netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.74k stars 561 forks

Enhancement hardened internet sandbox needed #4339

Closed osevan closed 3 years ago

osevan commented 3 years ago

I want to start a squid proxy inside firejail on my host machine with a hardened config.

What I want next is to allow internet access only from the "firejail squid ip address containerjail"; everything outside of the firejail squid jail container should not have internet access, for both ingress and egress.

I know it's possible with iptables on the host side, but how do I tell iptables to allow internet only from the firejail container and NOTHING ELSE?

I want to connect to the internet with my browser over the squid proxy or another proxy, and want to start it like this:

```
firejail --proxy="idofsquidjail/or ip" --x11=xpra firefox
```

After that, every application that I want should run with the command above (--proxy....) and should have internet access, but all other apps should not have access.

Benefits:

Everything on the host side cannot access the internet.

Kernel modules don't have any internet access - big attack surface solved.

The whole of /usr/bin doesn't have any internet access - big attack surface solved.

Every binary not started with the firejail --proxy command, or with proxychains functions in combination with firejail, cannot have access to the internet, because the binary doesn't know how to route traffic out ....

Only the admin knows the way out and starts firejail smart and tidy :-)

Thanks and

Best Regards

topimiettinen commented 3 years ago

I've implemented something similar with a combination of SELinux policies, NFTables firewall rules and NetLabel configuration. The unprivileged user user_u:user_r:user_t:s0 isn't allowed to use network, but for example user_u:user_r:mozilla_t:s0 can connect to TCP ports 80 and 443 and user_u:user_r:ssh_t:s0 can connect to TCP port 22. This may not be airtight considering various methods how processes could influence others but it's something.

I don't know how to implement this with Firejail, but it would surely be a great addition. If the user's shell would be firejailed with no way to escape firejailing, maybe everything could be run with 'network=none', except for the explicitly allowed applications? In your proxy setup, the address of the proxy or the crypto key to access it could be disclosed in a file, which would not be accessible by unprivileged applications, and only the explicitly allowed applications could be allowed access via Firejail config?

osevan commented 3 years ago

I'm experimenting with additional user creation and grepping the ID.

I plant the user ID here: ID 1001 for the user with internet access.

```
# allow outbound traffic for UID 1001 (ACCEPT is the iptables target name)
iptables -A OUTPUT -m owner --uid-owner 1001 -j ACCEPT
```

0 for root and other IDs that I want to block:

```
# reject outbound traffic for root (UID 0) and for UID 1000
iptables -A OUTPUT -m owner --uid-owner 0 -j REJECT
iptables -A OUTPUT -m owner --uid-owner 1000 -j REJECT
```

But my problem is, I cannot start firejail with a different user and Firefox.

`sudo su -m internetaccessuser -c "firejail --debug firefox"` won't start - even when internetaccessuser is in the sudoers group. ...

Maybe netblue can help
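
The per-UID filtering discussed above, as an added example that is not part of the thread or of firejail: `egress_rules` emits an iptables-restore rule set that fails closed for every UID except the allowed one, and `output_default_deny` checks whether a saved rule set does so. UID 1001 comes from the thread; the function names, the loopback proxy port 3128 and the sample rule set are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): per-UID egress allow-list in
# iptables-restore format. Nothing here touches the live firewall.
# IPv4 only: ip6tables keeps separate tables and needs its own policy.

# egress_rules UID [PROXY_PORT]
#   UID         numeric user allowed to open outbound connections
#               (1001, the internet-enabled account, in the thread)
#   PROXY_PORT  loopback port every other user may reach (assumed 3128)
egress_rules() {
    uid=$1
    port=${2:-3128}
    case $uid in ''|*[!0-9]*) echo "UID must be numeric" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    # Order matters: the per-UID ACCEPT must come before the catch-all REJECT.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -p tcp --dport $port -j ACCEPT
-A OUTPUT -m owner --uid-owner $uid -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# output_default_deny: read iptables-save text on stdin and succeed only if
# the filter OUTPUT chain fails closed, i.e. its policy is DROP or its last
# rule is an unconditional DROP/REJECT. Per-UID REJECT rules alone do not
# qualify: a UID without a rule falls through to the chain policy.
output_default_deny() {
    awk '
        BEGIN { table = "filter" }
        substr($0, 1, 1) == "*" { table = substr($0, 2) }
        table != "filter" { next }
        /^:OUTPUT /   { policy = $2 }
        /^-A OUTPUT / { last = $0 }
        END {
            if (policy == "DROP") exit 0
            if (last ~ /^-A OUTPUT -j (DROP|REJECT)( |$)/) exit 0
            exit 1
        }'
}

# Constructed sample: per-UID rules modelled on the thread, as iptables-save
# would show them on a host whose OUTPUT policy is still the default ACCEPT.
thread_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -m owner --uid-owner 0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m owner --uid-owner 1000 -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Demo: audit both rule sets, then print the fail-closed one.
if thread_rules | output_default_deny; then
    echo "per-UID rules only: fail closed"
else
    echo "per-UID rules only: UIDs without a rule still get out"
fi
if egress_rules 1001 | output_default_deny; then
    echo "generated rules: fail closed"
fi
egress_rules 1001
```

To load the generated rules, pipe the output of `egress_rules` to `iptables-restore` as root; `iptables-restore --test` parses the input without committing it.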

rusty-snake commented 3 years ago

> But my problem is, I cannot start firejail with a different user and Firefox. `sudo su -m internetaccessuser -c "firejail --debug firefox"` won't start - even when internetaccessuser is in the sudoers group. ...

Do you get any error? Does firefox start w/o firejail? Can you start `firejail curl` or so? If you have a /etc/firejail/firejail.users, is internetaccessuser in it? Do you use X11 or Wayland?

osevan commented 3 years ago

> > But my problem is, I cannot start firejail with a different user and Firefox. `sudo su -m internetaccessuser -c "firejail --debug firefox"` won't start - even when internetaccessuser is in the sudoers group. ...
>
> Do you get any error? Does firefox start w/o firejail? Can you start `firejail curl` or so? If you have a /etc/firejail/firejail.users, is internetaccessuser in it? Do you use X11 or Wayland?

Wow, thanks for the reply.

I can start Firefox with firejail with my default user and root.
I did not know about the firejail.users file.

I will test this tomorrow.

I'm using X11, and Firefox will be X11-sandboxed with the latest xpra from xpra's own repository.

osevan commented 3 years ago

firejail curl inside user shell works fine

```
$ whoami
internet

$ firejail --version
firejail version 0.9.65

Compile time support:
    - Always force nonewprivs support is disabled
    - AppArmor support is enabled
    - AppImage support is enabled
    - chroot support is enabled
    - D-BUS proxy support is enabled
    - file and directory whitelisting support is enabled
    - file transfer support is enabled
    - firetunnel support is enabled
    - networking support is enabled
    - output logging is enabled
    - overlayfs support is disabled
    - private-home support is enabled
    - private-cache and tmpfs as user enabled
    - SELinux support is disabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

$ firejail curl gogole.com
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
```

EDIT by @rusty-snake: code-block

osevan commented 3 years ago

here when i try to start

firejail --debug firefox

```
$ firejail --debug firefox 2>&1 | tee output.log
mounting /usr/lib/x86_64-linux-gnu/libacl.so.1 on /run/firejail/mnt/lib/x86_64-linux-gnu/libacl.so.1 fslib_mount_libs /bin/sh (parse as user) Creating empty /run/firejail/mnt/libfiles file running fldd /bin/sh sbox run: /run/firejail/lib/fldd /bin/sh /run/firejail/mnt/libfiles fslib_mount_libs /usr/bin/tclsh (parse as user) Creating empty /run/firejail/mnt/libfiles file running fldd /usr/bin/tclsh sbox run: /run/firejail/lib/fldd /usr/bin/tclsh /run/firejail/mnt/libfiles mounting /usr/lib/x8Program libraries installed in 85.68 ms 6_64-linux-gnu/libtcl8.6.so on /run/firejail/mnt/lib/x86_64-linux-gnu/libtcl8.6.so fslib_mount_libs /bin/true (parse as user) Creating empty /run/firejail/mnt/libfiles file running fldd /bin/true sbox run: /run/firejail/lib/fldd /bin/true /run/firejail/mnt/libfiles fslib_mount_libs /bin/uname (parse as user) Creating empty /run/firejail/mnt/libfiles file running fldd /bin/uname sbox run: /run/firejail/lib/fldd /bin/uname /run/firejail/mnt/libfiles GdkPixbuf installed in 19.87 ms Installing system libraries fslib_mount_libs /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0 (parse as user) Creating empty /run/firejail/mnt/libfiles file running fldd /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0 sbox run: /run/firejail/lib/fldd /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0 /run/firejail/mnt/libfiles mounting /usr/lib/x86_64-linux-gnu/libjpeg.so.62 on /run/firejail/mnt/lib/x86_64-linux-gnu/libjpeg.so.62 mounting /usr/lib/x86_64-linux-gnu/libjbig.so.0 on /run/firejail/mnt/lib/x86_64-linux-gnu/libjbig.so.0 mounting /usr/lib/x86_64-linux-gnu/libzstd.so.1 on /run/firejail/mnt/lib/x86_64-linux-gnu/libzstd.so.1 mounting /usr/lib/x86_64-linux-gnu/libwebp.so.6 on /run/firejail/mnt/lib/x86_64-linux-gnu/libwebp.so.6 mounting /usr/lib/x86_64-linux-gnu/libtiff.so.5 on /run/firejail/mnt/lib/x86_64-linux-gnu/libtiff.so.5 mounting /lib/x86_64-linux-gnu/liblzma.so.5 on /run/firejail/mnt/lib/x86_64-linux-gnu/liblzma.so.5 mounting /usr/lib/x86_64-linux-gnu/libicudata.so.63 on 
/run/firejail/mnt/lib/x86_64-linux-gnu/libicudata.so.63 mounting /usr/lib/x86_64-linux-gnu/libicuuc.so.63 on /run/firejail/mnt/lib/x86_64-linux-gnu/libicuuc.so.63 mounting /usr/lib/x86_64-linux-gnu/libicui18n.so.63 on /run/firejail/mnt/lib/x86_64-linux-gnu/libicui18n.so.63 mounting /usr/lib/x86_64-linux-gnu/libxml2.so.2 on /run/firejail/mnt/lib/x86_64-linux-gnu/libxml2.so.2 mounting /usr/lib/x86_64-linux-gnu/libcroco-0.6.so.3 on /run/firejail/mnt/lib/x86_64-linux-gnu/libcroco-0.6.so.3 mounting /usr/lib/x86_64-linux-gnu/librsvg-2.so.2 on /run/firejail/mnt/lib/x86_64-linux-gnu/librsvg-2.so.2 mounting /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0 on /run/firejail/mnt/lib/x86_64-linux-gnu/gdk-pixbuf-2.0 GTK3 installed in 56.33 ms fslib_mount_libs /usr/lib/x86_64-linux-gnu/gtk-3.0 (parse as user) Creating empty /run/firejail/mnt/libfiles file running fldd /usr/lib/x86_64-linux-gnu/gtk-3.0 sbox run: /run/firejail/lib/fldd /usr/lib/x86_64-linux-gnu/gtk-3.0 /run/firejail/mnt/libfiles mounting /usr/lib/x86_64-linux-gnu/libavahi-client.so.3 on /run/firejail/mnt/lib/x86_64-linux-gnu/libavahi-client.so.3 mounting /usr/lib/x86_64-linux-gnu/libavahi-common.so.3 on /run/firejail/mnt/lib/x86_64-linux-gnu/libavahi-common.so.3 mounting /usr/lib/x86_64-linux-gnu/libgmp.so.10 on /run/firejail/mnt/lib/x86_64-linux-gnu/libgmp.so.10 mounting /usr/lib/x86_64-linux-gnu/libhogweed.so.4 on /run/firejail/mnt/lib/x86_64-linux-gnu/libhogweed.so.4 mounting /usr/lib/x86_64-linux-gnu/libnettle.so.6 on /run/firejail/mnt/lib/x86_64-linux-gnu/libnettle.so.6 mounting /usr/lib/x86_64-linux-gnu/libtasn1.so.6 on /run/firejail/mnt/lib/x86_64-linux-gnu/libtasn1.so.6 mounting /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 on /run/firejail/mnt/lib/x86_64-linux-gnu/libp11-kit.so.0 mounting /usr/lib/x86_64-linux-gnu/libgnutls.so.30 on /run/firejail/mnt/lib/x86_64-linux-gnu/libgnutls.so.30 mounting /usr/lib/x86_64-linux-gnu/libcups.so.2 on /run/firejail/mnt/lib/x86_64-linux-gnu/libcups.so.2 mounting 
/lib/x86_64-linux-gnu/libudev.so.1 on /run/firejail/mnt/lib/x86_64-linux-gnu/libudev.so.1 mounting /usr/lib/x86_64-linux-gnu/liblcms2.so.2 on /run/firejail/mnt/lib/x86_64-linux-gnu/liblcms2.so.2 mounting /usr/lib/x86_64-linux-gnu/libcolord.so.2 on /run/firejail/mnt/lib/x86_64-linux-gnu/libcolord.so.2 mounting /usr/lib/x86_64-linux-gnu/libjson-glib-1.0.so.0 on /run/firejail/mnt/lib/x86_64-linux-gnu/libjson-glib-1.0.so.0 mounting /usr/lib/x86_64-linux-gnu/libunistring.so.2 on /run/firejail/mnt/lib/x86_64-linux-gnu/libunistring.so.2 mounting /usr/lib/x86_64-linux-gnu/libidn2.so.0 on /run/firejail/mnt/lib/x86_64-linux-gnu/libidn2.so.0 mounting /usr/lib/x86_64-linux-gnu/libpsl.so.5 on /run/firejail/mnt/lib/x86_64-linux-gnu/libpsl.so.5 mounting /usr/lib/x86_64-linux-gnu/libsqlite3.so.0 on /run/firejail/mnt/lib/x86_64-linux-gnu/libsqlite3.so.0 mounting /lib/x86_64-linux-gnu/libcom_err.so.2 on /run/firejail/mnt/lib/x86_64-linux-gnu/libcom_err.so.2 mounting /lib/x86_64-linux-gnu/libkeyutils.so.1 on /run/firejail/mnt/lib/x86_64-linux-gnu/libkeyutils.so.1 mounting /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 on /run/firejail/mnt/lib/x86_64-linux-gnu/libkrb5support.so.0 mounting /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 on /run/firejail/mnt/lib/x86_64-linux-gnu/libk5crypto.so.3 mounting /usr/lib/x86_64-linux-gnu/libkrb5.so.3 on /run/firejail/mnt/lib/x86_64-linux-gnu/libkrb5.so.3 mounting /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 on /run/firejail/mnt/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 mounting /usr/lib/x86_64-linux-gnu/libsoup-2.4.so.1 on /run/firejail/mnt/lib/x86_64-linux-gnu/libsoup-2.4.so.1 mounting /usr/lib/x86_64-linux-gnu/libsoup-gnome-2.4.so.1 on /run/firejail/mnt/lib/x86_64-linux-gnu/libsoup-gnome-2.4.so.1 mounting /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0 on /run/firejail/mnt/lib/x86_64-linux-gnu/libgthread-2.0.so.0 mounting /usr/lib/x86_64-linux-gnu/librest-0.7.so.0 on /run/firejail/mnt/lib/x86_64-linux-gnu/librest-0.7.so.0 mounting 
/usr/lib/x86_64-linux-gnu/gtk-3.0 on /run/firejail/mnt/lib/x86_64-linux-gnu/gtk-3.0 fslib_mount_libs /usr/lib/x86_64-linux-gnu/libgtk-3-0 (parse as user) Creating empty /run/firejail/mnt/libfiles file running fldd /usr/lib/x86_64-linux-gnu/libgtk-3-0 sbox run: /run/firejail/lib/fldd /usr/lib/x86_64-linux-gnu/libgtk-3-0 /run/firejail/mnt/libfiles mounting /usr/lib/x86_64-linux-gnu/libgtk-3-0 on /run/firejail/mnt/lib/x86_64-linux-gnu/libgtk-3-0 Pango installed in 0.01 ms GIO installed in 8.98 ms fslib_mount_libs /usr/lib/x86_64-linux-gnu/gio (parse as user) Creating empty /run/firejail/mnt/libfiles file running fldd /usr/lib/x86_64-linux-gnu/gio sbox run: /run/firejail/lib/fldd /usr/lib/x86_64-linux-gnu/gio /run/firejail/mnt/libfiles mounting /usr/lib/x86_64-linux-gnu/libproxy.so.1 on /run/firejail/mnt/lib/x86_64-linux-gnu/libproxy.so.1 mounting /usr/lib/x86_64-linux-gnu/gio on /run/firejail/mnt/lib/x86_64-linux-gnu/gio Installed 137 libraries and 7 directories Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set. Warning: file /etc/pango not found. Warning: skipping pango for private /etc Warning: file /etc/$ not found. 
Warning: skipping $ for private /etc Private /etc installed in 46.46 ms Mounting read-only /run/firejail/mnt/lib 422 278 253:0 /usr/lib/x86_64-linux-gnu/gio /run/firejail/mnt/lib/x86_64-linux-gnu/gio ro,noatime - ext4 /dev/mapper/rootfs rw mountid=422 fsname=/usr/lib/x86_64-linux-gnu/gio dir=/run/firejail/mnt/lib/x86_64-linux-gnu/gio fstype=ext4 Mount-bind /run/firejail/mnt/lib on top of /usr/lib64 Mount-bind /run/firejail/mnt/lib on top of /lib64 Mount-bind /run/firejail/mnt/lib on top of /usr/lib Mount-bind /run/firejail/mnt/lib on top of /lib Mount-bind /run/firejail/mnt/lib on top of /usr/local/lib Generate private-tmp whitelist commands Creating empty /run/firejail/mnt/dbus directory Creating empty /run/firejail/mnt/dbus/system file blacklist /run/dbus/system_bus_socket blacklist /run/firejail/dbus Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /sys/kernel/uevent_helper Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/kernel/hotplug Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kcore Disable /proc/kallsyms Disable /boot Disable /proc/kmsg Copying files in the new /etc directory: Copying /etc/passwd to private /etc sbox run: /run/firejail/lib/fcopy /etc/passwd /run/firejail/mnt/etc Copying /etc/group to private /etc sbox run: /run/firejail/lib/fcopy /etc/group /run/firejail/mnt/etc Copying /etc/hostname to private /etc sbox run: /run/firejail/lib/fcopy /etc/hostname /run/firejail/mnt/etc Copying /etc/hosts to private /etc sbox run: /run/firejail/lib/fcopy /etc/hosts /run/firejail/mnt/etc Copying /etc/localtime to private /etc sbox run: /run/firejail/lib/fcopy /etc/localtime /run/firejail/mnt/etc Copying /etc/nsswitch.conf to private /etc 
sbox run: /run/firejail/lib/fcopy /etc/nsswitch.conf /run/firejail/mnt/etc Copying /etc/resolv.conf to private /etc sbox run: /run/firejail/lib/fcopy /etc/resolv.conf /run/firejail/mnt/etc Copying /etc/gtk-2.0 to private /etc Creating empty /run/firejail/mnt/etc/gtk-2.0 directory sbox run: /run/firejail/lib/fcopy /etc/gtk-2.0 /run/firejail/mnt/etc/gtk-2.0 Copying /etc/fonts to private /etc Creating empty /run/firejail/mnt/etc/fonts directory sbox run: /run/firejail/lib/fcopy /etc/fonts /run/firejail/mnt/etc/fonts Mount-bind /run/firejail/mnt/etc on top of /etc Private /usr/etc installed in 0.02 ms Cannot find /usr/etc: No such file or directory Mount-bind /run/firejail/mnt/usretc on top of /usr/etc Cannot find /usr/etc: No such file or directory Debug 559: whitelist ${HOME}/.cache/mozilla/firefox Debug 580: expanded: /home/internet/.cache/mozilla/firefox Debug 591: new_name: /home/internet/.cache/mozilla/firefox Debug 605: dir: /home/internet Adding whitelist top level directory /home/internet Debug 559: whitelist ${HOME}/.mozilla Debug 580: expanded: /home/internet/.mozilla Debug 591: new_name: /home/internet/.mozilla Debug 605: dir: /home/internet Debug 559: whitelist /usr/share/doc Debug 580: expanded: /usr/share/doc Debug 591: new_name: /usr/share/doc Debug 605: dir: /usr/share Adding whitelist top level directory /usr/share Debug 559: whitelist /usr/share/firefox Debug 580: expanded: /usr/share/firefox Debug 591: new_name: /usr/share/firefox Debug 605: dir: /usr/share Removed path: whitelist /usr/share/firefox expanded: /usr/share/firefox realpath: (null) No such file or directory Debug 559: whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini Debug 580: expanded: /usr/share/gnome-shell/search-providers/firefox-search-provider.ini Debug 591: new_name: /usr/share/gnome-shell/search-providers/firefox-search-provider.ini Debug 605: dir: /usr/share Removed path: whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini 
expanded: /usr/share/gnome-shell/search-providers/firefox-search-provider.ini realpath: (null) No such file or directory Debug 559: whitelist /usr/share/gtk-doc/html Debug 580: expanded: /usr/share/gtk-doc/html Debug 591: new_name: /usr/share/gtk-doc/html Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/mozilla Debug 580: expanded: /usr/share/mozilla Debug 591: new_name: /usr/share/mozilla Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/webext Debug 580: expanded: /usr/share/webext Debug 591: new_name: /usr/share/webext Debug 605: dir: /usr/share Removed path: whitelist /usr/share/webext expanded: /usr/share/webext realpath: (null) No such file or directory Debug 559: whitelist /usr/share/alsa Debug 580: expanded: /usr/share/alsa Debug 591: new_name: /usr/share/alsa Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/applications Debug 580: expanded: /usr/share/applications Debug 591: new_name: /usr/share/applications Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/ca-certificates Debug 580: expanded: /usr/share/ca-certificates Debug 591: new_name: /usr/share/ca-certificates Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/crypto-policies Debug 580: expanded: /usr/share/crypto-policies Debug 591: new_name: /usr/share/crypto-policies Debug 605: dir: /usr/share Removed path: whitelist /usr/share/crypto-policies expanded: /usr/share/crypto-policies realpath: (null) No such file or directory Debug 559: whitelist /usr/share/cursors Debug 580: expanded: /usr/share/cursors Debug 591: new_name: /usr/share/cursors Debug 605: dir: /usr/share Removed path: whitelist /usr/share/cursors expanded: /usr/share/cursors realpath: (null) No such file or directory Debug 559: whitelist /usr/share/dconf Debug 580: expanded: /usr/share/dconf Debug 591: new_name: /usr/share/dconf Debug 605: dir: /usr/share Removed path: whitelist /usr/share/dconf expanded: /usr/share/dconf realpath: (null) No such file or directory Debug 559: whitelist 
/usr/share/distro-info Debug 580: expanded: /usr/share/distro-info Debug 591: new_name: /usr/share/distro-info Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/drirc.d Debug 580: expanded: /usr/share/drirc.d Debug 591: new_name: /usr/share/drirc.d Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/enchant Debug 580: expanded: /usr/share/enchant Debug 591: new_name: /usr/share/enchant Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/enchant-2 Debug 580: expanded: /usr/share/enchant-2 Debug 591: new_name: /usr/share/enchant-2 Debug 605: dir: /usr/share Removed path: whitelist /usr/share/enchant-2 expanded: /usr/share/enchant-2 realpath: (null) No such file or directory Debug 559: whitelist /usr/share/file Debug 580: expanded: /usr/share/file Debug 591: new_name: /usr/share/file Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/fontconfig Debug 580: expanded: /usr/share/fontconfig Debug 591: new_name: /usr/share/fontconfig Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/fonts Debug 580: expanded: /usr/share/fonts Debug 591: new_name: /usr/share/fonts Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/fonts-config Debug 580: expanded: /usr/share/fonts-config Debug 591: new_name: /usr/share/fonts-config Debug 605: dir: /usr/share Removed path: whitelist /usr/share/fonts-config expanded: /usr/share/fonts-config realpath: (null) No such file or directory Debug 559: whitelist /usr/share/gir-1.0 Debug 580: expanded: /usr/share/gir-1.0 Debug 591: new_name: /usr/share/gir-1.0 Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/gjs-1.0 Debug 580: expanded: /usr/share/gjs-1.0 Debug 591: new_name: /usr/share/gjs-1.0 Debug 605: dir: /usr/share Removed path: whitelist /usr/share/gjs-1.0 expanded: /usr/share/gjs-1.0 realpath: (null) No such file or directory Debug 559: whitelist /usr/share/glib-2.0 Debug 580: expanded: /usr/share/glib-2.0 Debug 591: new_name: /usr/share/glib-2.0 Debug 605: dir: /usr/share Debug 559: 
whitelist /usr/share/glvnd Debug 580: expanded: /usr/share/glvnd Debug 591: new_name: /usr/share/glvnd Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/gtk-2.0 Debug 580: expanded: /usr/share/gtk-2.0 Debug 591: new_name: /usr/share/gtk-2.0 Debug 605: dir: /usr/share Removed path: whitelist /usr/share/gtk-2.0 expanded: /usr/share/gtk-2.0 realpath: (null) No such file or directory Debug 559: whitelist /usr/share/gtk-3.0 Debug 580: expanded: /usr/share/gtk-3.0 Debug 591: new_name: /usr/share/gtk-3.0 Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/gtk-engines Debug 580: expanded: /usr/share/gtk-engines Debug 591: new_name: /usr/share/gtk-engines Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/gtksourceview-3.0 Debug 580: expanded: /usr/share/gtksourceview-3.0 Debug 591: new_name: /usr/share/gtksourceview-3.0 Debug 605: dir: /usr/share Removed path: whitelist /usr/share/gtksourceview-3.0 expanded: /usr/share/gtksourceview-3.0 realpath: (null) No such file or directory Debug 559: whitelist /usr/share/gtksourceview-4 Debug 580: expanded: /usr/share/gtksourceview-4 Debug 591: new_name: /usr/share/gtksourceview-4 Debug 605: dir: /usr/share Removed path: whitelist /usr/share/gtksourceview-4 expanded: /usr/share/gtksourceview-4 realpath: (null) No such file or directory Debug 559: whitelist /usr/share/hunspell Debug 580: expanded: /usr/share/hunspell Debug 591: new_name: /usr/share/hunspell Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/hwdata Debug 580: expanded: /usr/share/hwdata Debug 591: new_name: /usr/share/hwdata Debug 605: dir: /usr/share Removed path: whitelist /usr/share/hwdata expanded: /usr/share/hwdata realpath: (null) No such file or directory Debug 559: whitelist /usr/share/icons Debug 580: expanded: /usr/share/icons Debug 591: new_name: /usr/share/icons Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/icu Debug 580: expanded: /usr/share/icu Debug 591: new_name: /usr/share/icu Debug 605: dir: /usr/share 
Debug 559: whitelist /usr/share/knotifications5 Debug 580: expanded: /usr/share/knotifications5 Debug 591: new_name: /usr/share/knotifications5 Debug 605: dir: /usr/share Removed path: whitelist /usr/share/knotifications5 expanded: /usr/share/knotifications5 realpath: (null) No such file or directory Debug 559: whitelist /usr/share/kservices5 Debug 580: expanded: /usr/share/kservices5 Debug 591: new_name: /usr/share/kservices5 Debug 605: dir: /usr/share Removed path: whitelist /usr/share/kservices5 expanded: /usr/share/kservices5 realpath: (null) No such file or directory Debug 559: whitelist /usr/share/Kvantum Debug 580: expanded: /usr/share/Kvantum Debug 591: new_name: /usr/share/Kvantum Debug 605: dir: /usr/share Removed path: whitelist /usr/share/Kvantum expanded: /usr/share/Kvantum realpath: (null) No such file or directory Debug 559: whitelist /usr/share/kxmlgui5 Debug 580: expanded: /usr/share/kxmlgui5 Debug 591: new_name: /usr/share/kxmlgui5 Debug 605: dir: /usr/share Removed path: whitelist /usr/share/kxmlgui5 expanded: /usr/share/kxmlgui5 realpath: (null) No such file or directory Debug 559: whitelist /usr/share/libdrm Debug 580: expanded: /usr/share/libdrm Debug 591: new_name: /usr/share/libdrm Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/libthai Debug 580: expanded: /usr/share/libthai Debug 591: new_name: /usr/share/libthai Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/locale Debug 580: expanded: /usr/share/locale Debug 591: new_name: /usr/share/locale Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/mime Debug 580: expanded: /usr/share/mime Debug 591: new_name: /usr/share/mime Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/misc Debug 580: expanded: /usr/share/misc Debug 591: new_name: /usr/share/misc Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/Modules Debug 580: expanded: /usr/share/Modules Debug 591: new_name: /usr/share/Modules Debug 605: dir: /usr/share Removed path: whitelist 
/usr/share/Modules expanded: /usr/share/Modules realpath: (null) No such file or directory Debug 559: whitelist /usr/share/myspell Debug 580: expanded: /usr/share/myspell Debug 591: new_name: /usr/share/myspell Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/p11-kit Debug 580: expanded: /usr/share/p11-kit Debug 591: new_name: /usr/share/p11-kit Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/perl Debug 580: expanded: /usr/share/perl Debug 591: new_name: /usr/share/perl Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/perl5 Debug 580: expanded: /usr/share/perl5 Debug 591: new_name: /usr/share/perl5 Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/pixmaps Debug 580: expanded: /usr/share/pixmaps Debug 591: new_name: /usr/share/pixmaps Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/pki Debug 580: expanded: /usr/share/pki Debug 591: new_name: /usr/share/pki Debug 605: dir: /usr/share Removed path: whitelist /usr/share/pki expanded: /usr/share/pki realpath: (null) No such file or directory Debug 559: whitelist /usr/share/plasma Debug 580: expanded: /usr/share/plasma Debug 591: new_name: /usr/share/plasma Debug 605: dir: /usr/share Removed path: whitelist /usr/share/plasma expanded: /usr/share/plasma realpath: (null) No such file or directory Debug 559: whitelist /usr/share/publicsuffix Debug 580: expanded: /usr/share/publicsuffix Debug 591: new_name: /usr/share/publicsuffix Debug 605: dir: /usr/share Removed path: whitelist /usr/share/publicsuffix expanded: /usr/share/publicsuffix realpath: (null) No such file or directory Debug 559: whitelist /usr/share/qt Debug 580: expanded: /usr/share/qt Debug 591: new_name: /usr/share/qt Debug 605: dir: /usr/share Removed path: whitelist /usr/share/qt expanded: /usr/share/qt realpath: (null) No such file or directory Debug 559: whitelist /usr/share/qt4 Debug 580: expanded: /usr/share/qt4 Debug 591: new_name: /usr/share/qt4 Debug 605: dir: /usr/share Removed path: whitelist 
/usr/share/qt4 expanded: /usr/share/qt4 realpath: (null) No such file or directory Debug 559: whitelist /usr/share/qt5 Debug 580: expanded: /usr/share/qt5 Debug 591: new_name: /usr/share/qt5 Debug 605: dir: /usr/share Removed path: whitelist /usr/share/qt5 expanded: /usr/share/qt5 realpath: (null) No such file or directory Debug 559: whitelist /usr/share/qt5ct Debug 580: expanded: /usr/share/qt5ct Debug 591: new_name: /usr/share/qt5ct Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/sounds Debug 580: expanded: /usr/share/sounds Debug 591: new_name: /usr/share/sounds Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/tcl8.6 Debug 580: expanded: /usr/share/tcl8.6 Debug 591: new_name: /usr/share/tcl8.6 Debug 605: dir: /usr/share Removed path: whitelist /usr/share/tcl8.6 expanded: /usr/share/tcl8.6 realpath: (null) No such file or directory Debug 559: whitelist /usr/share/tcltk Debug 580: expanded: /usr/share/tcltk Debug 591: new_name: /usr/share/tcltk Debug 605: dir: /usr*** *** Warning: cannot whitelist ${DOWNLOADS} directory *** Any file saved in this directory will be lost when the sandbox is closed. 
*** /share Debug 559: whitelist /usr/share/terminfo Debug 580: expanded: /usr/share/terminfo Debug 591: new_name: /usr/share/terminfo Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/texlive Debug 580: expanded: /usr/share/texlive Debug 591: new_name: /usr/share/texlive Debug 605: dir: /usr/share Removed path: whitelist /usr/share/texlive expanded: /usr/share/texlive realpath: (null) No such file or directory Debug 559: whitelist /usr/share/texmf Debug 580: expanded: /usr/share/texmf Debug 591: new_name: /usr/share/texmf Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/themes Debug 580: expanded: /usr/share/themes Debug 591: new_name: /usr/share/themes Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/thumbnail.so Debug 580: expanded: /usr/share/thumbnail.so Debug 591: new_name: /usr/share/thumbnail.so Debug 605: dir: /usr/share Removed path: whitelist /usr/share/thumbnail.so expanded: /usr/share/thumbnail.so realpath: (null) No such file or directory Debug 559: whitelist /usr/share/uim Debug 580: expanded: /usr/share/uim Debug 591: new_name: /usr/share/uim Debug 605: dir: /usr/share Removed path: whitelist /usr/share/uim expanded: /usr/share/uim realpath: (null) No such file or directory Debug 559: whitelist /usr/share/vulkan Debug 580: expanded: /usr/share/vulkan Debug 591: new_name: /usr/share/vulkan Debug 605: dir: /usr/share Removed path: whitelist /usr/share/vulkan expanded: /usr/share/vulkan realpath: (null) No such file or directory Debug 559: whitelist /usr/share/X11 Debug 580: expanded: /usr/share/X11 Debug 591: new_name: /usr/share/X11 Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/xml Debug 580: expanded: /usr/share/xml Debug 591: new_name: /usr/share/xml Debug 605: dir: /usr/share Debug 559: whitelist /usr/share/zenity Debug 580: expanded: /usr/share/zenity Debug 591: new_name: /usr/share/zenity Debug 605: dir: /usr/share Removed path: whitelist /usr/share/zenity expanded: /usr/share/zenity realpath: (null) No 
rw mountid=1218 fsname=/home/internet/.cache/fontconfig dir=/home/internet/.cache/fontconfig fstype=ext4 Debug 741: file: /home/internet/.fontconfig; dirfd: 4; topdir: /home/internet; rel: .fontconfig Whitelisting /home/internet/.fontconfig 1219 1173 253:0 /home/internet/.fontconfig /home/internet/.fontconfig rw,noatime - ext4 /dev/mapper/rootfs rw mountid=1219 fsname=/home/internet/.fontconfig dir=/home/internet/.fontconfig fstype=ext4 Debug 741: file: /var/lib/aspell; dirfd: 7; topdir: /var; rel: lib/aspell Whitelisting /var/lib/aspell 1220 1170 253:0 /var/lib/aspell /var/lib/aspell ro,nosuid,nodev,noexec,noatime - ext4 /dev/mapper/rootfs rw mountid=1220 fsname=/var/lib/aspell dir=/var/lib/aspell fstype=ext4 Debug 741: file: /var/lib/dbus; dirfd: 7; topdir: /var; rel: lib/dbus Whitelisting /var/lib/dbus 1221 1170 253:0 /var/lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,noatime - ext4 /dev/mapper/rootfs rw mountid=1221 fsname=/var/lib/dbus dir=/var/lib/dbus fstype=ext4 Debug 741: file: /var/lib/menu-xdg; dirfd: 7; topdir: /var; rel: lib/menu-xdg Whitelisting /var/lib/menu-xdg 1222 1170 253:0 /var/lib/menu-xdg /var/lib/menu-xdg ro,nosuid,nodev,noexec,noatime - ext4 /dev/mapper/rootfs rw mountid=1222 fsname=/var/lib/menu-xdg dir=/var/lib/menu-xdg fstype=ext4 Debug 741: file: /var/cache/fontconfig; dirfd: 7; topdir: /var; rel: cache/fontconfig Whitelisting /var/cache/fontconfig 1223 1170 253:0 /var/cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,noatime - ext4 /dev/mapper/rootfs rw mountid=1223 fsname=/var/cache/fontconfig dir=/var/cache/fontconfig fstype=ext4 Debug 741: file: /var/tmp; dirfd: 7; topdir: /var; rel: tmp Whitelisting /var/tmp 1224 1170 0:46 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64 mountid=1224 fsname=/ dir=/var/tmp fstype=tmpfs Created symbolic link /var/run -> /run Created symbolic link /var/lock -> /run/lock Debug 741: file: /tmp/.X11-unix; dirfd: 8; topdir: /tmp; rel: .X11-unix Whitelisting /tmp/.X11-unix 1225 1171 
0:29 /.X11-unix /tmp/.X11-unix rw,noatime - tmpfs none rw,inode64 mountid=1225 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting read-only /home/internet/.config/dconf 1226 1217 253:0 /home/internet/.config/dconf /home/internet/.config/dconf ro,noatime - ext4 /dev/mapper/rootfs rw mountid=1226 fsname=/home/internet/.config/dconf dir=/home/internet/.config/dconf fstype=ext4 Disable /usr/share/applications/veracrypt.desktop Disable /usr/share/pixmaps/veracrypt.xpm Disable /run/acpid.socket (requested /var/run/acpid.socket) Disable /run/rpcbind.sock (requested /var/run/rpcbind.sock) Not blacklist /home/internet/.pki Not blacklist /home/internet/.local/share/pki Disable /sbin Disable /usr/local/sbin Disable /usr/sbin Disable /usr/local/gcc-10.2.0/bin/c++-10.2 Disable /usr/local/gcc-10.2.0/bin/cpp-10.2 Disable /usr/local/gcc-10.2.0/bin/g++-10.2 Disable /usr/local/gcc-10.2.0/bin/gcc-nm-10.2 Disable /usr/local/gcc-10.2.0/bin/gcc-ar-10.2 Disable /usr/local/gcc-10.2.0/bin/gcc-ranlib-10.2 Disable /usr/local/gcc-10.2.0/bin/gcc-10.2 Disable /usr/local/gcc-10.2.0/bin/x86_64-linux-gnu-gcc-ranlib-10.2 Disable /usr/local/gcc-10.2.0/bin/x86_64-linux-gnu-gcc-10.2.0 Disable /usr/local/gcc-10.2.0/bin/x86_64-linux-gnu-gcc-nm-10.2 Disable /usr/local/gcc-10.2.0/bin/x86_64-linux-gnu-gDISPLAY=:0.0 parsed as 0 line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 04 00 c000003e jeq ARCH_64 0006 (false 0002) 0002: 20 00 00 00000000 ld data.syscall-number 0003: 15 01 00 00000167 jeq unknown 0005 (false 0004) 0004: 06 00 00 7fff0000 ret ALLOW 0005: 05 00 00 00000006 jmp 000c 0006: 20 00 00 00000004 ld data.architecture 0007: 15 01 00 c000003e jeq ARCH_64 0009 (false 0008) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 20 00 00 00000000 ld data.syscall-number 000a: 15 01 00 00000029 jeq socket 000c (false 000b) 000b: 06 00 00 7fff0000 ret ALLOW 000c: 20 00 00 00000010 ld data.args[0] 000d: 15 00 01 00000001 jeq 1 000e (false 000f) 000e: 06 00 
00 7fff0000 ret ALLOW 000f: 15 00 01 00000002 jeq 2 0010 (false 0011) 0010: 06 00 00 7fff0000 ret ALLOW 0011: 15 00 01 0000000a jeq a 0012 (false 0013) 0012: 06 00 00 7fff0000 ret ALLOW 0013: 15 00 01 00000010 jeq 10 0014 (false 0015) 0014: 06 00 00 7fff0000 ret ALLOW 0015: 06 00 00 0005005f ret ERRNO(95) cc-ar-10.2 Disable /usr/local/gcc-10.2.0/bin/x86_64-linux-gnu-gcc-10.2 Disable /usr/local/gcc-10.2.0/bin/x86_64-linux-gnu-g++-10.2 Disable /usr/local/gcc-10.2.0/bin/x86_64-linux-gnu-gcc-ranlib-10.2 Disable /usr/local/gcc-10.2.0/bin/x86_64-linux-gnu-gcc-10.2.0 Disable /usr/local/gcc-10.2.0/bin/x86_64-linux-gnu-gcc-nm-10.2 Disable /usr/local/gcc-10.2.0/bin/x86_64-linux-gnu-gcc-ar-10.2 Disable /usr/local/gcc-10.2.0/bin/x86_64-linux-gnu-gcc-10.2 Disable /usr/local/gcc-10.2.0/bin/x86_64-linux-gnu-g++-10.2 Disable /usr/src Disable /usr/local/src Disable /usr/include Disable /usr/local/include Mounting noexec /home/internet/.cache/mozilla/firefox 1257 1174 253:0 /home/internet/.cache/mozilla/firefox /home/internet/.cache/mozilla/firefox rw,nosuid,nodev,noexec,noatime - ext4 /dev/mapper/rootfs rw mountid=1257 fsname=/home/internet/.cache/mozilla/firefox dir=/home/internet/.cache/mozilla/firefox fstype=ext4 Mounting noexec /home/internet/.mozilla 1258 1175 253:0 /home/internet/.mozilla /home/internet/.mozilla rw,nosuid,nodev,noexec,noatime - ext4 /dev/mapper/rootfs rw mountid=1258 fsname=/home/internet/.mozilla dir=/home/internet/.mozilla fstype=ext4 Mounting noexec /home/internet/.pki 1259 1215 253:0 /home/internet/.pki /home/internet/.pki rw,nosuid,nodev,noexec,noatime - ext4 /dev/mapper/rootfs rw mountid=1259 fsname=/home/internet/.pki dir=/home/internet/.pki fstype=ext4 Mounting noexec /home/internet/.local/share/pki 1260 1216 253:0 /home/internet/.local/share/pki /home/internet/.local/share/pki rw,nosuid,nodev,noexec,noatime - ext4 /dev/mapper/rootfs rw mountid=1260 fsname=/home/internet/.local/share/pki dir=/home/internet/.local/share/pki fstype=ext4 Mounting noexec 
/home/internet/.config/dconf 1261 1226 253:0 /home/internet/.config/dconf /home/internet/.config/dconf ro,nosuid,nodev,noexec,noatime - ext4 /dev/mapper/rootfs rw mountid=1261 fsname=/home/internet/.config/dconf dir=/home/internet/.config/dconf fstype=ext4 Mounting noexec /home/internet/.cache/fontconfig 1262 1218 253:0 /home/internet/.cache/fontconfig /home/internet/.cache/fontconfig rw,nosuid,nodev,noexec,noatime - ext4 /dev/mapper/rootfs rw mountid=1262 fsname=/home/internet/.cache/fontconfig dir=/home/internet/.cache/fontconfig fstype=ext4 Mounting noexec /home/internet/.fontconfig 1263 1219 253:0 /home/internet/.fontconfig /home/internet/.fontconfig rw,nosuid,nodev,noexec,noatime - ext4 /dev/mapper/rootfs rw mountid=1263 fsname=/home/internet/.fontconfig dir=/home/internet/.fontconfig fstype=ext4 Mounting noexec /dev/shm 1264 117 0:52 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64 mountid=1264 fsname=/shm dir=/dev/shm fstype=tmpfs Mounting noexec /tmp 1266 1265 0:29 /.X11-unix /tmp/.X11-unix rw,noatime - tmpfs none rw,inode64 mountid=1266 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /tmp/.X11-unix 1267 1266 0:29 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,noatime - tmpfs none rw,inode64 mountid=1267 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Disable /usr/share/perl5 Disable /usr/share/perl Not blacklist /home/internet/.mozilla Not blacklist /home/internet/.cache/mozilla Mounting tmpfs on /home/internet/.cache, check owner: yes 1270 1173 0:60 / /home/internet/.cache rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755,uid=1001,gid=1003,inode64 mountid=1270 fsname=/ dir=/home/internet/.cache fstype=tmpfs Mounting read-only /tmp/.X11-unix 1271 1267 0:29 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,noatime - tmpfs none rw,inode64 mountid=1271 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Disable /sys/fs Disable /sys/module Disable /mnt Disable /media Disable /run/mount /etc/pulse/client.conf not 
found Current directory: /home/internet Install protocol filter: unix,inet,inet6,netlink configuring 22 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /usr/local/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol Build drop seccomp filter sbox run: /run/firejail/lib/fseccomp drop /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.postexec @cloSeccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,ioprio_set,mbind,migrate_pages,move_pages,sched_setaffinity,sched_setattr,sched_setparam,sched_setscheduler,set_mempolicy,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice, line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 
0007: 15 45 00 0000009f jeq adjtimex 004d (false 0008) 0008: 15 44 00 00000131 jeq clock_adjtime 004d (false 0009) 0009: 15 43 00 000000e3 jeq clock_settime 004d (false 000a) 000a: 15 42 00 000000a4 jeq settimeofday 004d (false 000b) 000b: 15 41 00 0000009a jeq modify_ldt 004d (false 000c) 000c: 15 40 00 000000d4 jeq lookup_dcookie 004d (false 000d) 000d: 15 3f 00 0000012a jeq perf_event_open 004d (false 000e) 000e: 15 3e 00 00000137 jeq process_vm_writev 004d (false 000f) 000f: 15 3d 00 000000b0 jeq delete_module 004d (false 0010) 0010: 15 3c 00 00000139 jeq finit_module 004d (false 0011) 0011: 15 3b 00 000000af jeq init_module 004d (false 0012) 0012: 15 3a 00 0000009c jeq _sysctl 004d (false 0013) 0013: 15 39 00 000000b7 jeq afs_syscall 004d (false 0014) 0014: 15 38 00 000000ae jeq create_module 004d (false 0015) 0015: 15 37 00 000000b1 jeq get_kernel_syms 004d (false 0016) 0016: 15 36 00 000000b5 jeq getpmsg 004d (false 0017) 0017: 15 35 00 000000b6 jeq putpmsg 004d (false 0018) 0018: 15 34 00 000000b2 jeq query_module 004d (false 0019) 0019: 15 33 00 000000b9 jeq security 004d (false 001a) 001a: 15 32 00 0000008b jeq sysfs 004d (false 001b) 001b: 15 31 00 000000b8 jeq tuxcall 004d (false 001c) 001c: 15 30 00 00000086 jeq uselib 004d (false 001d) 001d: 15 2f 00 00000088 jeq ustat 004d (false 001e) 001e: 15 2e 00 000000ec jeq vserver 004d (false 001f) 001f: 15 2d 00 000000ad jeq ioperm 004d (false 0020) 0020: 15 2c 00 000000ac jeq iopl 004d (false 0021) 0021: 15 2b 00 000000f6 jeq kexec_load 004d (false 0022) 0022: 15 2a 00 00000140 jeq kexec_file_load 004d (false 0023) 0023: 15 29 00 000000a9 jeq reboot 004d (false 0024) 0024: 15 28 00 000000fb jeq ioprio_set 004d (false 0025) 0025: 15 27 00 000000ed jeq mbind 004d (false 0026) 0026: 15 26 00 00000100 jeq migrate_pages 004d (false 0027) 0027: 15 25 00 00000117 jeq move_pages 004d (false 0028) 0028: 15 24 00 000000cb jeq sched_setaffinity 004d (false 0029) 0029: 15 23 00 0000013a jeq sched_setattr 004d (false 
002a) 002a: 15 22 00 0000008e jeq sched_setparam 004d (false 002b) 002b: 15 21 00 00000090 jeq sched_setscheduler 004d (false 002c) 002c: 15 20 00 000000ee jeq set_mempolicy 004d (false 002d) 002d: 15 1f 00 000000a7 jeq swapon 004d (false 002e) 002e: 15 1e 00 000000a8 jeq swapoff 004d (false 002f) 002f: 15 1d 00 000000a3 jeq acct 004d (false 0030) 0030: 15 1c 00 000000f8 jeq add_key 004d (false 0031) 0031: 15 1b 00 00000141 jeq bpf 004d (false 0032) 0032: 15 1a 00 0000012c jeq fanotify_init 004d (false 0033) 0033: 15 19 00 000000d2 jeq io_cancel 004d (false 0034) 0034: 15 18 00 000000cf jeq io_destroy 004d (false 0035) 0035: 15 17 00 000000d0 jeq io_getevents 004d (false 0036) 0036: 15 16 00 000000ce jeq io_setup 004d (false 0037) 0037: 15 15 00 000000d1 jeq io_submit 004d (false 0038) 0038: 15 14 00 000000fb jeq ioprio_set 004d (false 0039) 0039: 15 13 00 00000138 jeq kcmp 004d (false 003a) 003a: 15 12 00 000000fa jeq keyctl 004d (false 003b) 003b: 15 11 00 000000a5 jeq mount 004d (false 003c) 003c: 15 10 00 0000012f jeq name_to_handle_at 004d (false 003d) 003d: 15 0f 00 000000b4 jeq nfsservctl 004d (false 003e) 003e: 15 0e 00 00000130 jeq open_by_handle_at 004d (false 003f) 003f: 15 0d 00 00000087 jeq personality 004d (false 0040) 0040: 15 0c 00 0000009b jeq pivot_root 004d (false 0041) 0041: 15 0b 00 00000136 jeq process_vm_readv 004d (false 0042) 0042: 15 0a 00 00000065 jeq ptrace 004d (false 0043) 0043: 15 09 00 000000d8 jeq remap_file_pages 004d (false 0044) 0044: 15 08 00 000000f9 jeq request_key 004d (false 0045) 0045: 15 07 00 000000ab jeq setdomainname 004d (false 0046) 0046: 15 06 00 000000aa jeq sethostname 004d (false 0047) 0047: 15 05 00 00000067 jeq syslog 004d (false 0048) 0048: 15 04 00 000000a6 jeq umount2 004d (false 0049) 0049: 15 03 00 00000143 jeq userfaultfd 004d (false 004a) 004a: 15 02 00 00000099 jeq vhangup 004d (false 004b) 004b: 15 01 00 00000116 jeq vmsplice 004d (false 004c) 004c: 06 00 00 7fff0000 ret ALLOW 004d: 06 00 01 00050001 
ret ERRNO(1)
ck,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
sbox run: /run/firejail/lib/fsec-optimize /run/firejail/mnt/seccomp/seccomp
configuring 78 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/local/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
1277 73 0:43 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=1277 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root root 160 .
drwxr-xr-x root root 320 ..
-rw-r--r-- internet internet 624 seccomp
-rw-r--r-- internet internet 432 seccomp.32
-rw-r--r-- internet internet 77 seccomp.list
-rw-r--r-- internet internet 0 seccomp.postexec
-rw-r--r-- internet internet 0 seccomp.postexec32
-rw-r--r-- internet internet 176 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1001, gid 1003, nogroups 1
No supplementary groups
AppArmor enabled
Child process initialized in 743.59 ms
Starting application
LD_PRELOAD=(null)
execvp argument 0: firefox
/usr/local/bin/firefox: 3: /usr/local/bin/firefox: which: Permission denied
No protocol specified
Unable to init server: connection....
Error: cannot open display: :0.0
Parent is shutting down, bye...
```

EDIT by @rusty-snake: code-block and details-summary

osevan commented 3 years ago

With this firefox.profile everything works successfully with the default user:

```
# Firejail profile for firefox
# Description: Safe and easy web browser from Mozilla
# This file is overwritten after every install/update
# Persistent local customizations
include firefox.local
# Persistent global definitions
include globals.local

# NOTE: sandboxing web browsers is as important as it is complex. Users might be
# interested in creating custom profiles depending on use case (e.g. one for
# general browsing, another for banking, ...). Consult our FAQ/issue tracker for more
# info. Here are a few links to get you going.
# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#firefox-doesnt-open-in-a-new-sandbox-instead-it-opens-a-new-tab-in-an-existing-firefox-instance
# https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#how-do-i-run-two-instances-of-firefox
# https://github.com/netblue30/firejail/issues/4206#issuecomment-824806968

noblacklist ${HOME}/.cache/mozilla
noblacklist ${HOME}/.mozilla
#firefox nightly using
#noblacklist /home/ra/compile/firefox/mozilla-unified/
#ignore noexec ${HOME}
#whitelist /home/ra/compile/firefox/mozilla-unified/

mkdir ${HOME}/.cache/mozilla/firefox
mkdir ${HOME}/.mozilla
whitelist ${HOME}/.cache/mozilla/firefox
whitelist ${HOME}/.mozilla

# Add one of the following whitelist options to your firefox.local to enable KeePassXC Plugin support.
# NOTE: start KeePassXC before Firefox and keep it open to allow communication between them.
#whitelist ${RUNUSER}/kpxc_server
#whitelist ${RUNUSER}/org.keepassxc.KeePassXC.BrowserServer

whitelist /usr/share/doc
whitelist /usr/share/firefox
whitelist /usr/share/gnome-shell/search-providers/firefox-search-provider.ini
whitelist /usr/share/gtk-doc/html
whitelist /usr/share/mozilla
whitelist /usr/share/webext
include whitelist-usr-share-common.inc

# firefox requires a shell to launch on Arch - add the next line to your firefox.local to enable private-bin.
#private-bin bash,dbus-launch,dbus-send,env,firefox,sh,which
# Fedora uses shell scripts to launch firefox - add the next line to your firefox.local to enable private-bin.
private-bin basename,bash,cat,dirname,expr,false,firefox,firefox-esr,firefox-wayland,getenforce,ln,mkdir,pidof,restorecon,rm,rmdir,sed,sh,tclsh,true,uname
# Add the next line to your firefox.local to enable private-etc support - note that this must be enabled in your firefox-common.local too.
#private-etc firefox

dbus-user filter
dbus-user.own org.mozilla.Firefox.*
dbus-user.own org.mozilla.firefox.*
dbus-user.own org.mpris.MediaPlayer2.firefox.*
# Add the next line to your firefox.local to enable native notifications.
#dbus-user.talk org.freedesktop.Notifications
# Add the next line to your firefox.local to allow inhibiting screensavers.
#dbus-user.talk org.freedesktop.ScreenSaver
# Add the next lines to your firefox.local for plasma browser integration.
#dbus-user.own org.mpris.MediaPlayer2.plasma-browser-integration
#dbus-user.talk org.kde.JobViewServer
#dbus-user.talk org.kde.kuiserver
# Add the next two lines to your firefox.local to allow screen sharing under wayland.
#whitelist ${RUNUSER}/pipewire-0
#dbus-user.talk org.freedesktop.portal.*
# Add the next line to your firefox.local if screen sharing still does not work
# with the above lines (might depend on the portal implementation).
#ignore noroot
ignore dbus-user none

# Redirect
include firefox-common.profile

apparmor
caps.drop all
netfilter
nonewprivs
noroot
protocol unix,inet,inet6,netlink
nogroups
seccomp

#seccomp.drop adjtimex,clock_adjtime,clock_settime,settimeofday,stime,modify_ldt,subpage_prot,swi$
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice
#tracelog

# experimental features
private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,gtk-2.0,pango,fonts,$
private-dev
#private-bin firefox-esr
private-tmp
private-cache
private-lib /usr/lib/firefox-esr/libmozgtk.so,/usr/lib/firefox-esr/libxul.so
noexec ${HOME}
noexec /tmp
noexec ${DOWNLOADS}
#memory-deny-write-execute
```

EDIT by @rusty-snake: code-block

osevan commented 3 years ago

I did `xhost +local:internet`

and then `sudo -u internet -H firejail --debug firefox`

This does the magic trick; now it all works very well...

Please update the documentation and changelog for this fix.
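
An added example, not part of the thread or of firejail: a POSIX shell check of `xhost` output for the grant that lets the sandbox user `internet` open the display. In xhost the `local:` family covers every non-network connection, while `si:localuser:NAME` names a single user; the sample outputs and the desktop user `alice` are constructed.

```shell
#!/bin/sh
# Audit `xhost` output for the X11 grant that lets a sandbox user reach the display.
# Live use:  xhost | audit_xhost internet
# Status: 0 = per-user grant only, 1 = over-broad grant present, 2 = user has no grant.
audit_xhost() {
    user=$1
    broad=0
    granted=0
    while IFS= read -r line; do
        case $line in
            "access control disabled"*)
                printf '%s\n' "BROAD: access control is off, any client may connect"
                broad=1; granted=1 ;;
            "access control enabled"*)
                ;;
            LOCAL:*)
                # Family "local" matches every non-network (Unix socket) client.
                printf '%s\n' "BROAD: $line admits every local user, not just $user"
                broad=1; granted=1 ;;
            "SI:localuser:$user")
                printf '%s\n' "OK: $line limits access to user $user"
                granted=1 ;;
            SI:localuser:*)
                printf '%s\n' "INFO: $line grants another local user" ;;
            INET:*|INET6:*)
                printf '%s\n' "BROAD: $line admits a network host"
                broad=1 ;;
            "")
                ;;
            *)
                printf '%s\n' "INFO: unrecognised entry: $line" ;;
        esac
    done
    if [ "$broad" -eq 1 ]; then
        return 1
    fi
    if [ "$granted" -eq 0 ]; then
        # Without a grant the client fails with "No protocol specified".
        printf '%s\n' "MISSING: no entry grants $user access to the display"
        return 2
    fi
    return 0
}

# Constructed sample: listing after a family-wide local grant.
sample_local_grant() {
    printf '%s\n' \
        "access control enabled, only authorized clients can connect" \
        "LOCAL:" \
        "SI:localuser:alice"
}

# Constructed sample: listing with a grant for the sandbox user only.
sample_user_grant() {
    printf '%s\n' \
        "access control enabled, only authorized clients can connect" \
        "SI:localuser:alice" \
        "SI:localuser:internet"
}

# Constructed sample: the sandbox user has no grant at all.
sample_no_grant() {
    printf '%s\n' \
        "access control enabled, only authorized clients can connect" \
        "SI:localuser:alice"
}

# Demo run over the constructed samples.
for sample in sample_local_grant sample_user_grant sample_no_grant; do
    echo "== $sample"
    "$sample" | audit_xhost internet || echo "status: $?"
done
```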