netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

firefox: freeze with custom profile (seccomp) #4698

Closed fpusersuggest closed 2 years ago

fpusersuggest commented 2 years ago

Description

Describe the bug

Hello, I have a custom profile for firefox. If I go on a specific facebook group, that firefox tab freezes and I have to close it. I found an error in the log and I'd like to know how to fix it. This is the log:

```
nov 18 20:48:14 mypc audit[10931]: SECCOMP auid=1000 uid=1000 gid=1001 ses=1 subj=firejail-default pid=10931 comm=57656220436F6E74656E74 exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 compat=0 ip=0x7fe97668589d code=0x0
nov 18 20:48:14 mypc kernel: audit: type=1326 audit(1637264894.948:51): auid=1000 uid=1000 gid=1001 ses=1 subj=firejail-default pid=10931 comm=57656220436F6E74656E74 exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 compat=0 ip=0x7fe97668589d code=0x0
```

Steps to Reproduce

  1. Run in bash LC_ALL=C firejail PROGRAM (LC_ALL=C to get a consistent output in English that can be understood by everybody)

```
$ LC_ALL=C firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 14951, child pid 14952
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 182.72 ms
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
```

  2. Click on '....': I connect to facebook and then to the following facebook group https://www.facebook.com/groups/477126719059034; after that the facebook tab freezes and I see the error in the log:

```
nov 18 20:55:56 audit[15170]: SECCOMP auid=1000 uid=1000 gid=1001 ses=1 subj=firejail-default pid=15170 comm=57656220436F6E74656E74 exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 compat=0 ip=0x7f0d6896189d code=0x0
nov 18 20:55:56 kernel: audit: type=1326 audit(1637265356.469:52): auid=1000 uid=1000 gid=1001 ses=1 subj=firejail-default pid=15170 comm=57656220436F6E74656E74 exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 compat=0 ip=0x7f0d6896189d code=0x0
```

Expected behavior

Browse Facebook without freezing.

Environment

Checklist

Output of LC_ALL=C firejail --debug /path/to/program

```
$ LC_ALL=C firejail --debug firefox 2>&1>fire.debug
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
DISPLAY=:0 parsed as 0
Parent pid 41527, child pid 41528
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Debug 423: new_name #/home/lws/.cache/mozilla/firefox#, whitelist
Debug 531: fname #/home/lws/.cache/mozilla/firefox#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.mozilla#, whitelist
Debug 531: fname #/home/lws/.mozilla#, cfg.homedir #/home/lws#
Debug 423: new_name #/usr/share/mozilla#, whitelist
Debug 423: new_name #/usr/share/webext#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/alsa#, whitelist
Debug 423: new_name #/usr/share/applications#, whitelist
Debug 423: new_name #/usr/share/ca-certificates#, whitelist
Debug 423: new_name #/usr/share/crypto-policies#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/cursors#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/dconf#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/distro-info#, whitelist
Debug 423: new_name #/usr/share/drirc.d#, whitelist
Debug 423: new_name #/usr/share/enchant#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/enchant-2#, whitelist
Debug 423: new_name #/usr/share/fontconfig#, whitelist
Debug 423: new_name 
#/usr/share/fonts#, whitelist Debug 423: new_name #/usr/share/gir-1.0#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/gjs-1.0#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/glib-2.0#, whitelist Debug 423: new_name #/usr/share/glvnd#, whitelist Debug 423: new_name #/usr/share/gtk-2.0#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/gtk-3.0#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/gtksourceview-3.0#, whitelist Debug 423: new_name #/usr/share/gtksourceview-4#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/hunspell#, whitelist Debug 423: new_name #/usr/share/hwdata#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/icons#, whitelist Debug 423: new_name #/usr/share/knotifications5#, whitelist Debug 423: new_name #/usr/share/icu#, whitelist Debug 423: new_name #/usr/share/kservices5#, whitelist Debug 423: new_name #/usr/share/Kvantum#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/kxmlgui5#, whitelist Debug 423: new_name #/usr/share/libdrm#, whitelist Debug 423: new_name #/usr/share/libthai#, whitelist Debug 423: new_name #/usr/share/locale#, whitelist Debug 423: new_name #/usr/share/mime#, whitelist Debug 423: new_name #/usr/share/misc#, whitelist Debug 423: new_name #/usr/share/Modules#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/myspell#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/p11-kit#, whitelist Debug 423: new_name #/usr/share/pixmaps#, whitelist Debug 423: new_name #/usr/share/pki#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/plasma#, whitelist Debug 423: new_name #/usr/share/qt#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/qt4#, whitelist realpath: No such file or directory Debug 423: new_name 
#/usr/share/qt5#, whitelist Debug 423: new_name #/usr/share/sounds#, whitelist Debug 423: new_name #/usr/share/tcl8.6#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/terminfo#, whitelist Debug 423: new_name #/usr/share/themes#, whitelist Debug 423: new_name #/usr/share/thumbnail.so#, whitelist realpath: No such file or directory Debug 423: new_name #/usr/share/X11#, whitelist Debug 423: new_name #/usr/share/xml#, whitelist Debug 423: new_name #/usr/share/zoneinfo#, whitelist Debug 423: new_name #/home/lws/Scaricati#, whitelist Debug 531: fname #/home/lws/Scaricati#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.pki#, whitelist Debug 531: fname #/home/lws/.pki#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.local/share/pki#, whitelist Debug 531: fname #/home/lws/.local/share/pki#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.XCompose#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.asoundrc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/ibus#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/mimeapps.list#, whitelist Debug 531: fname #/home/lws/.config/mimeapps.list#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.config/pkcs11#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/user-dirs.dirs#, whitelist Debug 531: fname #/home/lws/.config/user-dirs.dirs#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.drirc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.icons#, whitelist Debug 531: fname #/home/lws/.icons#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.local/share/applications#, whitelist Debug 531: fname #/home/lws/.local/share/applications#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.local/share/icons#, whitelist realpath: No such file or directory Debug 423: new_name 
#/home/lws/.local/share/mime#, whitelist Debug 531: fname #/home/lws/.local/share/mime#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.mime.types#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/dconf#, whitelist Debug 531: fname #/home/lws/.config/dconf#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.cache/fontconfig#, whitelist Debug 531: fname #/home/lws/.cache/fontconfig#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.config/fontconfig#, whitelist Debug 531: fname #/home/lws/.config/fontconfig#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.fontconfig#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.fonts#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.fonts.conf#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.fonts.conf.d#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.fonts.d#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.local/share/fonts#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.pangorc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/gtk-2.0#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/gtk-3.0#, whitelist Debug 531: fname #/home/lws/.config/gtk-3.0#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.config/gtkrc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/gtkrc-2.0#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.gnome2#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.gnome2-private#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.gtk-2.0#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.gtkrc#, whitelist realpath: No such file or 
directory Debug 423: new_name #/home/lws/.gtkrc-2.0#, whitelist Debug 531: fname #/home/lws/.gtkrc-2.0#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.kde/share/config/gtkrc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde/share/config/gtkrc-2.0#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde4/share/config/gtkrc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde4/share/config/gtkrc-2.0#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.local/share/themes#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.themes#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.cache/kioexec/krun#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/Kvantum#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/Trolltech.conf#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/kdeglobals#, whitelist Debug 531: fname #/home/lws/.config/kdeglobals#, cfg.homedir #/home/lws# Debug 423: new_name #/home/lws/.config/kio_httprc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/kioslaverc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/ksslcablacklist#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.config/qt5ct#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde/share/config/kdeglobals#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde/share/config/kio_httprc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde/share/config/kioslaverc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde/share/config/ksslcablacklist#, whitelist realpath: No such file or directory 
Debug 423: new_name #/home/lws/.kde/share/config/oxygenrc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde/share/icons#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde4/share/config/kdeglobals#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde4/share/config/kio_httprc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde4/share/config/kioslaverc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde4/share/config/ksslcablacklist#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde4/share/config/oxygenrc#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.kde4/share/icons#, whitelist realpath: No such file or directory Debug 423: new_name #/home/lws/.local/share/qt5ct#, whitelist realpath: No such file or directory Debug 423: new_name #/var/lib/dbus#, whitelist Debug 423: new_name #/var/lib/menu-xdg#, whitelist realpath: No such file or directory Debug 423: new_name #/var/cache/fontconfig#, whitelist Debug 423: new_name #/var/tmp#, whitelist Debug 423: new_name #/var/run#, whitelist Debug 423: new_name #/var/lock#, whitelist Debug 423: new_name #/tmp/.X11-unix#, whitelist Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Warning: cleaning all supplementary groups Post-exec seccomp protector enabled DISPLAY=:0 parsed as 0 Child process initialized in 178.53 ms ATTENTION: default value of option mesa_glthread overridden by environment. ATTENTION: default value of option mesa_glthread overridden by environment. ATTENTION: default value of option mesa_glthread overridden by environment. ATTENTION: default value of option mesa_glthread overridden by environment. 
$ cat fire.debug Autoselecting /bin/bash as shell Building quoted command line: 'firefox' Command name #firefox# Found firefox.profile profile in /etc/firejail directory Found whitelist-usr-share-common.inc profile in /etc/firejail directory Found firefox-common.profile profile in /etc/firejail directory conditional BROWSER_ALLOW_DRM, ignore noexec ${HOME} Found disable-common.inc profile in /etc/firejail directory Found disable-devel.inc profile in /etc/firejail directory Found disable-exec.inc profile in /etc/firejail directory Found disable-interpreters.inc profile in /etc/firejail directory Found disable-programs.inc profile in /etc/firejail directory Found whitelist-common.inc profile in /etc/firejail directory Found whitelist-var-common.inc profile in /etc/firejail directory conditional BROWSER_DISABLE_U2F, nou2f Using the local network stack conditional BROWSER_DISABLE_U2F, nou2f Using the local network stack Initializing child process PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Build protocol filter: unix,inet,inet6,netlink sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp/seccomp.protocol (null) Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc Mounting noexec /etc Mounting read-only /var Mounting noexec /var Mounting read-only /bin Mounting read-only /sbin Mounting read-only /lib Mounting read-only /lib64 Mounting read-only /lib32 Mounting read-only /libx32 Mounting read-only /usr Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Mounting tmpfs on /var/lib/dhcp Mounting tmpfs on /var/lib/snmp Mounting tmpfs on /var/lib/sudo Create the new utmp file Mount the new utmp file Cleaning /home directory Cleaning /run/user 
directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/profile Disable /run/firejail/x11 Mounting tmpfs on /dev mounting /run/firejail/mnt/dev/snd directory mounting /run/firejail/mnt/dev/dri directory mounting /run/firejail/mnt/dev/video0 file mounting /run/firejail/mnt/dev/video1 file Process /dev/shm directory Generate private-tmp whitelist commands blacklist /run/user/1000/bus blacklist /run/dbus/system_bus_socket Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /sys/kernel/debug Disable /sys/kernel/vmcoreinfo Disable /sys/kernel/uevent_helper Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/kernel/hotplug Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/sched_debug Disable /proc/timer_list Disable /proc/kcore Disable /proc/kallsyms Disable /usr/lib/modules (requested /lib/modules) Disable /boot Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /proc/kmsg Replaced whitelist path: whitelist /home/lws/.cache/mozilla/firefox Replaced whitelist path: whitelist /home/lws/.mozilla Removed whitelist/nowhitelist path: whitelist /usr/share/webext expanded: /usr/share/webext real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/crypto-policies expanded: /usr/share/crypto-policies real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/cursors expanded: /usr/share/cursors real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/dconf expanded: /usr/share/dconf real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/enchant expanded: /usr/share/enchant real path: (null) Removed whitelist/nowhitelist path: whitelist 
/usr/share/gir-1.0 expanded: /usr/share/gir-1.0 real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/gjs-1.0 expanded: /usr/share/gjs-1.0 real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/gtk-2.0 expanded: /usr/share/gtk-2.0 real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/gtk-3.0 expanded: /usr/share/gtk-3.0 real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/gtksourceview-4 expanded: /usr/share/gtksourceview-4 real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/hwdata expanded: /usr/share/hwdata real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/Kvantum expanded: /usr/share/Kvantum real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/Modules expanded: /usr/share/Modules real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/myspell expanded: /usr/share/myspell real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/pki expanded: /usr/share/pki real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/qt expanded: /usr/share/qt real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/qt4 expanded: /usr/share/qt4 real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/tcl8.6 expanded: /usr/share/tcl8.6 real path: (null) Removed whitelist/nowhitelist path: whitelist /usr/share/thumbnail.so expanded: /usr/share/thumbnail.so real path: (null) Directory ${DOWNLOADS} resolved as Scaricati Replaced whitelist path: whitelist /home/lws/Scaricati Replaced whitelist path: whitelist /home/lws/.pki Replaced whitelist path: whitelist /home/lws/.local/share/pki Removed whitelist/nowhitelist path: whitelist ${HOME}/.XCompose expanded: /home/lws/.XCompose real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.asoundrc expanded: /home/lws/.asoundrc real path: (null) Removed whitelist/nowhitelist path: whitelist 
${HOME}/.config/ibus expanded: /home/lws/.config/ibus real path: (null) Replaced whitelist path: whitelist /home/lws/.config/mimeapps.list Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/pkcs11 expanded: /home/lws/.config/pkcs11 real path: (null) Replaced whitelist path: whitelist /home/lws/.config/user-dirs.dirs Removed whitelist/nowhitelist path: whitelist ${HOME}/.drirc expanded: /home/lws/.drirc real path: (null) Replaced whitelist path: whitelist /home/lws/.icons Replaced whitelist path: whitelist /home/lws/.local/share/applications Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/icons expanded: /home/lws/.local/share/icons real path: (null) Replaced whitelist path: whitelist /home/lws/.local/share/mime Removed whitelist/nowhitelist path: whitelist ${HOME}/.mime.types expanded: /home/lws/.mime.types real path: (null) Replaced whitelist path: whitelist /home/lws/.config/dconf Replaced whitelist path: whitelist /home/lws/.cache/fontconfig Replaced whitelist path: whitelist /home/lws/.config/fontconfig Removed whitelist/nowhitelist path: whitelist ${HOME}/.fontconfig expanded: /home/lws/.fontconfig real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts expanded: /home/lws/.fonts real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf expanded: /home/lws/.fonts.conf real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf.d expanded: /home/lws/.fonts.conf.d real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.d expanded: /home/lws/.fonts.d real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/fonts expanded: /home/lws/.local/share/fonts real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.pangorc expanded: /home/lws/.pangorc real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtk-2.0 expanded: /home/lws/.config/gtk-2.0 real path: (null) Replaced 
whitelist path: whitelist /home/lws/.config/gtk-3.0 Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc expanded: /home/lws/.config/gtkrc real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc-2.0 expanded: /home/lws/.config/gtkrc-2.0 real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2 expanded: /home/lws/.gnome2 real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2-private expanded: /home/lws/.gnome2-private real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtk-2.0 expanded: /home/lws/.gtk-2.0 real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc expanded: /home/lws/.gtkrc real path: (null) Replaced whitelist path: whitelist /home/lws/.gtkrc-2.0 Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc expanded: /home/lws/.kde/share/config/gtkrc real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc-2.0 expanded: /home/lws/.kde/share/config/gtkrc-2.0 real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc expanded: /home/lws/.kde4/share/config/gtkrc real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc-2.0 expanded: /home/lws/.kde4/share/config/gtkrc-2.0 real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/themes expanded: /home/lws/.local/share/themes real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.themes expanded: /home/lws/.themes real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/kioexec/krun expanded: /home/lws/.cache/kioexec/krun real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Kvantum expanded: /home/lws/.config/Kvantum real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Trolltech.conf expanded: /home/lws/.config/Trolltech.conf 
real path: (null) Replaced whitelist path: whitelist /home/lws/.config/kdeglobals Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kio_httprc expanded: /home/lws/.config/kio_httprc real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kioslaverc expanded: /home/lws/.config/kioslaverc real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ksslcablacklist expanded: /home/lws/.config/ksslcablacklist real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/qt5ct expanded: /home/lws/.config/qt5ct real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kdeglobals expanded: /home/lws/.kde/share/config/kdeglobals real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kio_httprc expanded: /home/lws/.kde/share/config/kio_httprc real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kioslaverc expanded: /home/lws/.kde/share/config/kioslaverc real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/ksslcablacklist expanded: /home/lws/.kde/share/config/ksslcablacklist real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/oxygenrc expanded: /home/lws/.kde/share/config/oxygenrc real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/icons expanded: /home/lws/.kde/share/icons real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kdeglobals expanded: /home/lws/.kde4/share/config/kdeglobals real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kio_httprc expanded: /home/lws/.kde4/share/config/kio_httprc real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kioslaverc expanded: /home/lws/.kde4/share/config/kioslaverc real path: (null) Removed whitelist/nowhitelist path: whitelist 
${HOME}/.kde4/share/config/ksslcablacklist expanded: /home/lws/.kde4/share/config/ksslcablacklist real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/oxygenrc expanded: /home/lws/.kde4/share/config/oxygenrc real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/icons expanded: /home/lws/.kde4/share/icons real path: (null) Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/qt5ct expanded: /home/lws/.local/share/qt5ct real path: (null) Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg expanded: /var/lib/menu-xdg real path: (null) Replaced whitelist path: whitelist /run Replaced whitelist path: whitelist /run/lock Mounting tmpfs on /tmp directory Mounting tmpfs on /var directory Mounting tmpfs on /usr/share directory Mounting a new /home directory Mounting a new /root directory Create a new user directory Whitelisting /home/lws/.cache/mozilla/firefox 1337 1335 8:2 /home/lws/.cache/mozilla/firefox /home/lws/.cache/mozilla/firefox rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1337 fsname=/home/lws/.cache/mozilla/firefox dir=/home/lws/.cache/mozilla/firefox fstype=ext4 Whitelisting /home/lws/.mozilla 1338 1335 8:2 /home/lws/.mozilla /home/lws/.mozilla rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1338 fsname=/home/lws/.mozilla dir=/home/lws/.mozilla fstype=ext4 Whitelisting /usr/share/mozilla 1339 1333 8:2 /usr/share/mozilla /usr/share/mozilla ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1339 fsname=/usr/share/mozilla dir=/usr/share/mozilla fstype=ext4 Whitelisting /usr/share/alsa 1340 1333 8:2 /usr/share/alsa /usr/share/alsa ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1340 fsname=/usr/share/alsa dir=/usr/share/alsa fstype=ext4 Whitelisting /usr/share/applications 1341 1333 8:2 /usr/share/applications /usr/share/applications ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1341 fsname=/usr/share/applications 
dir=/usr/share/applications fstype=ext4 Whitelisting /usr/share/ca-certificates 1342 1333 8:2 /usr/share/ca-certificates /usr/share/ca-certificates ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1342 fsname=/usr/share/ca-certificates dir=/usr/share/ca-certificates fstype=ext4 Whitelisting /usr/share/distro-info 1343 1333 8:2 /usr/share/distro-info /usr/share/distro-info ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1343 fsname=/usr/share/distro-info dir=/usr/share/distro-info fstype=ext4 Whitelisting /usr/share/drirc.d 1344 1333 8:2 /usr/share/drirc.d /usr/share/drirc.d ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1344 fsname=/usr/share/drirc.d dir=/usr/share/drirc.d fstype=ext4 Whitelisting /usr/share/enchant-2 1345 1333 8:2 /usr/share/enchant-2 /usr/share/enchant-2 ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1345 fsname=/usr/share/enchant-2 dir=/usr/share/enchant-2 fstype=ext4 Whitelisting /usr/share/fontconfig 1346 1333 8:2 /usr/share/fontconfig /usr/share/fontconfig ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1346 fsname=/usr/share/fontconfig dir=/usr/share/fontconfig fstype=ext4 Whitelisting /usr/share/fonts 1347 1333 8:2 /usr/share/fonts /usr/share/fonts ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1347 fsname=/usr/share/fonts dir=/usr/share/fonts fstype=ext4 Whitelisting /usr/share/glib-2.0 1348 1333 8:2 /usr/share/glib-2.0 /usr/share/glib-2.0 ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1348 fsname=/usr/share/glib-2.0 dir=/usr/share/glib-2.0 fstype=ext4 Whitelisting /usr/share/glvnd 1349 1333 8:2 /usr/share/glvnd /usr/share/glvnd ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1349 fsname=/usr/share/glvnd dir=/usr/share/glvnd fstype=ext4 Whitelisting /usr/share/gtksourceview-3.0 1350 1333 8:2 /usr/share/gtksourceview-3.0 /usr/share/gtksourceview-3.0 ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1350 fsname=/usr/share/gtksourceview-3.0 
dir=/usr/share/gtksourceview-3.0 fstype=ext4 Whitelisting /usr/share/hunspell 1351 1333 8:2 /usr/share/hunspell /usr/share/hunspell ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1351 fsname=/usr/share/hunspell dir=/usr/share/hunspell fstype=ext4 Whitelisting /usr/share/icons 1352 1333 8:2 /usr/share/icons /usr/share/icons ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1352 fsname=/usr/share/icons dir=/usr/share/icons fstype=ext4 Whitelisting /usr/share/knotifications5 1353 1333 8:2 /usr/share/knotifications5 /usr/share/knotifications5 ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1353 fsname=/usr/share/knotifications5 dir=/usr/share/knotifications5 fstype=ext4 Whitelisting /usr/share/icu 1354 1333 8:2 /usr/share/icu /usr/share/icu ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1354 fsname=/usr/share/icu dir=/usr/share/icu fstype=ext4 Whitelisting /usr/share/kservices5 1355 1333 8:2 /usr/share/kservices5 /usr/share/kservices5 ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1355 fsname=/usr/share/kservices5 dir=/usr/share/kservices5 fstype=ext4 Whitelisting /usr/share/kxmlgui5 1356 1333 8:2 /usr/share/kxmlgui5 /usr/share/kxmlgui5 ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1356 fsname=/usr/share/kxmlgui5 dir=/usr/share/kxmlgui5 fstype=ext4 Whitelisting /usr/share/libdrm 1357 1333 8:2 /usr/share/libdrm /usr/share/libdrm ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1357 fsname=/usr/share/libdrm dir=/usr/share/libdrm fstype=ext4 Whitelisting /usr/share/libthai 1358 1333 8:2 /usr/share/libthai /usr/share/libthai ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1358 fsname=/usr/share/libthai dir=/usr/share/libthai fstype=ext4 Whitelisting /usr/share/locale 1359 1333 8:2 /usr/share/locale /usr/share/locale ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1359 fsname=/usr/share/locale dir=/usr/share/locale fstype=ext4 Whitelisting /usr/share/mime 1360 1333 8:2 /usr/share/mime 
/usr/share/mime ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1360 fsname=/usr/share/mime dir=/usr/share/mime fstype=ext4 Whitelisting /usr/share/misc 1361 1333 8:2 /usr/share/misc /usr/share/misc ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1361 fsname=/usr/share/misc dir=/usr/share/misc fstype=ext4 Whitelisting /usr/share/p11-kit 1362 1333 8:2 /usr/share/p11-kit /usr/share/p11-kit ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1362 fsname=/usr/share/p11-kit dir=/usr/share/p11-kit fstype=ext4 Whitelisting /usr/share/pixmaps 1363 1333 8:2 /usr/share/pixmaps /usr/share/pixmaps ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1363 fsname=/usr/share/pixmaps dir=/usr/share/pixmaps fstype=ext4 Whitelisting /usr/share/plasma 1364 1333 8:2 /usr/share/plasma /usr/share/plasma ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1364 fsname=/usr/share/plasma dir=/usr/share/plasma fstype=ext4 Whitelisting /usr/share/qt5 1365 1333 8:2 /usr/share/qt5 /usr/share/qt5 ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1365 fsname=/usr/share/qt5 dir=/usr/share/qt5 fstype=ext4 Whitelisting /usr/share/sounds 1366 1333 8:2 /usr/share/sounds /usr/share/sounds ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1366 fsname=/usr/share/sounds dir=/usr/share/sounds fstype=ext4 Whitelisting /usr/share/terminfo 1367 1333 8:2 /usr/share/terminfo /usr/share/terminfo ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1367 fsname=/usr/share/terminfo dir=/usr/share/terminfo fstype=ext4 Whitelisting /usr/share/themes 1368 1333 8:2 /usr/share/themes /usr/share/themes ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1368 fsname=/usr/share/themes dir=/usr/share/themes fstype=ext4 Whitelisting /usr/share/X11 1369 1333 8:2 /usr/share/X11 /usr/share/X11 ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1369 fsname=/usr/share/X11 dir=/usr/share/X11 fstype=ext4 Whitelisting /usr/share/xml 1370 1333 8:2 /usr/share/xml 
/usr/share/xml ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1370 fsname=/usr/share/xml dir=/usr/share/xml fstype=ext4 Whitelisting /usr/share/zoneinfo 1371 1333 8:2 /usr/share/zoneinfo /usr/share/zoneinfo ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1371 fsname=/usr/share/zoneinfo dir=/usr/share/zoneinfo fstype=ext4 Whitelisting /home/lws/Scaricati 1372 1335 8:2 /home/lws/Scaricati /home/lws/Scaricati rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1372 fsname=/home/lws/Scaricati dir=/home/lws/Scaricati fstype=ext4 Whitelisting /home/lws/.pki 1373 1335 8:2 /home/lws/.pki /home/lws/.pki rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1373 fsname=/home/lws/.pki dir=/home/lws/.pki fstype=ext4 Whitelisting /home/lws/.local/share/pki 1374 1335 8:2 /home/lws/.local/share/pki /home/lws/.local/share/pki rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1374 fsname=/home/lws/.local/share/pki dir=/home/lws/.local/share/pki fstype=ext4 Whitelisting /home/lws/.config/mimeapps.list 1375 1335 8:2 /home/lws/.config/mimeapps.list /home/lws/.config/mimeapps.list rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1375 fsname=/home/lws/.config/mimeapps.list dir=/home/lws/.config/mimeapps.list fstype=ext4 Whitelisting /home/lws/.config/user-dirs.dirs 1376 1335 8:2 /home/lws/.config/user-dirs.dirs /home/lws/.config/user-dirs.dirs rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1376 fsname=/home/lws/.config/user-dirs.dirs dir=/home/lws/.config/user-dirs.dirs fstype=ext4 Whitelisting /home/lws/.icons 1377 1335 8:2 /home/lws/.icons /home/lws/.icons rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1377 fsname=/home/lws/.icons dir=/home/lws/.icons fstype=ext4 Whitelisting /home/lws/.local/share/applications 1378 1335 8:2 /home/lws/.local/share/applications /home/lws/.local/share/applications rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1378 fsname=/home/lws/.local/share/applications 
dir=/home/lws/.local/share/applications fstype=ext4 Whitelisting /home/lws/.local/share/mime 1379 1335 8:2 /home/lws/.local/share/mime /home/lws/.local/share/mime rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1379 fsname=/home/lws/.local/share/mime dir=/home/lws/.local/share/mime fstype=ext4 Whitelisting /home/lws/.config/dconf 1380 1335 8:2 /home/lws/.config/dconf /home/lws/.config/dconf rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1380 fsname=/home/lws/.config/dconf dir=/home/lws/.config/dconf fstype=ext4 Whitelisting /home/lws/.cache/fontconfig 1381 1335 8:2 /home/lws/.cache/fontconfig /home/lws/.cache/fontconfig rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1381 fsname=/home/lws/.cache/fontconfig dir=/home/lws/.cache/fontconfig fstype=ext4 Whitelisting /home/lws/.config/fontconfig 1382 1335 8:2 /home/lws/.config/fontconfig /home/lws/.config/fontconfig rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1382 fsname=/home/lws/.config/fontconfig dir=/home/lws/.config/fontconfig fstype=ext4 Whitelisting /home/lws/.config/gtk-3.0 1383 1335 8:2 /home/lws/.config/gtk-3.0 /home/lws/.config/gtk-3.0 rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1383 fsname=/home/lws/.config/gtk-3.0 dir=/home/lws/.config/gtk-3.0 fstype=ext4 Whitelisting /home/lws/.gtkrc-2.0 1384 1335 8:2 /home/lws/.gtkrc-2.0 /home/lws/.gtkrc-2.0 rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1384 fsname=/home/lws/.gtkrc-2.0 dir=/home/lws/.gtkrc-2.0 fstype=ext4 Whitelisting /home/lws/.config/kdeglobals 1385 1335 8:2 /home/lws/.config/kdeglobals /home/lws/.config/kdeglobals rw,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1385 fsname=/home/lws/.config/kdeglobals dir=/home/lws/.config/kdeglobals fstype=ext4 Whitelisting /var/lib/dbus 1386 1331 8:2 /var/lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1386 fsname=/var/lib/dbus dir=/var/lib/dbus fstype=ext4 Whitelisting /var/cache/fontconfig 
1387 1331 8:2 /var/cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1387 fsname=/var/cache/fontconfig dir=/var/cache/fontconfig fstype=ext4 Whitelisting /var/tmp 1388 1331 0:59 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64 mountid=1388 fsname=/ dir=/var/tmp fstype=tmpfs Created symbolic link /var/run -> /run Created symbolic link /var/lock -> /run/lock Whitelisting /tmp/.X11-unix 1389 1324 0:50 /.X11-unix /tmp/.X11-unix rw,noatime master:69 - tmpfs tmpfs rw,inode64 mountid=1389 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Disable /etc/X11/Xsession.d Disable /etc/xdg/autostart Mounting read-only /home/lws/.Xauthority 1396 1335 0:73 /lws/.Xauthority /home/lws/.Xauthority ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64 mountid=1396 fsname=/lws/.Xauthority dir=/home/lws/.Xauthority fstype=tmpfs Mounting read-only /home/lws/.config/kdeglobals 1397 1385 8:2 /home/lws/.config/kdeglobals /home/lws/.config/kdeglobals ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1397 fsname=/home/lws/.config/kdeglobals dir=/home/lws/.config/kdeglobals fstype=ext4 Mounting read-only /home/lws/.config/dconf 1398 1380 8:2 /home/lws/.config/dconf /home/lws/.config/dconf ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1398 fsname=/home/lws/.config/dconf dir=/home/lws/.config/dconf fstype=ext4 Disable /run/acpid.socket (requested /var/run/acpid.socket) Disable /etc/anacrontab Disable /etc/cron.monthly Disable /etc/cron.daily Disable /etc/cron.weekly Disable /etc/cron.hourly Disable /etc/cron.d Disable /etc/crontab Disable /etc/profile.d Disable /etc/rc0.d Disable /etc/rc6.d Disable /etc/rcS.d Disable /etc/rc5.d Disable /etc/rc3.d Disable /etc/rc1.d Disable /etc/rc2.d Disable /etc/rc4.d Disable /etc/kernel-img.conf Disable /etc/kerneloops.conf Disable /etc/kernel Disable /etc/grub.d Disable /etc/dkms Disable /etc/apparmor.d Disable /etc/apparmor Disable /etc/selinux Disable 
/etc/modules-load.d Disable /etc/modules Disable /etc/logrotate.conf Disable /etc/logrotate.d Disable /etc/adduser.conf Mounting read-only /home/lws/.bashrc 1429 1335 0:73 /lws/.bashrc /home/lws/.bashrc ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64 mountid=1429 fsname=/lws/.bashrc dir=/home/lws/.bashrc fstype=tmpfs Mounting read-only /home/lws/.local/share/applications 1430 1378 8:2 /home/lws/.local/share/applications /home/lws/.local/share/applications ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1430 fsname=/home/lws/.local/share/applications dir=/home/lws/.local/share/applications fstype=ext4 Not blacklist /home/lws/.pki Not blacklist /home/lws/.local/share/pki Disable /etc/group- Disable /etc/gshadow Disable /etc/gshadow- Disable /etc/passwd- Disable /etc/shadow Disable /etc/shadow- Disable /etc/ssh Disable /usr/sbin (requested /sbin) Disable /usr/local/sbin Disable /usr/sbin Disable /usr/bin/chage Disable /usr/bin/chage (requested /bin/chage) Disable /usr/bin/chfn Disable /usr/bin/chfn (requested /bin/chfn) Disable /usr/bin/chsh Disable /usr/bin/chsh (requested /bin/chsh) Disable /usr/bin/crontab Disable /usr/bin/crontab (requested /bin/crontab) Disable /usr/bin/expiry Disable /usr/bin/expiry (requested /bin/expiry) Disable /usr/bin/fusermount Disable /usr/bin/fusermount (requested /bin/fusermount) Disable /usr/bin/gpasswd Disable /usr/bin/gpasswd (requested /bin/gpasswd) Disable /usr/bin/mount Disable /usr/bin/mount (requested /bin/mount) Disable /usr/bin/nc.openbsd (requested /usr/bin/nc) Disable /usr/bin/nc.openbsd (requested /bin/nc) Disable /usr/bin/newgrp Disable /usr/bin/newgrp (requested /bin/newgrp) Disable /usr/bin/ntfs-3g Disable /usr/bin/ntfs-3g (requested /bin/ntfs-3g) Disable /usr/bin/pkexec Disable /usr/bin/pkexec (requested /bin/pkexec) Disable /usr/bin/newgrp (requested /usr/bin/sg) Disable /usr/bin/newgrp (requested /bin/sg) Disable /usr/bin/strace Disable /usr/bin/strace (requested /bin/strace) Disable /usr/bin/su 
Disable /usr/bin/su (requested /bin/su) Disable /usr/bin/sudo Disable /usr/bin/sudo (requested /bin/sudo) Disable /usr/bin/umount Disable /usr/bin/umount (requested /bin/umount) Disable /usr/bin/xev Disable /usr/bin/xev (requested /bin/xev) Disable /usr/bin/xinput Disable /usr/bin/xinput (requested /bin/xinput) Disable /usr/lib/virtualbox Disable /usr/bin/urxvtc Disable /usr/bin/urxvtc (requested /bin/urxvtc) Disable /usr/bin/urxvtcd Disable /usr/bin/urxvtcd (requested /bin/urxvtcd) Disable /usr/bin/bwrap Disable /usr/bin/bwrap (requested /bin/bwrap) Disable /usr/bin/x86_64-linux-gnu-as (requested /usr/bin/as) Disable /usr/bin/x86_64-linux-gnu-as (requested /bin/as) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/cc) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/cc) Disable /usr/bin/x86_64-linux-gnu-c++filt (requested /usr/bin/c++filt) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/c++) Disable /usr/bin/x86_64-linux-gnu-c++filt (requested /bin/c++filt) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/c++) Disable /usr/bin/c89-gcc Disable /usr/bin/c89-gcc (requested /usr/bin/c89) Disable /usr/bin/c89-gcc (requested /bin/c89-gcc) Disable /usr/bin/c89-gcc (requested /bin/c89) Disable /usr/bin/c99-gcc Disable /usr/bin/c99-gcc (requested /usr/bin/c99) Disable /usr/bin/c99-gcc (requested /bin/c99-gcc) Disable /usr/bin/c99-gcc (requested /bin/c99) Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /usr/bin/cpp) Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /usr/bin/cpp-9) Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /bin/cpp) Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /bin/cpp-9) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/g++-9) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/g++-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/gcc-ar-9) Disable 
/usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/gcc-ranlib-9) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/gcc-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/gcc-nm-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/gcc-ar-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/gcc-ranlib-9) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/gcc-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/gcc-ranlib) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/gcc-nm-9) Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /usr/bin/ld) Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /bin/ld) Disable /usr/bin/c99-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-9 Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/c89-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/x86_64-linux-gnu-gcc) Disable /usr/bin/c99-gcc (requested /bin/c99-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc-9) Disable 
/usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/c89-gcc (requested /bin/c89-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++-9) Disable /usr/bin/c99-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-9 Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/c89-gcc Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/x86_64-linux-gnu-gcc) Disable /usr/bin/c99-gcc (requested /bin/c99-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc-9) Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar-9) Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar) Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib-9) Disable 
/usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib) Disable /usr/bin/c89-gcc (requested /bin/c89-gcc) Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++) Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++-9) Disable /usr/include Disable /usr/bin/openssl Disable /usr/bin/openssl (requested /bin/openssl) Disable /usr/lib/valgrind Mounting noexec /run/user/1000 1585 1580 0:25 /firejail/firejail.ro.dir /run/user/1000/systemd rw,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=392800k,mode=755,inode64 mountid=1585 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/systemd fstype=tmpfs Mounting noexec /dev/shm 1586 1311 0:68 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64 mountid=1586 fsname=/shm dir=/dev/shm fstype=tmpfs Mounting noexec /tmp 1588 1587 0:50 /.X11-unix /tmp/.X11-unix rw,noatime master:69 - tmpfs tmpfs rw,inode64 mountid=1588 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /tmp/.X11-unix 1589 1588 0:50 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,noatime master:69 - tmpfs tmpfs rw,inode64 mountid=1589 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Mounting noexec /var 1593 1590 0:59 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64 mountid=1593 fsname=/ dir=/var/tmp fstype=tmpfs Disable /usr/bin/cpan5.30-x86_64-linux-gnu Disable /usr/bin/cpan5.30-i386-linux-gnu Disable /usr/bin/cpan Disable /usr/bin/cpan5.30-x86_64-linux-gnu (requested /bin/cpan5.30-x86_64-linux-gnu) Disable /usr/bin/cpan5.30-i386-linux-gnu (requested /bin/cpan5.30-i386-linux-gnu) Disable /usr/bin/cpan (requested /bin/cpan) Disable /usr/bin/perl Disable /usr/bin/perl (requested /bin/perl) Disable /usr/bin/python2.7 Disable /usr/bin/python2.7 
(requested /usr/bin/python2) Disable /usr/bin/python2.7 (requested /bin/python2.7) Disable /usr/bin/python2.7 (requested /bin/python2) Disable /usr/lib/python2.7 Disable /usr/local/lib/python2.7 Disable /usr/bin/python3-pasteurize Disable /usr/bin/python3.8 Disable /usr/bin/python3-futurize Disable /usr/bin/python3-wsdump Disable /usr/bin/x86_64-linux-gnu-python3.8-config (requested /usr/bin/python3.8-config) Disable /usr/bin/x86_64-linux-gnu-python3.8-config (requested /usr/bin/python3-config) Disable /usr/bin/python3.8 (requested /usr/bin/python3) Disable /usr/bin/python3-pasteurize (requested /bin/python3-pasteurize) Disable /usr/bin/python3.8 (requested /bin/python3.8) Disable /usr/bin/python3-futurize (requested /bin/python3-futurize) Disable /usr/bin/python3-wsdump (requested /bin/python3-wsdump) Disable /usr/bin/x86_64-linux-gnu-python3.8-config (requested /bin/python3.8-config) Disable /usr/bin/x86_64-linux-gnu-python3.8-config (requested /bin/python3-config) Disable /usr/bin/python3.8 (requested /bin/python3) Disable /usr/lib/python3.9 Disable /usr/lib/python3.8 Disable /usr/lib/python3 Disable /usr/local/lib/python3.8 Not blacklist /home/lws/.mozilla Not blacklist /home/lws/.cache/mozilla Mounting read-only /home/lws/.config/user-dirs.dirs 1626 1376 8:2 /home/lws/.config/user-dirs.dirs /home/lws/.config/user-dirs.dirs ro,relatime master:1 - ext4 /dev/sda2 rw,discard mountid=1626 fsname=/home/lws/.config/user-dirs.dirs dir=/home/lws/.config/user-dirs.dirs fstype=ext4 Mounting read-only /tmp/.X11-unix 1627 1589 0:50 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,noatime master:69 - tmpfs tmpfs rw,inode64 mountid=1627 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs Disable /sys/fs Disable /sys/module Disable /mnt Disable /media Disable /run/mount Mounting noexec /run/firejail/mnt/pulse Creating empty /home/lws/.config/pulse directory Mounting /run/firejail/mnt/pulse on /home/lws/.config/pulse 2199 1335 0:54 /pulse /home/lws/.config/pulse 
rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64 mountid=2199 fsname=/pulse dir=/home/lws/.config/pulse fstype=tmpfs Create the new ld.so.preload file line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 01 00 00000029 jeq socket 0006 (false 0005) 0005: 06 00 00 7fff0000 ret ALLOW 0006: 20 00 00 00000010 ld data.args[0] 0007: 15 00 01 00000001 jeq 1 0008 (false 0009) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 15 00 01 00000002 jeq 2 000a (false 000b) 000a: 06 00 00 7fff0000 ret ALLOW 000b: 15 00 01 0000000a jeq a 000c (false 000d) 000c: 06 00 00 7fff0000 ret ALLOW 000d: 15 00 01 00000010 jeq 10 000e (false 000f) 000e: 06 00 00 7fff0000 ret ALLOW 000f: 06 00 00 0005005f ret ERRNO(95) line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 30 00 00000015 jeq 15 0035 (false 0005) 0005: 15 2f 00 00000034 jeq 34 0035 (false 0006) 0006: 15 2e 00 0000001a jeq 1a 0035 (false 0007) 0007: 15 2d 00 0000011b jeq 11b 0035 (false 0008) 0008: 15 2c 00 00000155 jeq 155 0035 (false 0009) 0009: 15 2b 00 00000156 jeq 156 0035 (false 000a) 000a: 15 2a 00 0000007f jeq 7f 0035 (false 000b) 000b: 15 29 00 00000080 jeq 80 0035 (false 000c) 000c: 15 28 00 0000015e jeq 15e 0035 (false 000d) 000d: 15 27 00 00000081 jeq 81 0035 (false 000e) 000e: 15 26 00 0000006e jeq 6e 0035 (false 000f) 000f: 15 25 00 00000065 jeq 65 0035 (false 0010) 0010: 15 24 00 00000121 jeq 121 0035 (false 0011) 0011: 15 23 00 00000057 jeq 57 0035 (false 0012) 0012: 15 22 00 00000073 jeq 73 0035 (false 0013) 0013: 15 21 00 00000067 jeq 67 0035 (false 0014) 0014: 15 20 00 0000015b jeq 15b 0035 (false 0015) 0015: 15 1f 00 0000015c jeq 15c 0035 (false 
0016) 0016: 15 1e 00 00000087 jeq 87 0035 (false 0017) 0017: 15 1d 00 00000095 jeq 95 0035 (false 0018) 0018: 15 1c 00 0000007c jeq 7c 0035 (false 0019) 0019: 15 1b 00 00000157 jeq 157 0035 (false 001a) 001a: 15 1a 00 000000fd jeq fd 0035 (false 001b) 001b: 15 19 00 00000150 jeq 150 0035 (false 001c) 001c: 15 18 00 00000152 jeq 152 0035 (false 001d) 001d: 15 17 00 0000015d jeq 15d 0035 (false 001e) 001e: 15 16 00 0000011e jeq 11e 0035 (false 001f) 001f: 15 15 00 0000011f jeq 11f 0035 (false 0020) 0020: 15 14 00 00000120 jeq 120 0035 (false 0021) 0021: 15 13 00 00000056 jeq 56 0035 (false 0022) 0022: 15 12 00 00000033 jeq 33 0035 (false 0023) 0023: 15 11 00 0000007b jeq 7b 0035 (false 0024) 0024: 15 10 00 000000d9 jeq d9 0035 (false 0025) 0025: 15 0f 00 000000f5 jeq f5 0035 (false 0026) 0026: 15 0e 00 000000f6 jeq f6 0035 (false 0027) 0027: 15 0d 00 000000f7 jeq f7 0035 (false 0028) 0028: 15 0c 00 000000f8 jeq f8 0035 (false 0029) 0029: 15 0b 00 000000f9 jeq f9 0035 (false 002a) 002a: 15 0a 00 00000101 jeq 101 0035 (false 002b) 002b: 15 09 00 00000112 jeq 112 0035 (false 002c) 002c: 15 08 00 00000114 jeq 114 0035 (false 002d) 002d: 15 07 00 00000126 jeq 126 0035 (false 002e) 002e: 15 06 00 0000013d jeq 13d 0035 (false 002f) 002f: 15 05 00 0000013c jeq 13c 0035 (false 0030) 0030: 15 04 00 0000003d jeq 3d 0035 (false 0031) 0031: 15 03 00 00000058 jeq 58 0035 (false 0032) 0032: 15 02 00 000000a9 jeq a9 0035 (false 0033) 0033: 15 01 00 00000082 jeq 82 0035 (false 0034) 0034: 06 00 00 7fff0000 ret ALLOW 0035: 06 00 00 00000000 ret KILL Seccomp list in: !chroot, check list: @default-keep, prelist: unknown, line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 
0007: 15 00 01 000000a1 jeq chroot 0008 (false 0009) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 15 3f 00 0000009f jeq adjtimex 0049 (false 000a) 000a: 15 3e 00 00000131 jeq clock_adjtime 0049 (false 000b) 000b: 15 3d 00 000000e3 jeq clock_settime 0049 (false 000c) 000c: 15 3c 00 000000a4 jeq settimeofday 0049 (false 000d) 000d: 15 3b 00 0000009a jeq modify_ldt 0049 (false 000e) 000e: 15 3a 00 000000d4 jeq lookup_dcookie 0049 (false 000f) 000f: 15 39 00 0000012a jeq perf_event_open 0049 (false 0010) 0010: 15 38 00 00000137 jeq process_vm_writev 0049 (false 0011) 0011: 15 37 00 000000b0 jeq delete_module 0049 (false 0012) 0012: 15 36 00 00000139 jeq finit_module 0049 (false 0013) 0013: 15 35 00 000000af jeq init_module 0049 (false 0014) 0014: 15 34 00 0000009c jeq _sysctl 0049 (false 0015) 0015: 15 33 00 000000b7 jeq afs_syscall 0049 (false 0016) 0016: 15 32 00 000000ae jeq create_module 0049 (false 0017) 0017: 15 31 00 000000b1 jeq get_kernel_syms 0049 (false 0018) 0018: 15 30 00 000000b5 jeq getpmsg 0049 (false 0019) 0019: 15 2f 00 000000b6 jeq putpmsg 0049 (false 001a) 001a: 15 2e 00 000000b2 jeq query_module 0049 (false 001b) 001b: 15 2d 00 000000b9 jeq security 0049 (false 001c) 001c: 15 2c 00 0000008b jeq sysfs 0049 (false 001d) 001d: 15 2b 00 000000b8 jeq tuxcall 0049 (false 001e) 001e: 15 2a 00 00000086 jeq uselib 0049 (false 001f) 001f: 15 29 00 00000088 jeq ustat 0049 (false 0020) 0020: 15 28 00 000000ec jeq vserver 0049 (false 0021) 0021: 15 27 00 000000ad jeq ioperm 0049 (false 0022) 0022: 15 26 00 000000ac jeq iopl 0049 (false 0023) 0023: 15 25 00 000000f6 jeq kexec_load 0049 (false 0024) 0024: 15 24 00 00000140 jeq kexec_file_load 0049 (false 0025) 0025: 15 23 00 000000a9 jeq reboot 0049 (false 0026) 0026: 15 22 00 000000a7 jeq swapon 0049 (false 0027) 0027: 15 21 00 000000a8 jeq swapoff 0049 (false 0028) 0028: 15 20 00 00000130 jeq open_by_handle_at 0049 (false 0029) 0029: 15 1f 00 0000012f jeq name_to_handle_at 0049 (false 002a) 002a: 15 1e 00 000000fb 
jeq ioprio_set 0049 (false 002b) 002b: 15 1d 00 00000067 jeq syslog 0049 (false 002c) 002c: 15 1c 00 0000012c jeq fanotify_init 0049 (false 002d) 002d: 15 1b 00 00000138 jeq kcmp 0049 (false 002e) 002e: 15 1a 00 000000f8 jeq add_key 0049 (false 002f) 002f: 15 19 00 000000f9 jeq request_key 0049 (false 0030) 0030: 15 18 00 000000ed jeq mbind 0049 (false 0031) 0031: 15 17 00 00000100 jeq migrate_pages 0049 (false 0032) 0032: 15 16 00 00000117 jeq move_pages 0049 (false 0033) 0033: 15 15 00 000000fa jeq keyctl 0049 (false 0034) 0034: 15 14 00 000000ce jeq io_setup 0049 (false 0035) 0035: 15 13 00 000000cf jeq io_destroy 0049 (false 0036) 0036: 15 12 00 000000d0 jeq io_getevents 0049 (false 0037) 0037: 15 11 00 000000d1 jeq io_submit 0049 (false 0038) 0038: 15 10 00 000000d2 jeq io_cancel 0049 (false 0039) 0039: 15 0f 00 000000d8 jeq remap_file_pages 0049 (false 003a) 003a: 15 0e 00 00000143 jeq userfaultfd 0049 (false 003b) 003b: 15 0d 00 000000a3 jeq acct 0049 (false 003c) 003c: 15 0c 00 00000141 jeq bpf 0049 (false 003d) 003d: 15 0b 00 000000a1 jeq chroot 0049 (false 003e) 003e: 15 0a 00 000000a5 jeq mount 0049 (false 003f) 003f: 15 09 00 000000b4 jeq nfsservctl 0049 (false 0040) 0040: 15 08 00 0000009b jeq pivot_root 0049 (false 0041) 0041: 15 07 00 000000ab jeq setdomainname 0049 (false 0042) 0042: 15 06 00 000000aa jeq sethostname 0049 (false 0043) 0043: 15 05 00 000000a6 jeq umount2 0049 (false 0044) 0044: 15 04 00 00000099 jeq vhangup 0049 (false 0045) 0045: 15 03 00 00000065 jeq ptrace 0049 (false 0046) 0046: 15 02 00 00000087 jeq personality 0049 (false 0047) 0047: 15 01 00 00000136 jeq process_vm_readv 0049 (false 0048) 0048: 06 00 00 7fff0000 ret ALLOW 0049: 06 00 01 00000000 ret KILL Mount the new ld.so.preload file Current directory: /home/lws Install protocol filter: unix,inet,inet6,netlink configuring 16 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print 
/run/firejail/mnt/seccomp/seccomp.protocol (null) configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32 sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 (null) Dual 32/64 bit seccomp filter configured Build default+drop seccomp filter sbox run: /run/firejail/lib/fseccomp default drop /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.postexec !chroot (null) sbox run: /run/firejail/lib/fsec-optimize /run/firejail/mnt/seccomp/seccomp (null) configuring 74 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp (null) seccomp filter configured Mounting read-only /run/firejail/mnt/seccomp Dropping all capabilities noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 1000, gid 1001, nogroups 1 No supplementary groups AppArmor enabled starting application LD_PRELOAD=(null) execvp argument 0: firefox ```

When I click on that facebook group I get the following in the console: ATTENTION: default value of option mesa_glthread overridden by environment. ATTENTION: default value of option mesa_glthread overridden by environment.

rusty-snake commented 2 years ago

Duplicate of #3219

rusty-snake commented 2 years ago

Either update firejail (to a version without vulnerabilities) or add !kcmp to seccomp.

fpusersuggest commented 2 years ago

Thanks, but how should I add it? Because if I add !kcmp in the following way: `seccomp !chroot !kcmp`, firefox doesn't start and it gives the following error: `Error: invalid syscall list entry !chroot !kcmp` and exits. If I add it in this other way:

```
seccomp !chroot
seccomp !kcmp
```

firefox freezes.

rusty-snake commented 2 years ago

`seccomp syscall,syscall,syscall`: Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.

```
seccomp !chroot,!kcmp
               ^
```
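Added example, not code from this thread or from firejail: it decodes a SECCOMP audit record of the kind in the bug description (hex `comm=`, `arch=`, `syscall=`, `sig=31`) into a syscall name using a subset of the x86_64 table taken from the filter dump above, then appends the matching `!syscall` entry to the profile's `seccomp` line in the comma-separated form the parser accepts. The sample record, the syscall subset and the entry checks in `parse_seccomp_line` are this example's own assumptions, not firejail's parser.

```python
import re

# Values of the audit "arch=" field (AUDIT_ARCH_*), the same constants the
# fsec-print dump above tests (c000003e = ARCH_64, 40000003 = ARCH_32).
AUDIT_ARCH = {"c000003e": "x86_64", "40000003": "i386"}

# x86_64 syscall numbers. Deliberately a subset: the names the 64-bit filter
# dump above sends to "ret KILL" (kcmp = 0x138 = 312). A real tool would load
# the full table from the kernel headers.
X86_64_SYSCALLS = {
    101: "ptrace", 103: "syslog", 154: "modify_ldt", 159: "adjtimex",
    161: "chroot", 164: "settimeofday", 165: "mount", 212: "lookup_dcookie",
    227: "clock_settime", 298: "perf_event_open", 305: "clock_adjtime",
    311: "process_vm_writev", 312: "kcmp", 321: "bpf", 323: "userfaultfd",
}

SIGSYS = 31  # sig=31 in the record: the signal seccomp delivers on x86

# Constructed sample in the kernel's SECCOMP audit format (pid and ip are
# made up; comm= is hex-encoded because the process name contains a space).
SAMPLE_AUDIT_LINE = (
    "audit[4242]: SECCOMP auid=1000 uid=1000 gid=1001 ses=1 "
    "subj=firejail-default pid=4242 comm=57656220436F6E74656E74 "
    'exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 '
    "compat=0 ip=0x7f1234567890 code=0x0"
)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# One list entry: optional '!' (keep allowed), then a syscall or @group name.
_ENTRY_RE = re.compile(r"^!?[@a-z_][a-z0-9_-]*$")


def decode_audit_comm(value):
    """audit quotes comm= when printable and hex-encodes it otherwise."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    except ValueError:
        return value


def parse_seccomp_audit(line):
    """Return the interesting fields of one SECCOMP audit record as a dict."""
    if "SECCOMP" not in line:
        raise ValueError("not a SECCOMP audit record")
    raw = dict(_FIELD_RE.findall(line))
    arch = AUDIT_ARCH.get(raw.get("arch", ""), "unknown")
    nr = int(raw["syscall"])
    name = X86_64_SYSCALLS.get(nr) if arch == "x86_64" else None
    return {
        "pid": int(raw["pid"]),
        "comm": decode_audit_comm(raw["comm"]),
        "exe": raw["exe"].strip('"'),
        "arch": arch,
        "syscall_nr": nr,
        "syscall": name or f"syscall#{nr}",
        "killed": raw.get("sig") == str(SIGSYS),
    }


def parse_seccomp_line(line):
    """Split a profile 'seccomp <list>' line into entries.

    Documented form: 'seccomp syscall,syscall,syscall'. A space inside an
    entry (the 'seccomp !chroot !kcmp' attempt from the thread) is rejected
    with the message firejail printed; the checks are an approximation.
    """
    keyword, _, rest = line.strip().partition(" ")
    if keyword != "seccomp":
        raise ValueError(f"not a seccomp line: {line!r}")
    entries = rest.split(",") if rest else []
    for entry in entries:
        if not _ENTRY_RE.match(entry):
            raise ValueError(f"invalid syscall list entry {entry}")
    return entries


def add_keep_entry(line, syscall):
    """Append '!<syscall>' to the list on one seccomp line (idempotent)."""
    entries = parse_seccomp_line(line)
    keep = "!" + syscall
    if keep not in entries:
        entries.append(keep)
    return "seccomp " + ",".join(entries)


def suggest_fix(audit_line, profile_line="seccomp !chroot"):
    """Propose the widened profile line for a kill record, or return it as-is.

    Only a named x86_64 syscall killed by the filter changes the line; whether
    allowing that syscall is acceptable is still the profile author's call.
    """
    event = parse_seccomp_audit(audit_line)
    if not event["killed"] or event["syscall"].startswith("syscall#"):
        return profile_line
    return add_keep_entry(profile_line, event["syscall"])
```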
kmk3 commented 2 years ago

@fpusersuggest commented on Nov 18:

> ubuntu 20.04
>
> firejail version 0.9.62

I'd suggest using a more recent version; see:

rusty-snake commented 2 years ago

https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1950683/comments/5:

The problem is discussed in https://github.com/netblue30/firejail/issues/4698 which in turn is marked as a duplicate of https://github.com/netblue30/firejail/issues/3219

The patch mentioned there solves the problem:

$ diff /etc/firejail/firefox-common.profile.orig /etc/firejail/firefox-common.profile
49c49
< seccomp !chroot
---
> seccomp !chroot,!kcmp
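Review bot: appending `!kcmp` on line 49 takes kcmp (0x138, one of the entries the 64-bit filter dump above sends to `ret KILL`) out of the blacklist, so the filter becomes one syscall wider; that is the trade-off the comment leaves open, and the thread's answer is that kcmp is required here and newer firejail keeps it allowed by default (ed142c62bf5ca01ca5a71a16282a40be8cd45409). Form-wise the single comma-separated line is the right one: `seccomp !chroot !kcmp` fails with `invalid syscall list entry`, and two separate `seccomp` lines left firefox frozen.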

Whether that's a good solution security-wise or not I cannot comment on. Upstream recommends to upgrade firejail.

  1. There's no other way, kcmp is required in those cases.
  2. Newer firejail versions do this by default (ed142c62bf5ca01ca5a71a16282a40be8cd45409).