netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

blacklisting ${HOME}/.netrc blocks internet access for SRBMiner 0.7.5+ #4331

Closed christianskou07 closed 3 years ago

christianskou07 commented 3 years ago

Bug and expected behavior

Running SRBMiner with firejail using the default profile blocks internet access, causing the miner not to work properly (crashing upon startup). However, for a period of time it was working without any issues. I have narrowed it down to whether or not the line blacklist ${HOME}/.netrc in /etc/firejail/disable-common.inc is commented out makes the difference.

SRBMiner 0.7.5 and 0.7.6.

Reproduce

Steps to reproduce the behavior: Setup SRBMiner using --setup, thereafter run the generated start script with firejail.

debug output

It should be noted that a rather large part of `/etc/firejail/disable-common.inc` is commented out when reading the output below.

```
Autoselecting /bin/bash as shell
Building quoted command line: './SRBMiner-MULTI' '--algorithm' 'autolykos2' '--pool' 'stratum+ssl://ergo.herominers.com:10250' '--wallet' 'wallet' '--password' '' '--cpu-threads' '-1' '--log-file' 'log-ergo.txt' '--extended-log'
Command name #SRBMiner-MULTI#
Attempting to find default.profile...
Found default.profile profile in /etc/firejail directory
Reading profile /etc/firejail/default.profile
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
DISPLAY=:0.0 parsed as 0
Using the local network stack
Parent pid 3030, child pid 3031
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 1000, nogroups 1
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
534 493 8:7 /etc /etc ro,noatime master:1 - ext4 /dev/sda7 rw
mountid=534 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
535 534 8:7 /etc /etc ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/sda7 rw
mountid=535 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
536 493 8:7 /var /var ro,noatime master:1 - ext4 /dev/sda7 rw
mountid=536 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
537 536 8:7 /var /var ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/sda7 rw
mountid=537 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
538 493 8:7 /usr /usr ro,noatime master:1 - ext4 /dev/sda7 rw
mountid=538 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/chr1s/.gnupg
Disable /home/chr1s/.local/share/keyrings
Disable /home/chr1s/.netrc
Disable /home/chr1s/.pki
Disable /home/chr1s/.ssh
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /home/chr1s/Arduino
Disable /home/chr1s/.android
Disable /home/chr1s/.arduino15
Disable /home/chr1s/.config/BraveSoftware
Disable /home/chr1s/.config/Code - OSS
Disable /home/chr1s/.config/GIMP
Disable /home/chr1s/.config/Mousepad
Disable /home/chr1s/.config/Thunar
Disable /home/chr1s/.config/catfish
Disable /home/chr1s/.config/chromium
Disable /home/chr1s/.config/discord
Disable /home/chr1s/.config/falkon
Disable /home/chr1s/.config/galculator
Disable /home/chr1s/.config/google-chrome
Disable /home/chr1s/.config/libreoffice
Disable /home/chr1s/.local/share/man
Disable /home/chr1s/.config/mpv
Disable /home/chr1s/.config/pavucontrol.ini
Disable /home/chr1s/.config/Pinta
Disable /home/chr1s/.config/qpdfview
Disable /home/chr1s/.config/spotify
Disable /home/chr1s/.config/torbrowser
Disable /home/chr1s/.config/viewnior
Disable /home/chr1s/.config/vlc
Disable /home/chr1s/.config/wireshark
Disable /home/chr1s/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
Disable /home/chr1s/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
Disable /home/chr1s/.config/youtube-dl
Disable /home/chr1s/.gitconfig
Disable /home/chr1s/.java
Disable /home/chr1s/.local/share/JetBrains
Disable /home/chr1s/.local/share/qpdfview
Disable /home/chr1s/.local/share/torbrowser
Disable /home/chr1s/.local/share/vlc
Disable /home/chr1s/.mozilla
Disable /home/chr1s/.nanorc
Disable /home/chr1s/.nv
Disable /home/chr1s/.pylint.d
Disable /home/chr1s/.thunderbird
Disable /home/chr1s/.vscode-oss
Disable /home/chr1s/.wget-hsts
Disable /home/chr1s/.xournalpp
Disable /tmp/ssh-XXXXXXx0uZFd
Disable /home/chr1s/.cache/babl
Disable /home/chr1s/.cache/chromium
Disable /home/chr1s/.cache/gegl-0.4
Disable /home/chr1s/.cache/gimp
Disable /home/chr1s/.cache/mozilla
Disable /home/chr1s/.cache/pip
Disable /home/chr1s/.cache/spotify
Disable /home/chr1s/.cache/thunderbird
Disable /home/chr1s/.cache/torbrowser
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
975 531 0:55 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=975 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/chr1s/.config/pulse
976 545 0:55 /pulse /home/chr1s/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=976 fsname=/pulse dir=/home/chr1s/.config/pulse fstype=tmpfs
Current directory: /home/chr1s/Documents/miners/SRBMiner-Multi-0-7-5
DISPLAY=:0.0 parsed as 0
Install protocol filter: unix,inet,inet6
configuring 20 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol
Dropping all capabilities
Drop privileges: pid 3, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 04 00 c000003e   jeq ARCH_64 0006 (false 0002)
 0002: 20 00 00 00000000   ld  data.syscall-number
 0003: 15 01 00 00000167   jeq unknown 0005 (false 0004)
 0004: 06 00 00 7fff0000   ret ALLOW
 0005: 05 00 00 00000006   jmp 000c
 0006: 20 00 00 00000004   ld  data.architecture
 0007: 15 01 00 c000003e   jeq ARCH_64 0009 (false 0008)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 20 00 00 00000000   ld  data.syscall-number
 000a: 15 01 00 00000029   jeq socket 000c (false 000b)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 20 00 00 00000010   ld  data.args[0]
 000d: 15 00 01 00000001   jeq 1 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 15 00 01 00000002   jeq 2 0010 (false 0011)
 0010: 06 00 00 7fff0000   ret ALLOW
 0011: 15 00 01 0000000a   jeq a 0012 (false 0013)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 06 00 00 0005005f   ret ERRNO(95)
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32
Dropping all capabilities
Drop privileges: pid 4, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 00 01 00000015   jeq 15 0005 (false 0006)
 0005: 06 00 00 00000001   ret KILL
 0006: 15 00 01 00000034   jeq 34 0007 (false 0008)
 0007: 06 00 00 00000001   ret KILL
 0008: 15 00 01 0000001a   jeq 1a 0009 (false 000a)
 0009: 06 00 00 00000001   ret KILL
 000a: 15 00 01 0000011b   jeq 11b 000b (false 000c)
 000b: 06 00 00 00000001   ret KILL
 000c: 15 00 01 00000155   jeq 155 000d (false 000e)
 000d: 06 00 00 00000001   ret KILL
 000e: 15 00 01 00000156   jeq 156 000f (false 0010)
 000f: 06 00 00 00000001   ret KILL
 0010: 15 00 01 0000007f   jeq 7f 0011 (false 0012)
 0011: 06 00 00 00000001   ret KILL
 0012: 15 00 01 00000080   jeq 80 0013 (false 0014)
 0013: 06 00 00 00000001   ret KILL
 0014: 15 00 01 0000015e   jeq 15e 0015 (false 0016)
 0015: 06 00 00 00000001   ret KILL
 0016: 15 00 01 00000081   jeq 81 0017 (false 0018)
 0017: 06 00 00 00000001   ret KILL
 0018: 15 00 01 0000006e   jeq 6e 0019 (false 001a)
 0019: 06 00 00 00000001   ret KILL
 001a: 15 00 01 00000065   jeq 65 001b (false 001c)
 001b: 06 00 00 00000001   ret KILL
 001c: 15 00 01 00000121   jeq 121 001d (false 001e)
 001d: 06 00 00 00000001   ret KILL
 001e: 15 00 01 00000057   jeq 57 001f (false 0020)
 001f: 06 00 00 00000001   ret KILL
 0020: 15 00 01 00000073   jeq 73 0021 (false 0022)
 0021: 06 00 00 00000001   ret KILL
 0022: 15 00 01 00000067   jeq 67 0023 (false 0024)
 0023: 06 00 00 00000001   ret KILL
 0024: 15 00 01 0000015b   jeq 15b 0025 (false 0026)
 0025: 06 00 00 00000001   ret KILL
 0026: 15 00 01 0000015c   jeq 15c 0027 (false 0028)
 0027: 06 00 00 00000001   ret KILL
 0028: 15 00 01 00000087   jeq 87 0029 (false 002a)
 0029: 06 00 00 00000001   ret KILL
 002a: 15 00 01 00000095   jeq 95 002b (false 002c)
 002b: 06 00 00 00000001   ret KILL
 002c: 15 00 01 0000007c   jeq 7c 002d (false 002e)
 002d: 06 00 00 00000001   ret KILL
 002e: 15 00 01 00000157   jeq 157 002f (false 0030)
 002f: 06 00 00 00000001   ret KILL
 0030: 15 00 01 000000fd   jeq fd 0031 (false 0032)
 0031: 06 00 00 00000001   ret KILL
 0032: 15 00 01 00000150   jeq 150 0033 (false 0034)
 0033: 06 00 00 00000001   ret KILL
 0034: 15 00 01 00000152   jeq 152 0035 (false 0036)
 0035: 06 00 00 00000001   ret KILL
 0036: 15 00 01 0000015d   jeq 15d 0037 (false 0038)
 0037: 06 00 00 00000001   ret KILL
 0038: 15 00 01 0000011e   jeq 11e 0039 (false 003a)
 0039: 06 00 00 00000001   ret KILL
 003a: 15 00 01 0000011f   jeq 11f 003b (false 003c)
 003b: 06 00 00 00000001   ret KILL
 003c: 15 00 01 00000120   jeq 120 003d (false 003e)
 003d: 06 00 00 00000001   ret KILL
 003e: 15 00 01 00000056   jeq 56 003f (false 0040)
 003f: 06 00 00 00000001   ret KILL
 0040: 15 00 01 00000033   jeq 33 0041 (false 0042)
 0041: 06 00 00 00000001   ret KILL
 0042: 15 00 01 0000007b   jeq 7b 0043 (false 0044)
 0043: 06 00 00 00000001   ret KILL
 0044: 15 00 01 000000d9   jeq d9 0045 (false 0046)
 0045: 06 00 00 00000001   ret KILL
 0046: 15 00 01 000000f5   jeq f5 0047 (false 0048)
 0047: 06 00 00 00000001   ret KILL
 0048: 15 00 01 000000f6   jeq f6 0049 (false 004a)
 0049: 06 00 00 00000001   ret KILL
 004a: 15 00 01 000000f7   jeq f7 004b (false 004c)
 004b: 06 00 00 00000001   ret KILL
 004c: 15 00 01 000000f8   jeq f8 004d (false 004e)
 004d: 06 00 00 00000001   ret KILL
 004e: 15 00 01 000000f9   jeq f9 004f (false 0050)
 004f: 06 00 00 00000001   ret KILL
 0050: 15 00 01 00000101   jeq 101 0051 (false 0052)
 0051: 06 00 00 00000001   ret KILL
 0052: 15 00 01 00000112   jeq 112 0053 (false 0054)
 0053: 06 00 00 00000001   ret KILL
 0054: 15 00 01 00000114   jeq 114 0055 (false 0056)
 0055: 06 00 00 00000001   ret KILL
 0056: 15 00 01 00000126   jeq 126 0057 (false 0058)
 0057: 06 00 00 00000001   ret KILL
 0058: 15 00 01 0000013d   jeq 13d 0059 (false 005a)
 0059: 06 00 00 00000001   ret KILL
 005a: 15 00 01 0000013c   jeq 13c 005b (false 005c)
 005b: 06 00 00 00000001   ret KILL
 005c: 15 00 01 0000003d   jeq 3d 005d (false 005e)
 005d: 06 00 00 00000001   ret KILL
 005e: 15 00 01 00000058   jeq 58 005f (false 0060)
 005f: 06 00 00 00000001   ret KILL
 0060: 15 00 01 000000a9   jeq a9 0061 (false 0062)
 0061: 06 00 00 00000001   ret KILL
 0062: 15 00 01 00000082   jeq 82 0063 (false 0064)
 0063: 06 00 00 00000001   ret KILL
 0064: 06 00 00 7fff0000   ret ALLOW
Dual 32/64 bit seccomp filter configured
configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
Drop privileges: pid 5, uid 1000, gid 1000, nogroups 1
No supplementary groups
 line  OP JT JF K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 01 0000009f   jeq adjtimex 0008 (false 0009)
 0008: 06 00 00 00000001   ret KILL
 0009: 15 00 01 00000131   jeq clock_adjtime 000a (false 000b)
 000a: 06 00 00 00000001   ret KILL
 000b: 15 00 01 000000e3   jeq clock_settime 000c (false 000d)
 000c: 06 00 00 00000001   ret KILL
 000d: 15 00 01 000000a4   jeq settimeofday 000e (false 000f)
 000e: 06 00 00 00000001   ret KILL
 000f: 15 00 01 0000009a   jeq modify_ldt 0010 (false 0011)
 0010: 06 00 00 00000001   ret KILL
 0011: 15 00 01 000000d4   jeq lookup_dcookie 0012 (false 0013)
 0012: 06 00 00 00000001   ret KILL
 0013: 15 00 01 0000012a   jeq perf_event_open 0014 (false 0015)
 0014: 06 00 00 00000001   ret KILL
 0015: 15 00 01 00000137   jeq process_vm_writev 0016 (false 0017)
 0016: 06 00 00 00000001   ret KILL
 0017: 15 00 01 000000b0   jeq delete_module 0018 (false 0019)
 0018: 06 00 00 00000001   ret KILL
 0019: 15 00 01 00000139   jeq finit_module 001a (false 001b)
 001a: 06 00 00 00000001   ret KILL
 001b: 15 00 01 000000af   jeq init_module 001c (false 001d)
 001c: 06 00 00 00000001   ret KILL
 001d: 15 00 01 000000a1   jeq chroot 001e (false 001f)
 001e: 06 00 00 00000001   ret KILL
 001f: 15 00 01 000000a5   jeq mount 0020 (false 0021)
 0020: 06 00 00 00000001   ret KILL
 0021: 15 00 01 0000009b   jeq pivot_root 0022 (false 0023)
 0022: 06 00 00 00000001   ret KILL
 0023: 15 00 01 000000a6   jeq umount2 0024 (false 0025)
 0024: 06 00 00 00000001   ret KILL
 0025: 15 00 01 0000009c   jeq _sysctl 0026 (false 0027)
 0026: 06 00 00 00000001   ret KILL
 0027: 15 00 01 000000b7   jeq afs_syscall 0028 (false 0029)
 0028: 06 00 00 00000001   ret KILL
 0029: 15 00 01 000000ae   jeq create_module 002a (false 002b)
 002a: 06 00 00 00000001   ret KILL
 002b: 15 00 01 000000b1   jeq get_kernel_syms 002c (false 002d)
 002c: 06 00 00 00000001   ret KILL
 002d: 15 00 01 000000b5   jeq getpmsg 002e (false 002f)
 002e: 06 00 00 00000001   ret KILL
 002f: 15 00 01 000000b6   jeq putpmsg 0030 (false 0031)
 0030: 06 00 00 00000001   ret KILL
 0031: 15 00 01 000000b2   jeq query_module 0032 (false 0033)
 0032: 06 00 00 00000001   ret KILL
 0033: 15 00 01 000000b9   jeq security 0034 (false 0035)
 0034: 06 00 00 00000001   ret KILL
 0035: 15 00 01 0000008b   jeq sysfs 0036 (false 0037)
 0036: 06 00 00 00000001   ret KILL
 0037: 15 00 01 000000b8   jeq tuxcall 0038 (false 0039)
 0038: 06 00 00 00000001   ret KILL
 0039: 15 00 01 00000086   jeq uselib 003a (false 003b)
 003a: 06 00 00 00000001   ret KILL
 003b: 15 00 01 00000088   jeq ustat 003c (false 003d)
 003c: 06 00 00 00000001   ret KILL
 003d: 15 00 01 000000ec   jeq vserver 003e (false 003f)
 003e: 06 00 00 00000001   ret KILL
 003f: 15 00 01 000000ad   jeq ioperm 0040 (false 0041)
 0040: 06 00 00 00000001   ret KILL
 0041: 15 00 01 000000ac   jeq iopl 0042 (false 0043)
 0042: 06 00 00 00000001   ret KILL
 0043: 15 00 01 000000f6   jeq kexec_load 0044 (false 0045)
 0044: 06 00 00 00000001   ret KILL
 0045: 15 00 01 00000140   jeq kexec_file_load 0046 (false 0047)
 0046: 06 00 00 00000001   ret KILL
 0047: 15 00 01 000000a9   jeq reboot 0048 (false 0049)
 0048: 06 00 00 00000001   ret KILL
 0049: 15 00 01 000000a7   jeq swapon 004a (false 004b)
 004a: 06 00 00 00000001   ret KILL
 004b: 15 00 01 000000a8   jeq swapoff 004c (false 004d)
 004c: 06 00 00 00000001   ret KILL
 004d: 15 00 01 00000130   jeq open_by_handle_at 004e (false 004f)
 004e: 06 00 00 00000001   ret KILL
 004f: 15 00 01 0000012f   jeq name_to_handle_at 0050 (false 0051)
 0050: 06 00 00 00000001   ret KILL
 0051: 15 00 01 000000fb   jeq ioprio_set 0052 (false 0053)
 0052: 06 00 00 00000001   ret KILL
 0053: 15 00 01 00000067   jeq syslog 0054 (false 0055)
 0054: 06 00 00 00000001   ret KILL
 0055: 15 00 01 0000012c   jeq fanotify_init 0056 (false 0057)
 0056: 06 00 00 00000001   ret KILL
 0057: 15 00 01 00000138   jeq kcmp 0058 (false 0059)
 0058: 06 00 00 00000001   ret KILL
 0059: 15 00 01 000000f8   jeq add_key 005a (false 005b)
 005a: 06 00 00 00000001   ret KILL
 005b: 15 00 01 000000f9   jeq request_key 005c (false 005d)
 005c: 06 00 00 00000001   ret KILL
 005d: 15 00 01 000000ed   jeq mbind 005e (false 005f)
 005e: 06 00 00 00000001   ret KILL
 005f: 15 00 01 00000100   jeq migrate_pages 0060 (false 0061)
 0060: 06 00 00 00000001   ret KILL
 0061: 15 00 01 00000117   jeq move_pages 0062 (false 0063)
 0062: 06 00 00 00000001   ret KILL
 0063: 15 00 01 000000fa   jeq keyctl 0064 (false 0065)
 0064: 06 00 00 00000001   ret KILL
 0065: 15 00 01 000000ce   jeq io_setup 0066 (false 0067)
 0066: 06 00 00 00000001   ret KILL
 0067: 15 00 01 000000cf   jeq io_destroy 0068 (false 0069)
 0068: 06 00 00 00000001   ret KILL
 0069: 15 00 01 000000d0   jeq io_getevents 006a (false 006b)
 006a: 06 00 00 00000001   ret KILL
 006b: 15 00 01 000000d1   jeq io_submit 006c (false 006d)
 006c: 06 00 00 00000001   ret KILL
 006d: 15 00 01 000000d2   jeq io_cancel 006e (false 006f)
 006e: 06 00 00 00000001   ret KILL
 006f: 15 00 01 000000d8   jeq remap_file_pages 0070 (false 0071)
 0070: 06 00 00 00000001   ret KILL
 0071: 15 00 01 00000143   jeq userfaultfd 0072 (false 0073)
 0072: 06 00 00 00000001   ret KILL
 0073: 15 00 01 000000a3   jeq acct 0074 (false 0075)
 0074: 06 00 00 00000001   ret KILL
 0075: 15 00 01 00000141   jeq bpf 0076 (false 0077)
 0076: 06 00 00 00000001   ret KILL
 0077: 15 00 01 000000b4   jeq nfsservctl 0078 (false 0079)
 0078: 06 00 00 00000001   ret KILL
 0079: 15 00 01 000000ab   jeq setdomainname 007a (false 007b)
 007a: 06 00 00 00000001   ret KILL
 007b: 15 00 01 000000aa   jeq sethostname 007c (false 007d)
 007c: 06 00 00 00000001   ret KILL
 007d: 15 00 01 00000099   jeq vhangup 007e (false 007f)
 007e: 06 00 00 00000001   ret KILL
 007f: 15 00 01 00000065   jeq ptrace 0080 (false 0081)
 0080: 06 00 00 00000001   ret KILL
 0081: 15 00 01 00000087   jeq personality 0082 (false 0083)
 0082: 06 00 00 00000001   ret KILL
 0083: 15 00 01 00000136   jeq process_vm_readv 0084 (false 0085)
 0084: 06 00 00 00000001   ret KILL
 0085: 06 00 00 7fff0000   ret ALLOW
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
978 531 0:55 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=978 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root root 160 .
drwxr-xr-x root root 260 ..
-rw-r--r-- chr1s chr1s 1072 seccomp
-rw-r--r-- chr1s chr1s 808 seccomp.32
-rw-r--r-- chr1s chr1s 114 seccomp.list
-rw-r--r-- chr1s chr1s 0 seccomp.postexec
-rw-r--r-- chr1s chr1s 0 seccomp.postexec32
-rw-r--r-- chr1s chr1s 160 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 0
Warning: cleaning all supplementary groups
Starting application
LD_PRELOAD=(null)
Running './SRBMiner-MULTI' '--algorithm' 'autolykos2' '--pool' 'stratum+ssl://ergo.herominers.com:10250' '--wallet' 'wallet' '--password' '' '--cpu-threads' '-1' '--log-file' 'log-ergo.txt' '--extended-log' command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: './SRBMiner-MULTI' '--algorithm' 'autolykos2' '--pool' 'stratum+ssl://ergo.herominers.com:10250' '--wallet' 'wallet' '--password' '' '--cpu-threads' '-1' '--log-file' 'log-ergo.txt' '--extended-log'
Child process initialized in 32.38 ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 6
Detecting OpenCL devices...
CPU0 : AMD Ryzen 5 3600 6-Core Processor [L3: 32768 KB][L2: 3072 KB][L1: 192 KB][PU: 12]
GPU0 : radeon_rx_570_series [ellesmere ][MEM: 4090 MB][CU: 32][BUS: 25]
======================================================================
SRBMiner-MULTI 0.7.5
Press 's' to display stats
Press 'h' to display hashrate
Press 'p' to switch to the next pool
Press 'o' to switch to the previous pool
Press 0-9 to disable/enable GPU 0-9, shift+0-9 for GPU 10-19
======================================================================
Algorithm/s : autolykos2 [2.00% fee]
Gpu mining : enabled
Cpu mining : enabled
Gpu tweaking : disabled
Gpu watchdog : enabled
Huge-pages : enabled
HW-Aes : available
[2021-06-03 21:09:59] Please run miner as administrator/root to enable GPU tweaking
[2021-06-03 21:09:59] Run miner with root privileges to increase CPU hashrate
[2021-06-03 21:09:59] If you experience crashes on 'autolykos2' algorithm, try using 1 thread per GPU ( --gpu-intensity 0 )
[2021-06-03 21:10:02] Internet not found! Please insert internet into miner - check your firewall
Sandbox monitor: waitpid 6 retval 6 status 0
Parent is shutting down, bye...
```

rusty-snake commented 3 years ago

SRBMiner doesn't have a profile yet. Request one in #1139 or write it yourself.

> I have narrowed it down to whether or not the line blacklist ${HOME}/.netrc in /etc/firejail/disable-common.inc is commented out makes the difference.

Then add noblacklist ${HOME}/.netrc if you write a custom profile.

christianskou07 commented 3 years ago

> SRBMiner doesn't have a profile yet. Request one in #1139 or write it yourself.
>
> > I have narrowed it down to whether or not the line blacklist ${HOME}/.netrc in /etc/firejail/disable-common.inc is commented out makes the difference.
>
> Then add noblacklist ${HOME}/.netrc if you write a custom profile.

Wouldn't that introduce a security risk?

rusty-snake commented 3 years ago

What is a security risk for you? Every additional file that can be accessed is possibly a theoretical security risk. On the other hand, keep in mind that you run it without whitelist, dbus-{user,system} none, net none, private-tmp, … and that it does not work without access to it. Allowing firefox to use chroot is a security risk, but firefox needs it. W^X violations are security risks, but a lot of programs (mostly OpenGL/Vulkan and interpreters like python or perl) need W&X mem.

You can also make it read-only, and FYI, the current list:

```
$ grep netrc /etc/firejail/*
/etc/firejail/aria2c.profile:noblacklist ${HOME}/.netrc
/etc/firejail/disable-common.inc:blacklist ${HOME}/.netrc
/etc/firejail/fetchmail.profile:noblacklist ${HOME}/.netrc
/etc/firejail/firefox-common-addons.profile:noblacklist ${HOME}/.netrc
/etc/firejail/firefox-common-addons.profile:whitelist ${HOME}/.netrc
/etc/firejail/mpsyt.profile:noblacklist ${HOME}/.netrc
/etc/firejail/mpsyt.profile:whitelist ${HOME}/.netrc
/etc/firejail/mpv.profile:noblacklist ${HOME}/.netrc
/etc/firejail/mpv.profile:mkfile ${HOME}/.netrc
/etc/firejail/mpv.profile:whitelist ${HOME}/.netrc
/etc/firejail/rtv-addons.profile:noblacklist ${HOME}/.netrc
/etc/firejail/rtv-addons.profile:whitelist ${HOME}/.netrc
/etc/firejail/wget.profile:noblacklist ${HOME}/.netrc
/etc/firejail/youtube-dl.profile:noblacklist ${HOME}/.netrc
```

christianskou07 commented 3 years ago

Part of what you are saying is above my knowledge level, so excuse my ignorance.

As .netrc is a file which potentially could contain rather sensitive information, I consider it a security risk.

There should be no reason for SRBMiner to need any sort of access to ${HOME}/.netrc, and afaik it doesn't do so either, hence I find it odd that this is the line causing the whole issue.

The other thing is the fact that it has worked with no issues running SRBMiner with firejail, and suddenly out of the blue it doesn't.

rusty-snake commented 3 years ago

> The other thing is the fact that it has worked with no issues running SRBMiner with firejail, and suddenly out of the blue it doesn't.

Was there an update of SRBMiner/firejail? What happens if you remove/rename ~/.netrc?

christianskou07 commented 3 years ago

> > The other thing is the fact that it has worked with no issues running SRBMiner with firejail, and suddenly out of the blue it doesn't.
>
> Was there an update of SRBMiner/firejail? What happens if you remove/rename ~/.netrc?

That was my first thought too, but no.

I have gotten it a little closer, however it is still unclear to me what has happened. Just to make it clear, I have no experience with ~/.netrc and I have never used it before (at least not what I know of).

However, it seems like an empty ~/.netrc was created yesterday, and if I remove it I'm allowed to run SRBMiner with firejail and its default profile.

When ~/.netrc is blacklisted and ~/.netrc exists, then I can't run SRBMiner with firejail. If ~/.netrc doesn't exist and is still blacklisted, then I can run SRBMiner with firejail.

Not that I think it is relevant, however I feel the need to mention it, as the error occurred almost the second after I used the script in here: https://docs.nvidia.com/cuda/cuda-installation-guide-linux/index.html#runfile-verifications

rusty-snake commented 3 years ago

> empty ~/.netrc

If it is empty there is no risk.

> When ~/.netrc is blacklisted and ~/.netrc exists, then I can't run SRBMiner with firejail.

Looks like a bug in SRBMiner. A program should not die if it gets EACCES.

> If ~/.netrc doesn't exist and is still blacklisted, then I can run SRBMiner with firejail.

Well at least ENOENT is handled correctly by SRBMiner.

christianskou07 commented 3 years ago

> > empty ~/.netrc
>
> If it is empty there is no risk.
>
> > When ~/.netrc is blacklisted and ~/.netrc exists, then I can't run SRBMiner with firejail.
>
> Looks like a bug in SRBMiner. A program should not die if it gets EACCES.
>
> > If ~/.netrc doesn't exist and is still blacklisted, then I can run SRBMiner with firejail.
>
> Well at least ENOENT is handled correctly by SRBMiner.

Thank you for helping. Just to make sure you've seen it, I edited my comment after a little while including the link from nvidia.

Would you by any chance have a guess why an empty ~/.netrc would be created and why SRBMiner would like to access it?

rusty-snake commented 3 years ago

> Would you by any chance have a guess why an empty ~/.netrc would be created

If you used any of these profiles: `grep -l -E "^mkfile \${HOME}\/\.netrc" /etc/firejail/* ~/.config/firejail/*`, it was firejail. If not, I've no idea.

> why SRBMiner would like to access it

IDK how SRBMiner works and which libraries/external programs it uses. But it sounds ok that it looks into netrc if it has any kind of support for it.

christianskou07 commented 3 years ago

> If you used any of these profiles: `grep -l -E "^mkfile \${HOME}\/\.netrc" /etc/firejail/* ~/.config/firejail/*`, it was firejail. If not, I've no idea.

All I get is `grep: /home/chr1s/.config/firejail/*: No such file or directory`.

> IDK how SRBMiner works and which libraries/external programs it uses. But it sounds ok that it looks into netrc if it has any kind of support for it.

Afaik I don't think it has any support for it, but that may be a subject to another discussion.

rusty-snake commented 3 years ago

> All I get is `grep: /home/chr1s/.config/firejail/*: No such file or directory`.

Depends on nullglob behaviour. Anyway, `grep -l -E "^mkfile \${HOME}\/\.netrc" /etc/firejail/*`.

christianskou07 commented 3 years ago

> > All I get is `grep: /home/chr1s/.config/firejail/*: No such file or directory`.
>
> Depends on nullglob behaviour. Anyway, `grep -l -E "^mkfile \${HOME}\/\.netrc" /etc/firejail/*`.

I tried that as well, but that gives me pure nothing...

rusty-snake commented 3 years ago

Gotcha! `$` needs double escaping: `grep -l -E "^mkfile \\\${HOME}\/\.netrc" /etc/firejail/*`.

christianskou07 commented 3 years ago

> Gotcha! `$` needs double escaping: `grep -l -E "^mkfile \\\${HOME}\/\.netrc" /etc/firejail/*`.

Yup, /etc/firejail/mpv.profile shows up, and if I recall I might have done something in the ballpark of `firejail --noprofile --noblacklist=/sys/module mpv`.

rusty-snake commented 3 years ago

Running it with --noprofile actually does not create ~/.netrc, however one (accidental) call w/o --noprofile does.

> You can also make it read-only ...

... , use whitelist or private.
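
An added illustration of the four options named in this thread (noblacklist, read-only, whitelist, private) as a persistent user override; it is not from the thread or from the firejail project. It assumes the stock default.profile starts with `include default.local`, so a file at ~/.config/firejail/default.local is read before disable-common.inc blacklists ${HOME}/.netrc; the miner directory is the one shown in the debug output above.

```text
# ~/.config/firejail/default.local  (added example, not from the thread;
# assumes default.profile begins with "include default.local", so these
# lines take effect before disable-common.inc blacklists ${HOME}/.netrc)

# Option 1 (weakest): only lift the blacklist. The sandboxed program then
# has full read/write access to ~/.netrc, which may hold plaintext
# credentials, so a compromised miner could read or rewrite them.
#noblacklist ${HOME}/.netrc

# Option 2: lift the blacklist but mount the file read-only. A read-only
# open() succeeds, so the miner no longer hits the EACCES it does not
# survive, while the sandbox still cannot modify the file or plant
# credentials in it.
noblacklist ${HOME}/.netrc
read-only ${HOME}/.netrc

# Option 3 (tighter): once anything in ${HOME} is whitelisted, every path
# in ${HOME} that is not whitelisted disappears from the sandbox, so the
# miner's own directory (see "Current directory" in the debug output)
# must be listed too. Pair whitelist with noblacklist, as mpv.profile does.
#noblacklist ${HOME}/.netrc
#whitelist ${HOME}/.netrc
#read-only ${HOME}/.netrc
#whitelist ${HOME}/Documents/miners

# Option 4 (tightest): an empty temporary ${HOME}. Only usable if the
# miner binary and its --log-file live outside ${HOME}.
#private
```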

christianskou07 commented 3 years ago

> Running it with --noprofile actually does not create ~/.netrc, however one (accidental) call w/o --noprofile does.
>
> > You can also make it read-only ...
>
> ... , use whitelist or private.

I guess it makes more sense that I have tried to do it w/o --noprofile, as I knew it would work with.

As of right now, I have removed the ~/.netrc file and kept it blacklisted while using the default profile with no issues. Either I'll look into making a more tailored profile for both SRBMiner and NBMiner or hope someone else is interested in doing the same thing.

Nonetheless, you've been a great help. Thank you.

rusty-snake commented 3 years ago

https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template

^ Just to make sure you're aware of the template.

christianskou07 commented 3 years ago

> https://github.com/netblue30/firejail/blob/master/etc/templates/profile.template
>
> ^ Just to make sure you're aware of the template.

Noted! Thanks.