problem like related errors to understand the problem.

**Checklist**

- https://github.com/netblue30/firejail/issues/1139 )
- `--profile=PROFILENAME` is used to set the right profile.
- `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.
- `browser-allow-drm yes` / `browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.

debug output
/usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /usr/bin/gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /usr/bin/gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /bin/gcc-ar-8) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /bin/gcc-nm-8) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /bin/gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested /bin/gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /bin/gcc-ranlib-8) Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested /bin/gcc-8) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /bin/gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /bin/gcc-ar) Disable /usr/bin/gdb Disable /usr/bin/gdb (requested /bin/gdb) Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /usr/bin/ld) Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /bin/ld) Disable /usr/bin/avr-gcc-nm Disable /usr/bin/arm-none-eabi-gcc Disable /usr/bin/arm-none-eabi-gcc-ranlib Disable /usr/bin/c89-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-8 Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /usr/bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/arm-none-eabi-gcc-nm Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/avr-gcc-5.4.0 Disable /usr/bin/avr-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 Disable /usr/bin/avr-gcc-ar Disable /usr/bin/arm-none-eabi-gcc-7.3.1 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /usr/bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/arm-none-eabi-gcc-ar Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested /usr/bin/x86_64-linux-gnu-gcc) Disable /usr/bin/c99-gcc Disable /usr/bin/avr-gcc-ranlib Disable /usr/bin/avr-gcc-nm (requested /bin/avr-gcc-nm) Disable /usr/bin/arm-none-eabi-gcc (requested /bin/arm-none-eabi-gcc) Disable /usr/bin/arm-none-eabi-gcc-ranlib (requested 
/bin/arm-none-eabi-gcc-ranlib) Disable /usr/bin/c89-gcc (requested /bin/c89-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested /bin/x86_64-linux-gnu-gcc-8) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/arm-none-eabi-gcc-nm (requested /bin/arm-none-eabi-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/avr-gcc-5.4.0 (requested /bin/avr-gcc-5.4.0) Disable /usr/bin/avr-gcc (requested /bin/avr-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /bin/x86_64-linux-gnu-gcc-nm-8) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /bin/x86_64-linux-gnu-gcc-ar-8) Disable /usr/bin/avr-gcc-ar (requested /bin/avr-gcc-ar) Disable /usr/bin/arm-none-eabi-gcc-7.3.1 (requested /bin/arm-none-eabi-gcc-7.3.1) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/arm-none-eabi-gcc-ar (requested /bin/arm-none-eabi-gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /bin/x86_64-linux-gnu-gcc-ranlib-8) Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested /bin/x86_64-linux-gnu-gcc) Disable /usr/bin/c99-gcc (requested /bin/c99-gcc) Disable /usr/bin/avr-gcc-ranlib (requested /bin/avr-gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-g++-8 Disable /usr/bin/x86_64-linux-gnu-g++-8 (requested /usr/bin/x86_64-linux-gnu-g++) Disable /usr/bin/avr-g++ Disable /usr/bin/arm-none-eabi-g++ Disable /usr/bin/x86_64-linux-gnu-g++-8 (requested /bin/x86_64-linux-gnu-g++-8) Disable /usr/bin/x86_64-linux-gnu-g++-8 (requested /bin/x86_64-linux-gnu-g++) Disable /usr/bin/avr-g++ (requested /bin/avr-g++) Disable /usr/bin/arm-none-eabi-g++ (requested /bin/arm-none-eabi-g++) Disable /usr/bin/avr-gcc-nm Disable /usr/bin/arm-none-eabi-gcc Disable /usr/bin/arm-none-eabi-gcc-ranlib Disable /usr/bin/c89-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-8 Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /usr/bin/x86_64-linux-gnu-gcc-nm) 
Disable /usr/bin/arm-none-eabi-gcc-nm Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/avr-gcc-5.4.0 Disable /usr/bin/avr-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 Disable /usr/bin/avr-gcc-ar Disable /usr/bin/arm-none-eabi-gcc-7.3.1 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /usr/bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/arm-none-eabi-gcc-ar Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested /usr/bin/x86_64-linux-gnu-gcc) Disable /usr/bin/c99-gcc Disable /usr/bin/avr-gcc-ranlib Disable /usr/bin/avr-gcc-nm (requested /bin/avr-gcc-nm) Disable /usr/bin/arm-none-eabi-gcc (requested /bin/arm-none-eabi-gcc) Disable /usr/bin/arm-none-eabi-gcc-ranlib (requested /bin/arm-none-eabi-gcc-ranlib) Disable /usr/bin/c89-gcc (requested /bin/c89-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested /bin/x86_64-linux-gnu-gcc-8) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/arm-none-eabi-gcc-nm (requested /bin/arm-none-eabi-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/avr-gcc-5.4.0 (requested /bin/avr-gcc-5.4.0) Disable /usr/bin/avr-gcc (requested /bin/avr-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-8 (requested /bin/x86_64-linux-gnu-gcc-nm-8) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /bin/x86_64-linux-gnu-gcc-ar-8) Disable /usr/bin/avr-gcc-ar (requested /bin/avr-gcc-ar) Disable /usr/bin/arm-none-eabi-gcc-7.3.1 (requested /bin/arm-none-eabi-gcc-7.3.1) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-8 (requested /bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/arm-none-eabi-gcc-ar (requested /bin/arm-none-eabi-gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-8 (requested /bin/x86_64-linux-gnu-gcc-ranlib-8) Disable /usr/bin/x86_64-linux-gnu-gcc-8 (requested 
/bin/x86_64-linux-gnu-gcc) Disable /usr/bin/c99-gcc (requested /bin/c99-gcc) Disable /usr/bin/avr-gcc-ranlib (requested /bin/avr-gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-g++-8 Disable /usr/bin/x86_64-linux-gnu-g++-8 (requested /usr/bin/x86_64-linux-gnu-g++) Disable /usr/bin/avr-g++ Disable /usr/bin/arm-none-eabi-g++ Disable /usr/bin/x86_64-linux-gnu-g++-8 (requested /bin/x86_64-linux-gnu-g++-8) Disable /usr/bin/x86_64-linux-gnu-g++-8 (requested /bin/x86_64-linux-gnu-g++) Disable /usr/bin/avr-g++ (requested /bin/avr-g++) Disable /usr/bin/arm-none-eabi-g++ (requested /bin/arm-none-eabi-g++) Disable /usr/include Disable /usr/local/go/bin/go Disable /usr/local/go/bin/gofmt Disable /usr/share/java Disable /usr/bin/openssl Disable /usr/bin/openssl (requested /bin/openssl) Disable /usr/lib/valgrind Disable /usr/share/texlive/texmf-dist/scripts/luaotfload/luaotfload-tool.lua (requested /usr/bin/luaotfload-tool) Disable /usr/bin/luatex53 Disable /usr/bin/luatex (requested /usr/bin/lualatex) Disable /usr/bin/luatex Disable /usr/share/texlive/texmf-dist/scripts/lua2dox/lua2dox_filter (requested /usr/bin/lua2dox_filter) Disable /usr/bin/luajittex Disable /usr/bin/luatools Disable /usr/share/texlive/texmf-dist/scripts/luaotfload/luaotfload-tool.lua (requested /bin/luaotfload-tool) Disable /usr/bin/luatex53 (requested /bin/luatex53) Disable /usr/bin/luatex (requested /bin/lualatex) Disable /usr/bin/luatex (requested /bin/luatex) Disable /usr/share/texlive/texmf-dist/scripts/lua2dox/lua2dox_filter (requested /bin/lua2dox_filter) Disable /usr/bin/luajittex (requested /bin/luajittex) Disable /usr/bin/luatools (requested /bin/luatools) Disable /usr/share/lua Disable /usr/bin/node Disable /usr/bin/node (requested /bin/node) Disable /usr/bin/cpan5.28-x86_64-linux-gnu Disable /usr/bin/cpan5.28-i386-linux-gnu Disable /usr/bin/cpan Disable /usr/bin/cpan5.28-x86_64-linux-gnu (requested /bin/cpan5.28-x86_64-linux-gnu) Disable /usr/bin/cpan5.28-i386-linux-gnu (requested 
/bin/cpan5.28-i386-linux-gnu) Disable /usr/bin/cpan (requested /bin/cpan) Disable /usr/bin/perl Disable /usr/bin/perl (requested /bin/perl) Disable /usr/share/perl Disable /usr/share/perl-openssl-defaults Disable /usr/share/perl5 Disable /usr/bin/ruby2.5 (requested /usr/bin/ruby) Disable /usr/bin/ruby2.5 (requested /bin/ruby) Disable /usr/lib/ruby Disable /usr/bin/python2-pasteurize Disable /usr/bin/python2.7 Disable /usr/bin/python2.7 (requested /usr/bin/python2) Disable /usr/bin/python2-futurize Disable /usr/bin/python2-pasteurize (requested /bin/python2-pasteurize) Disable /usr/bin/python2.7 (requested /bin/python2.7) Disable /usr/bin/python2.7 (requested /bin/python2) Disable /usr/bin/python2-futurize (requested /bin/python2-futurize) Disable /usr/lib/python2.6 Disable /usr/lib/python2.7 Disable /usr/local/lib/python2.7 Disable /usr/bin/x86_64-linux-gnu-python3.7m-config (requested /usr/bin/python3.7-config) Disable /usr/bin/python3.7m (requested /usr/bin/python3m) Disable /usr/bin/python3.7m Disable /usr/bin/x86_64-linux-gnu-python3.7m-config (requested /usr/bin/python3-config) Disable /usr/bin/x86_64-linux-gnu-python3.7m-config (requested /usr/bin/python3m-config) Disable /usr/bin/x86_64-linux-gnu-python3.7m-config (requested /usr/bin/python3.7m-config) Disable /usr/bin/python3.7 Disable /usr/bin/python3.7 (requested /usr/bin/python3) Disable /usr/bin/x86_64-linux-gnu-python3.7m-config (requested /bin/python3.7-config) Disable /usr/bin/python3.7m (requested /bin/python3m) Disable /usr/bin/python3.7m (requested /bin/python3.7m) Disable /usr/bin/x86_64-linux-gnu-python3.7m-config (requested /bin/python3-config) Disable /usr/bin/x86_64-linux-gnu-python3.7m-config (requested /bin/python3m-config) Disable /usr/bin/x86_64-linux-gnu-python3.7m-config (requested /bin/python3.7m-config) Disable /usr/bin/python3.7 (requested /bin/python3.7) Disable /usr/bin/python3.7 (requested /bin/python3) Disable /usr/lib/python3.7 Disable /usr/lib/python3 Disable 
/usr/local/lib/python3.7 Disable /usr/share/python3 Not blacklist /home/x10an14/.mozilla Not blacklist /home/x10an14/.cache/mozilla Mounting read-only /home/x10an14/.config/user-dirs.dirs Mounting noexec /tmp Mounting noexec /tmp/.X11-unix Mounting noexec /tmp/pulse-PKdhtXMmr18n Disable /sys/fs Disable /sys/module Disable /mnt Disable /media Disable /run/mount Mounting noexec /run/firejail/mnt/pulse Creating empty /home/x10an14/.config/pulse directory Drop privileges: pid 6, uid 1000, gid 1000, nogroups 0 Supplementary groups: 29 44 1514 679 0:48 /pulse /home/x10an14/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755 mountid=1514 fsname=/pulse dir=/home/x10an14/.config/pulse fstype=tmpfs blacklist /dev/dvb blacklist /dev/sr0 blacklist /dev/hidraw0 blacklist /dev/hidraw1 blacklist /dev/hidraw2 blacklist /dev/hidraw3 blacklist /dev/hidraw4 blacklist /dev/hidraw5 blacklist /dev/hidraw6 blacklist /dev/hidraw7 blacklist /dev/hidraw8 blacklist /dev/hidraw9 blacklist /dev/usb Create the new ld.so.preload file Post-exec seccomp protector enabled Mount the new ld.so.preload file Current directory: /home/x10an14 DISPLAY=:0 parsed as 0 Install protocol filter: unix,inet,inet6,netlink configuring 16 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol (null) Dropping all capabilities Drop privileges: pid 7, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 01 00 00000029 jeq socket 0006 (false 0005) 0005: 06 00 00 7fff0000 ret ALLOW 0006: 20 00 00 00000010 ld data.args[0] 0007: 15 00 01 00000001 jeq 1 0008 (false 0009) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 15 00 01 00000002 jeq 2 000a (false 000b) 000a: 06 00 00 
7fff0000 ret ALLOW 000b: 15 00 01 0000000a jeq a 000c (false 000d) 000c: 06 00 00 7fff0000 ret ALLOW 000d: 15 00 01 00000010 jeq 10 000e (false 000f) 000e: 06 00 00 7fff0000 ret ALLOW 000f: 06 00 00 0005005f ret ERRNO(95) Build drop seccomp filter sbox run: /run/firejail/lib/fseccomp drop /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.postexec @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice (null) Dropping all capabilities Drop privileges: pid 8, uid 1000, gid 1000, nogroups 1 No supplementary groups Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: 
adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice, sbox run: /run/firejail/lib/fsec-optimize /run/firejail/mnt/seccomp/seccomp (null) Dropping all capabilities Drop privileges: pid 9, uid 1000, gid 1000, nogroups 1 No supplementary groups configuring 73 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp (null) Dropping all capabilities Drop privileges: pid 10, uid 1000, gid 1000, nogroups 1 No supplementary groups line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 40 00 0000009f jeq adjtimex 0048 (false 0008) 0008: 15 3f 00 00000131 jeq clock_adjtime 0048 (false 0009) 0009: 15 3e 00 000000e3 jeq clock_settime 0048 (false 000a) 000a: 15 3d 00 000000a4 jeq settimeofday 0048 (false 000b) 000b: 15 3c 00 0000009a jeq modify_ldt 0048 (false 000c) 000c: 15 3b 00 000000d4 jeq lookup_dcookie 0048 (false 000d) 000d: 15 3a 00 0000012a jeq perf_event_open 0048 (false 000e) 000e: 15 39 00 00000137 jeq process_vm_writev 0048 (false 000f) 000f: 
15 38 00 000000b0 jeq delete_module 0048 (false 0010) 0010: 15 37 00 00000139 jeq finit_module 0048 (false 0011) 0011: 15 36 00 000000af jeq init_module 0048 (false 0012) 0012: 15 35 00 0000009c jeq _sysctl 0048 (false 0013) 0013: 15 34 00 000000b7 jeq afs_syscall 0048 (false 0014) 0014: 15 33 00 000000ae jeq create_module 0048 (false 0015) 0015: 15 32 00 000000b1 jeq get_kernel_syms 0048 (false 0016) 0016: 15 31 00 000000b5 jeq getpmsg 0048 (false 0017) 0017: 15 30 00 000000b6 jeq putpmsg 0048 (false 0018) 0018: 15 2f 00 000000b2 jeq query_module 0048 (false 0019) 0019: 15 2e 00 000000b9 jeq security 0048 (false 001a) 001a: 15 2d 00 0000008b jeq sysfs 0048 (false 001b) 001b: 15 2c 00 000000b8 jeq tuxcall 0048 (false 001c) 001c: 15 2b 00 00000086 jeq uselib 0048 (false 001d) 001d: 15 2a 00 00000088 jeq ustat 0048 (false 001e) 001e: 15 29 00 000000ec jeq vserver 0048 (false 001f) 001f: 15 28 00 000000ad jeq ioperm 0048 (false 0020) 0020: 15 27 00 000000ac jeq iopl 0048 (false 0021) 0021: 15 26 00 000000f6 jeq kexec_load 0048 (false 0022) 0022: 15 25 00 00000140 jeq kexec_file_load 0048 (false 0023) 0023: 15 24 00 000000a9 jeq reboot 0048 (false 0024) 0024: 15 23 00 000000ee jeq set_mempolicy 0048 (false 0025) 0025: 15 22 00 00000100 jeq migrate_pages 0048 (false 0026) 0026: 15 21 00 00000117 jeq move_pages 0048 (false 0027) 0027: 15 20 00 000000ed jeq mbind 0048 (false 0028) 0028: 15 1f 00 000000a7 jeq swapon 0048 (false 0029) 0029: 15 1e 00 000000a8 jeq swapoff 0048 (false 002a) 002a: 15 1d 00 000000a3 jeq acct 0048 (false 002b) 002b: 15 1c 00 000000f8 jeq add_key 0048 (false 002c) 002c: 15 1b 00 00000141 jeq bpf 0048 (false 002d) 002d: 15 1a 00 0000012c jeq fanotify_init 0048 (false 002e) 002e: 15 19 00 000000d2 jeq io_cancel 0048 (false 002f) 002f: 15 18 00 000000cf jeq io_destroy 0048 (false 0030) 0030: 15 17 00 000000d0 jeq io_getevents 0048 (false 0031) 0031: 15 16 00 000000ce jeq io_setup 0048 (false 0032) 0032: 15 15 00 000000d1 jeq io_submit 0048 (false 
0033) 0033: 15 14 00 000000fb jeq ioprio_set 0048 (false 0034) 0034: 15 13 00 00000138 jeq kcmp 0048 (false 0035) 0035: 15 12 00 000000fa jeq keyctl 0048 (false 0036) 0036: 15 11 00 000000a5 jeq mount 0048 (false 0037) 0037: 15 10 00 0000012f jeq name_to_handle_at 0048 (false 0038) 0038: 15 0f 00 000000b4 jeq nfsservctl 0048 (false 0039) 0039: 15 0e 00 00000130 jeq open_by_handle_at 0048 (false 003a) 003a: 15 0d 00 00000087 jeq personality 0048 (false 003b) 003b: 15 0c 00 0000009b jeq pivot_root 0048 (false 003c) 003c: 15 0b 00 00000136 jeq process_vm_readv 0048 (false 003d) 003d: 15 0a 00 00000065 jeq ptrace 0048 (false 003e) 003e: 15 09 00 000000d8 jeq remap_file_pages 0048 (false 003f) 003f: 15 08 00 000000f9 jeq request_key 0048 (false 0040) 0040: 15 07 00 000000ab jeq setdomainname 0048 (false 0041) 0041: 15 06 00 000000aa jeq sethostname 0048 (false 0042) 0042: 15 05 00 00000067 jeq syslog 0048 (false 0043) 0043: 15 04 00 000000a6 jeq umount2 0048 (false 0044) 0044: 15 03 00 00000143 jeq userfaultfd 0048 (false 0045) 0045: 15 02 00 00000099 jeq vhangup 0048 (false 0046) 0046: 15 01 00 00000116 jeq vmsplice 0048 (false 0047) 0047: 06 00 00 7fff0000 ret ALLOW 0048: 06 00 00 00000000 ret KILL seccomp filter configured Mounting read-only /run/firejail/mnt/seccomp Dropping all capabilities noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1 No supplementary groups AppArmor enabled starting application LD_PRELOAD=(null) execvp argument 0: firefox Child process initialized in 175.54 ms Searching $PATH for firefox trying #/home/x10an14/.sdkman/candidates/maven/current/bin/firefox# trying #/home/x10an14/.sdkman/candidates/java/current/bin/firefox# trying #/usr/lib/google-cloud-sdk/bin/firefox# trying #/home/x10an14/Documents/github/pyenv/shims/firefox# trying #/home/x10an14/Documents/github/pyenv/bin/firefox# trying #/home/x10an14/.volta//bin/firefox# trying 
#/home/x10an14/.cargo/bin/firefox# trying #/home/x10an14/.cargo/bin/firefox# trying #/home/x10an14/.dotnet/tools/firefox# trying #/home/x10an14/.kubectx/firefox# trying #/home/x10an14/.local/bin/firefox# trying #/usr/local/bin/firefox# trying #/usr/bin/firefox# trying #/bin/firefox# trying #/usr/local/games/firefox# trying #/usr/games/firefox# trying #/usr/local/go/bin/firefox# trying #/home/x10an14/go/bin/firefox# trying #/usr/sbin/firefox# Installing /run/firejail/mnt/seccomp/seccomp seccomp filter Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter Error: no suitable firefox executable found monitoring pid 11 Sandbox monitor: waitpid 11 retval 11 status 256 Parent is shutting down, bye... [2020-12-31 13:35:44] 1 x10an14@x10-desktop:~ -> $ ```