netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

man: cannot use nvim as man pager #6112

Open ShellCode33 opened 9 months ago

ShellCode33 commented 9 months ago

Description

I'm unable to use nvim as man pager.

Steps to Reproduce

MANPAGER='nvim +Man!' firejail /usr/bin/man sendfile

Expected behavior

To show the man page.

Actual behavior

nvim: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: Permission denied
/usr/bin/man: command exited with status 127: sed -e '/^[[:space:]]*$/{ N; /^[[:space:]]*\n[[:space:]]*$/D; }' | LESS=-ix8RmPm Manual page sendfile(2) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$PM Manual page sendfile(2) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$ MAN_PN=sendfile(2) nvim +Man!

Behavior without a profile

Works fine.

Additional context

I tried to create a man.local with the following content with no luck (I'm not familiar at all with Firejail):

private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim,nvim
whitelist /usr/lib/libluajit-*

(notice the nvim at the end of the private-bin statement)

Not sure it's relevant but just in case:

$ ldd /usr/bin/nvim
        linux-vdso.so.1 (0x000060215a8b2000)
        libluv.so.1 => /usr/lib/libluv.so.1 (0x000060215a3b1000)
        libtermkey.so.1 => /usr/lib/libtermkey.so.1 (0x000060215a3a5000)
        libvterm.so.0 => /usr/lib/libvterm.so.0 (0x000060215a392000)
        libmsgpackc.so.2 => /usr/lib/libmsgpackc.so.2 (0x000060215a389000)
        libtree-sitter.so.0 => /usr/lib/libtree-sitter.so.0 (0x000060215a35b000)
        libunibilium.so.4 => /usr/lib/libunibilium.so.4 (0x000060215a346000)
        libluajit-5.1.so.2 => /usr/lib/libluajit-5.1.so.2 (0x000060215a2b3000)
        libm.so.6 => /usr/lib/libm.so.6 (0x000060215a1c6000)
        libuv.so.1 => /usr/lib/libuv.so.1 (0x000060215a192000)
        libgcc_s.so.1 => /usr/lib/libgcc_s.so.1 (0x000060215a16d000)
        libc.so.6 => /usr/lib/libc.so.6 (0x0000602159f8b000)
        /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x000060215a8b4000)

Environment

Checklist

Log

Output of LC_ALL=C firejail /path/to/program

```
See above
```

Output of LC_ALL=C firejail --debug /path/to/program

```
Leaks a lot, I can send it in private if need be
```

glitsj16 commented 9 months ago

nvim: error while loading shared libraries: libluajit-5.1.so.2: cannot open shared object file: Permission denied

Lua is blacklisted in disable-interpreters.inc (as are others):

https://github.com/netblue30/firejail/blob/8f55f6c9ab819f0a2883ea07955b0db3db859022/etc/inc/disable-interpreters.inc#L13-L20

You probably just need to allow it in the man sandbox. Try include allow-lua.inc in your man.local.

ShellCode33 commented 9 months ago

It's better now, thanks a lot!

However, I have new errors now: the man page opens but is not displayed properly:

[screenshot of the mis-rendered man page]

Here's the error I have:

Error detected while processing /etc/xdg/nvim/sysinit.vim:
line    2:
E484: Can't open file /usr/share/nvim/archlinux.vim
E484: Can't open file /usr/share/nvim/syntax/syntax.vim
E886: System error while opening ShaDa file /home/shellcode/.local/state/nvim/shada/main.shada for reading: permission denied
E303: Unable to create directory "/home/shellcode/.local/state/nvim/swap" for swap file, recovery impossible: permission denied
E303: Unable to open swap file for "[No Name]", recovery impossible

In man.local I tried to include nvim.profile, but it doesn't seem to work. Any idea?

glitsj16 commented 9 months ago

> In man.local I tried to include nvim.profile, but it doesn't seem to work. Any idea?

Yeah, that won't work, but you're on the right track. You only need to cherry-pick the nvim configuration paths and add those into man.local:

$ cat ~/.config/firejail/man.local
include allow-lua.inc

noblacklist ${HOME}/.vim
noblacklist ${HOME}/.vimrc
noblacklist ${HOME}/.cache/nvim
noblacklist ${HOME}/.config/nvim
noblacklist ${HOME}/.local/share/nvim
noblacklist ${HOME}/.local/state/nvim

whitelist /usr/share/nvim

What does that do?
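The rules glitsj16 is relying on here can be modelled in a few lines: a `noblacklist` only neutralises a `blacklist` that is read after it (man.local is read at the top of man.profile, before the disable-*.inc files, as the --debug log further down shows), a `whitelist` under /usr/share turns that directory into an allow-list (the log's "Adding whitelist top level directory /usr/share"), and `private-bin` leaves only the listed programs in the bin directories. The following is an added example, not firejail's code and not part of this issue: the profile contents it embeds are constructed stand-ins for the real /etc/firejail files, `${HOME}` expands to a constructed /home/user, only /usr/share is modelled as a whitelist top-level directory, and `private-bin` lines are treated as cumulative, all of which are simplifications of firejail's real behaviour.

```python
"""Simplified model of how firejail profile lines compose (added example,
not firejail's code). Three rules are modelled:
  1. `blacklist` hides a path unless a `noblacklist` covering it was read earlier;
  2. `whitelist` below /usr/share makes everything else under /usr/share vanish;
  3. `private-bin` keeps only the listed programs in the bin directories.
"""
from __future__ import annotations

import fnmatch
import os

# Constructed stand-ins for /etc/firejail/*; the real files are far longer.
FILES: dict[str, list[str]] = {
    "man.profile": [
        "include man.local",  # read first, so man.local's noblacklist lines come early
        "include disable-interpreters.inc",
        "include disable-programs.inc",
        "include whitelist-usr-share-common.inc",
        "private-bin man,sed,less",
    ],
    "disable-interpreters.inc": ["blacklist /usr/lib/libluajit-*"],  # stands for the lua lines
    "allow-lua.inc": ["noblacklist /usr/lib/libluajit-*"],
    "disable-programs.inc": ["blacklist ${HOME}/.local/state/nvim"],
    "whitelist-usr-share-common.inc": ["whitelist /usr/share/man", "whitelist /usr/share/groff"],
}
WHITELIST_TOPS = ("/usr/share",)  # simplification: only this top-level dir is modelled
BIN_DIRS = ("/usr/bin", "/bin", "/usr/local/bin", "/usr/sbin", "/sbin")


def read_profile(name: str, local: list[str], out: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Flatten a profile and its includes into (command, argument) pairs in read order."""
    lines = local if name == "man.local" else FILES[name]
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "include":
            read_profile(arg.strip(), local, out)
        else:
            out.append((cmd, arg.strip()))
    return out


def covers(pattern: str, path: str, home: str) -> bool:
    """True if the glob pattern names `path` or one of its ancestors."""
    pattern = pattern.replace("${HOME}", home)
    while True:
        if fnmatch.fnmatchcase(path, pattern):
            return True
        parent = os.path.dirname(path)
        if parent == path:
            return False
        path = parent


def visible(path: str, rules: list[tuple[str, str]], home: str = "/home/user") -> bool:
    """Decide whether `path` is reachable inside the sandbox under this model."""
    noblacklist: list[str] = []
    blocked = False
    tops: dict[str, list[str]] = {}
    private_bin: set[str] | None = None
    for cmd, arg in rules:
        if cmd == "noblacklist":
            noblacklist.append(arg)
        elif cmd == "blacklist":
            # order matters: only a noblacklist already read can neutralise this line
            if covers(arg, path, home) and not any(covers(n, path, home) for n in noblacklist):
                blocked = True
        elif cmd == "whitelist":
            for top in WHITELIST_TOPS:
                if arg == top or arg.startswith(top + "/"):
                    tops.setdefault(top, []).append(arg)
        elif cmd == "private-bin":
            private_bin = (private_bin or set()) | set(arg.split(","))  # assumed cumulative
    if blocked:
        return False
    for top, patterns in tops.items():
        inside = path == top or path.startswith(top + "/")
        if inside and not any(covers(p, path, home) for p in patterns):
            return False
    if private_bin is not None and os.path.dirname(path) in BIN_DIRS:
        return os.path.basename(path) in private_bin
    return True


def check(local: list[str], paths: list[str]) -> dict[str, bool]:
    """Evaluate the man sandbox with a given man.local against a list of paths."""
    return {p: visible(p, read_profile("man.profile", local, [])) for p in paths}


# A man.local that only adds nvim to private-bin, and one along the lines suggested above.
FIRST_ATTEMPT = ["private-bin man,sed,less,nvim"]
SUGGESTED = [
    "include allow-lua.inc",
    "noblacklist ${HOME}/.local/state/nvim",
    "whitelist /usr/share/nvim",
    "private-bin man,sed,less,nvim",
]
PATHS = [
    "/usr/lib/libluajit-5.1.so.2",
    "/usr/share/nvim/syntax/syntax.vim",
    "/home/user/.local/state/nvim/shada/main.shada",
    "/usr/share/man/man2/sendfile.2.gz",
    "/usr/bin/nvim",
]
```

Calling `check(FIRST_ATTEMPT, PATHS)` reports the luajit library, the nvim runtime files under /usr/share and the ShaDa directory as denied while the man page itself and /usr/bin/nvim stay visible, which matches the two error messages in this thread; `check(SUGGESTED, PATHS)` reports everything visible. The ordering rule is the one to keep in mind when editing profiles: a `noblacklist` placed after the `blacklist` it targets changes nothing, which is why the thread's fix goes into man.local (read first) rather than into a file included later.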

ShellCode33 commented 9 months ago

Still no luck; the error is different and unfortunately doesn't give much information:

/usr/bin/man: command exited with status 1: sed -e '/^[[:space:]]*$/{ N; /^[[:space:]]*\n[[:space:]]*$/D; }' | LESS=-ix8RmPm Manual page sendfile(2) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$PM Manual page sendfile(2) ?ltline %lt?L/%L.:byte %bB?s/%s..?e (END):?pB %pB\%.. (press h for help or q to quit)$ MAN_PN=sendfile(2) nvim +Man!

Here's what my man.local looks like:

private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim,nvim
include allow-lua.inc

noblacklist ${HOME}/.cache/nvim
noblacklist ${HOME}/.config/nvim
noblacklist ${HOME}/.dotfiles/.config/nvim
noblacklist ${HOME}/.local/share/nvim
noblacklist ${HOME}/.local/state/nvim

whitelist /usr/share/nvim

Is there a way to know exactly what is being denied? I tried to use something like:

MANPAGER='nvim +Man!' firejail --allow-debuggers --profile=man strace /usr/bin/man sendfile

With no luck.

Here's the output of MANPAGER='nvim +Man!' firejail --debug /usr/bin/man sendfile:

Log

```
Reading profile /etc/firejail/man.profile Building quoted command line: '/usr/bin/man' 'sendfile' Command name #man# Found man.profile profile in /etc/firejail directory Reading profile /etc/firejail/man.local Found man.local profile in /etc/firejail directory Reading profile /etc/firejail/allow-lua.inc Found allow-lua.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-common.inc Found disable-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-devel.inc Found disable-devel.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-exec.inc Found disable-exec.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-interpreters.inc Found disable-interpreters.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-programs.inc Found disable-programs.inc profile in /etc/firejail directory Reading profile /etc/firejail/disable-xdg.inc Found disable-xdg.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-runuser-common.inc Found whitelist-runuser-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-usr-share-common.inc Found whitelist-usr-share-common.inc profile in /etc/firejail directory Reading profile /etc/firejail/whitelist-var-common.inc Found whitelist-var-common.inc profile in /etc/firejail directory [profile] combined protocol list: "unix" DISPLAY is not set Parent pid 122090, child pid 122091 Enabling IPC namespace Enabling IPC namespace Initializing child process PID namespace installed Mounting tmpfs on /run/firejail/mnt directory Creating empty /run/firejail/mnt/seccomp directory Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file Creating empty /run/firejail/mnt/seccomp/seccomp.namespaces file Creating empty /run/firejail/mnt/seccomp/seccomp.namespaces.32 file Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file Creating empty 
/run/firejail/mnt/seccomp/seccomp.postexec32 file sbox run: /run/firejail/lib/fnet ifup lo Network namespace enabled, only loopback interface available Build protocol filter: unix sbox run: /run/firejail/lib/fseccomp protocol build unix /run/firejail/mnt/seccomp/seccomp.protocol Mounting /proc filesystem representing the PID namespace Basic read-only filesystem: Mounting read-only /etc 1731 1204 0:26 /@/etc /etc ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@ mountid=1731 fsname=/@/etc dir=/etc fstype=btrfs Mounting noexec /etc 1732 1731 0:26 /@/etc /etc ro,nosuid,nodev,noexec,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@ mountid=1732 fsname=/@/etc dir=/etc fstype=btrfs Mounting read-only /var 1738 1733 0:26 /@var-log /var/log rw,noatime,nodiratime master:60 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=661,subvol=/@var-log mountid=1738 fsname=/@var-log dir=/var/log fstype=btrfs Mounting read-only /var/cache/pacman/pkg 1739 1734 0:26 /@cache-pacman-pkgs /var/cache/pacman/pkg ro,noatime,nodiratime master:50 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=665,subvol=/@cache-pacman-pkgs mountid=1739 fsname=/@cache-pacman-pkgs dir=/var/cache/pacman/pkg fstype=btrfs Mounting read-only /var/lib/docker 1740 1735 0:26 /@docker /var/lib/docker ro,noatime,nodiratime master:52 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=664,subvol=/@docker mountid=1740 fsname=/@docker dir=/var/lib/docker fstype=btrfs Mounting read-only /var/lib/libvirt 1741 1736 0:26 /@libvirt /var/lib/libvirt ro,noatime,nodiratime master:54 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=663,subvol=/@libvirt mountid=1741 fsname=/@libvirt dir=/var/lib/libvirt fstype=btrfs Mounting read-only /var/tmp 1742 1737 0:26 /@var-tmp /var/tmp 
ro,noatime,nodiratime master:58 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=662,subvol=/@var-tmp mountid=1742 fsname=/@var-tmp dir=/var/tmp fstype=btrfs Mounting read-only /var/log 1743 1738 0:26 /@var-log /var/log ro,noatime,nodiratime master:60 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=661,subvol=/@var-log mountid=1743 fsname=/@var-log dir=/var/log fstype=btrfs Mounting noexec /var 1754 1753 0:26 /@var-log /var/log ro,noatime,nodiratime master:60 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=661,subvol=/@var-log mountid=1754 fsname=/@var-log dir=/var/log fstype=btrfs Mounting noexec /var/cache/pacman/pkg 1755 1746 0:26 /@cache-pacman-pkgs /var/cache/pacman/pkg ro,nosuid,nodev,noexec,noatime,nodiratime master:50 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=665,subvol=/@cache-pacman-pkgs mountid=1755 fsname=/@cache-pacman-pkgs dir=/var/cache/pacman/pkg fstype=btrfs Mounting noexec /var/lib/docker 1756 1748 0:26 /@docker /var/lib/docker ro,nosuid,nodev,noexec,noatime,nodiratime master:52 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=664,subvol=/@docker mountid=1756 fsname=/@docker dir=/var/lib/docker fstype=btrfs Mounting noexec /var/lib/libvirt 1757 1750 0:26 /@libvirt /var/lib/libvirt ro,nosuid,nodev,noexec,noatime,nodiratime master:54 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=663,subvol=/@libvirt mountid=1757 fsname=/@libvirt dir=/var/lib/libvirt fstype=btrfs Mounting noexec /var/tmp 1758 1752 0:26 /@var-tmp /var/tmp ro,nosuid,nodev,noexecWarning: file gpreconv not found ,noatime,nodiratime master:58 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=662,subvol=/@var-tmp mountid=1758 fsname=/@var-tmp dir=/var/tmp fstype=btrfs Mounting noexec /var/log 1759 1754 0:26 /@var-log /var/log ro,nosuid,nodev,noexec,noatime,nodiratime master:60 - btrfs 
/dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=661,subvol=/@var-log mountid=1759 fsname=/@var-log dir=/var/log fstype=btrfs Mounting read-only /usr 1760 1204 0:26 /@/usr /usr ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@ mountid=1760 fsname=/@/usr dir=/usr fstype=btrfs Mounting tmpfs on /var/lock Mounting tmpfs on /var/tmp Mounting tmpfs on /var/log Create the new utmp file Mount the new utmp file Generating a new machine-id installing a new /etc/machine-id Cleaning /home directory Cleaning /run/user directory Sanitizing /etc/passwd, UID_MIN 1000 Sanitizing /etc/group, GID_MIN 1000 Disable /run/firejail/sandbox Disable /run/firejail/network Disable /run/firejail/bandwidth Disable /run/firejail/name Disable /run/firejail/profile Disable /run/firejail/x11 Mounting tmpfs on /dev Process /dev/shm directory Copying files in the new bin directory Checking /usr/local/bin/apropos Checking /usr/bin/apropos sbox run: /run/firejail/lib/fcopy /usr/bin/whatis /run/firejail/mnt/bin sbox run: /run/firejail/lib/fcopy /usr/bin/apropos /run/firejail/mnt/bin Checking /usr/local/bin/bash Checking /usr/bin/bash sbox run: /run/firejail/lib/fcopy /usr/bin/bash /run/firejail/mnt/bin Checking /usr/local/bin/cat Checking /usr/bin/cat sbox run: /run/firejail/lib/fcopy /usr/bin/cat /run/firejail/mnt/bin Checking /usr/local/bin/catman Checking /usr/bin/catman sbox run: /run/firejail/lib/fcopy /usr/bin/catman /run/firejail/mnt/bin Checking /usr/local/bin/col Checking /usr/bin/col sbox run: /run/firejail/lib/fcopy /usr/bin/col /run/firejail/mnt/bin Checking /usr/local/bin/gpreconv Checking /usr/bin/gpreconv Checking /bin/gpreconv Checking /usr/games/gpreconv Checking /usr/local/games/gpreconv Checking /usr/local/sbin/gpreconv Checking /usr/sbin/gpreconv Checking /sbin/gpreconv Checking /usr/local/bin/groff Checking /usr/bin/groff sbox run: /run/firejail/lib/fcopy /usr/bin/groff /run/firejail/mnt/bin 
Checking /usr/local/bin/grotty Checking /usr/bin/grotty sbox run: /run/firejail/lib/fcopy /usr/bin/grotty /run/firejail/mnt/bin Checking /usr/local/bin/gunzip Checking /usr/bin/gunzip sbox run: /run/firejail/lib/fcopy /usr/bin/gunzip /run/firejail/mnt/bin Checking /usr/local/bin/gzip Checking /usr/bin/gzip sbox run: /run/firejail/lib/fcopy /usr/bin/gzip /run/firejail/mnt/bin Checking /usr/local/bin/less Checking /usr/bin/less sbox run: /run/firejail/lib/fcopy /usr/bin/less /run/firejail/mnt/bin Checking /usr/local/bin/man Checking /usr/bin/man sbox run: /run/firejail/lib/fcopy /usr/bin/man /run/firejail/mnt/bin Checking /usr/local/bin/most Checking /usr/bin/most sbox run: /run/firejail/lib/fcopy /usr/bin/most /run/firejail/mnt/bin Checking /usr/local/bin/nroff Checking /usr/bin/nroff sbox run: /run/firejail/lib/fcopy /usr/bin/nroff /run/firejail/mnt/bin Checking /usr/local/bin/preconv Checking /usr/bin/preconv sbox run: /run/firejail/lib/fcopy /usr/bin/preconv /run/firejail/mnt/bin Checking /usr/local/bin/sed Checking /usr/bin/sed sbox run: /run/firejail/lib/fcopy /usr/bin/sed /run/firejail/mnt/bin Checking /usr/local/bin/sh Checking /usr/bin/sh sbox run: /run/firejail/lib/fcopy /usr/bin/dash /run/firejail/mnt/bin sbox run: /run/firejail/lib/fcopy /usr/bin/sh /run/firejail/mnt/bin Checking /usr/local/bin/tbl Checking /usr/bin/tbl sbox run: /run/firejail/lib/fcopy /usr/bin/tbl /run/firejail/mnt/bin Checking /usr/local/bin/tr Checking /usr/bin/tr sbox run: /run/firejail/lib/fcopy /usr/bin/tr /run/firejail/mnt/bin Checking /usr/local/bin/troff Checking /usr/bin/troff sbox run: /run/firejail/lib/fcopy /usr/bin/troff /run/firejail/mnt/bin Checking /usr/local/bin/whatis Checking /usr/bin/whatis sbox run: /run/firejail/lib/fcopy /usr/bin/whatis /run29 programs installed in 93.30 ms /firejail/mnt/bin Checking /usr/local/bin/which Checking /usr/bin/which sbox run: /run/firejail/lib/fcopy /usr/bin/which /run/firejail/mnt/bin Checking /usr/local/bin/xtotroff Checking 
/usr/bin/xtotroff sbox run: /run/firejail/lib/fcopy /usr/bin/xtotroff /run/firejail/mnt/bin Checking /usr/local/bin/zcat Checking /usr/bin/zcat sbox run: /run/firejail/lib/fcopy /usr/bin/zcat /run/firejail/mnt/bin Checking /usr/local/bin/zsoelim Checking /usr/bin/zsoelim sbox run: /run/firejail/lib/fcopy /usr/bin/soelim /run/firejail/mnt/bin sbox run: /run/firejail/lib/fcopy /usr/bin/zsoelim /run/firejail/mnt/bin Checking /usr/local/bin/nvim Checking /usr/bin/nvim sbox run: /run/firejail/lib/fcopy /usr/bin/nvim /run/firejail/mnt/bin Checking /usr/local/bin/strace Checking /usr/bin/strace sbox run: /run/firejail/lib/fcopy /usr/bin/strace /run/firejail/mnt/bin Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin Mount-bind /run/firejail/mnt/bin on top of /usr/bin Mount-bind /run/firejail/mnt/bin on top of /bin Mount-bind /run/firejail/mnt/bin on top of /usr/local/games Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin Mount-bind /run/firejail/mnt/bin on top of /usr/sbin Mount-bind /run/firejail/mnt/bin on top of /sbin Warning: file /etc/alternatives not found. Warning: skipping alternatives for private /etc Warning: file /etc/groff not found. Warning: skipping groff for private /etc Warning: file /etc/ld.so.preload not found. Warning: skipping ld.so.preload for private /etc Warning: file /etc/locale not found. Warning: skipping locale for private /etc Warning: file /etc/locale.alias not found. Warning: skipping locale.alias for private /etc Warning: file /etc/manpath.config not found. Warning: skipping manpath.config for private /etc Warning: file /etc/selinux not found. Warning: skipping selinux for private /etc Warning: file /etc/sysless not found. 
Warning: skipping sysless for private /etc Private /etc installed in 17.42 ms Creating empty /run/firejail/mnt/dbus directory Creating empty /run/firejail/mnt/dbus/user file blacklist /run/user/1000/bus Creating empty /run/firejail/mnt/dbus/system file blacklist /run/dbus/system_bus_socket blacklist /run/firejail/dbus Mounting read-only /proc/sys Remounting /sys directory Disable /sys/firmware Disable /sys/hypervisor Disable /sys/power Disable /proc/sys/fs/binfmt_misc Disable /proc/sys/kernel/core_pattern Disable /proc/sys/kernel/modprobe Disable /proc/sysrq-trigger Disable /proc/sys/vm/panic_on_oom Disable /proc/irq Disable /proc/bus Disable /proc/timer_list Disable /proc/kallsyms Disable /usr/lib/modules (requested /lib/modules) Disable /boot Disable /run/user/1000/gnupg Disable /run/user/1000/systemd Disable /proc/kmsg Disable /mnt Disable /media Disable /run/mount Copying files in the new /etc directory: Copying /etc/fonts to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/fonts /run/firejail/mnt/etc/fonts Copying /etc/group to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/group /run/firejail/mnt/etc Copying /etc/ld.so.cache to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/ld.so.cache /run/firejail/mnt/etc Copying /etc/locale.conf to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/locale.conf /run/firejail/mnt/etc Copying /etc/login.defs to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/login.defs /run/firejail/mnt/etc Copying /etc/man_db.conf to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/man_db.conf /run/firejail/mnt/etc Copying /etc/passwd to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/passwd /run/firejail/mnt/etc Copying /etc/xdg to private /etc sbox run: /run/firejail/lib/fcopy --follow-link /etc/xdg /run/firejail/mnt/etc/xdg Mount-bind /run/firejail/mnt/etc on top of /etc Private /usr/etc installed in 0.01 ms Cannot 
find /usr/etc: No such file or directory Mount-bind /run/firejail/mnt/usretc on top of /usr/etc Cannot find /usr/etc: No such file or directory Debug 588: whitelist /usr/share/nvim Debug 609: expanded: /usr/share/nvim Debug 620: new_name: /usr/share/nvim Debug 630: dir: /usr/share Adding whitelist top level directory /usr/share Debug 588: whitelist /usr/share/groff Debug 609: expanded: /usr/share/groff Debug 620: new_name: /usr/share/groff Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/info Debug 609: expanded: /usr/share/info Debug 620: new_name: /usr/share/info Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/lintian Debug 609: expanded: /usr/share/lintian Debug 620: new_name: /usr/share/lintian Debug 630: dir: /usr/share Removed path: whitelist /usr/share/lintian new_name: /usr/share/lintian realpath: (null) No such file or directory Debug 588: whitelist /usr/share/man Debug 609: expanded: /usr/share/man Debug 620: new_name: /usr/share/man Debug 630: dir: /usr/share Debug 588: whitelist /var/cache/man Debug 609: expanded: /var/cache/man Debug 620: new_name: /var/cache/man Debug 630: dir: /var Adding whitelist top level directory /var Debug 588: whitelist ${RUNUSER}/bus Debug 609: expanded: /run/user/1000/bus Debug 620: new_name: /run/user/1000/bus Debug 630: dir: /run/user/1000 Adding whitelist top level directory /run/user/1000 Debug 588: whitelist ${RUNUSER}/dconf Debug 609: expanded: /run/user/1000/dconf Debug 620: new_name: /run/user/1000/dconf Debug 630: dir: /run/user/1000 Debug 588: whitelist ${RUNUSER}/gdm/Xauthority Debug 609: expanded: /run/user/1000/gdm/Xauthority Debug 620: new_name: /run/user/1000/gdm/Xauthority Debug 630: dir: /run/user/1000 Removed path: whitelist ${RUNUSER}/gdm/Xauthority new_name: /run/user/1000/gdm/Xauthority realpath: (null) No such file or directory Debug 588: whitelist ${RUNUSER}/ICEauthority Debug 609: expanded: /run/user/1000/ICEauthority Debug 620: new_name: /run/user/1000/ICEauthority Debug 630: 
dir: /run/user/1000 Removed path: whitelist ${RUNUSER}/ICEauthority new_name: /run/user/1000/ICEauthority realpath: (null) No such file or directory Debug 588: whitelist ${RUNUSER}/.mutter-Xwaylandauth.* Debug 609: expanded: /run/user/1000/.mutter-Xwaylandauth.* Debug 620: new_name: /run/user/1000/.mutter-Xwaylandauth.* Debug 630: dir: /run/user/1000 Removed path: whitelist ${RUNUSER}/.mutter-Xwaylandauth.* new_name: /run/user/1000/.mutter-Xwaylandauth.* realpath: (null) No such file or directory Debug 588: whitelist ${RUNUSER}/pulse/native Debug 609: expanded: /run/user/1000/pulse/native Debug 620: new_name: /run/user/1000/pulse/native Debug 630: dir: /run/user/1000 Debug 588: whitelist ${RUNUSER}/pipewire-? Debug 609: expanded: /run/user/1000/pipewire-? Debug 620: new_name: /run/user/1000/pipewire-? Debug 630: dir: /run/user/1000 Removed path: whitelist ${RUNUSER}/pipewire-? new_name: /run/user/1000/pipewire-? realpath: (null) No such file or directory Adding new profile command: whitelist /run/user/1000/pipewire-0 Debug 588: whitelist ${RUNUSER}/wayland-? Debug 609: expanded: /run/user/1000/wayland-? Debug 620: new_name: /run/user/1000/wayland-? Debug 630: dir: /run/user/1000 Removed path: whitelist ${RUNUSER}/wayland-? new_name: /run/user/1000/wayland-? 
realpath: (null) No such file or directory Adding new profile command: whitelist /run/user/1000/wayland-1 Debug 588: whitelist ${RUNUSER}/xauth_* Debug 609: expanded: /run/user/1000/xauth_* Debug 620: new_name: /run/user/1000/xauth_* Debug 630: dir: /run/user/1000 Removed path: whitelist ${RUNUSER}/xauth_* new_name: /run/user/1000/xauth_* realpath: (null) No such file or directory Debug 588: whitelist ${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] Debug 609: expanded: /run/user/1000/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] Debug 620: new_name: /run/user/1000/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] Debug 630: dir: /run/user/1000 Removed path: whitelist 
${RUNUSER}/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] new_name: /run/user/1000/[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]]-[[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]][[:xdigit:]] realpath: (null) File name too long Debug 588: whitelist /usr/share/alsa Debug 609: expanded: /usr/share/alsa Debug 620: new_name: /usr/share/alsa Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/applications Debug 609: expanded: /usr/share/applications Debug 620: new_name: /usr/share/applications Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/ca-certificates Debug 609: expanded: /usr/share/ca-certificates Debug 620: new_name: /usr/share/ca-certificates Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/crypto-policies Debug 609: expanded: /usr/share/crypto-policies Debug 620: new_name: /usr/share/crypto-policies Debug 630: dir: /usr/share Removed path: whitelist /usr/share/crypto-policies new_name: /usr/share/crypto-policies realpath: (null) No such file or directory Debug 588: whitelist /usr/share/cursors Debug 609: expanded: /usr/share/cursors Debug 620: new_name: /usr/share/cursors Debug 630: dir: /usr/share Removed path: whitelist /usr/share/cursors new_name: /usr/share/cursors realpath: (null) No such file or directory Debug 588: whitelist /usr/share/dconf Debug 609: expanded: /usr/share/dconf Debug 620: new_name: /usr/share/dconf 
Debug 630: dir: /usr/share Removed path: whitelist /usr/share/dconf new_name: /usr/share/dconf realpath: (null) No such file or directory Debug 588: whitelist /usr/share/distro-info Debug 609: expanded: /usr/share/distro-info Debug 620: new_name: /usr/share/distro-info Debug 630: dir: /usr/share Removed path: whitelist /usr/share/distro-info new_name: /usr/share/distro-info realpath: (null) No such file or directory Debug 588: whitelist /usr/share/drirc.d Debug 609: expanded: /usr/share/drirc.d Debug 620: new_name: /usr/share/drirc.d Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/egl Debug 609: expanded: /usr/share/egl Debug 620: new_name: /usr/share/egl Debug 630: dir: /usr/share Removed path: whitelist /usr/share/egl new_name: /usr/share/egl realpath: (null) No such file or directory Debug 588: whitelist /usr/share/enchant Debug 609: expanded: /usr/share/enchant Debug 620: new_name: /usr/share/enchant Debug 630: dir: /usr/share Removed path: whitelist /usr/share/enchant new_name: /usr/share/enchant realpath: (null) No such file or directory Debug 588: whitelist /usr/share/enchant-2 Debug 609: expanded: /usr/share/enchant-2 Debug 620: new_name: /usr/share/enchant-2 Debug 630: dir: /usr/share Removed path: whitelist /usr/share/enchant-2 new_name: /usr/share/enchant-2 realpath: (null) No such file or directory Debug 588: whitelist /usr/share/file Debug 609: expanded: /usr/share/file Debug 620: new_name: /usr/share/file Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/fontconfig Debug 609: expanded: /usr/share/fontconfig Debug 620: new_name: /usr/share/fontconfig Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/fonts Debug 609: expanded: /usr/share/fonts Debug 620: new_name: /usr/share/fonts Debug 630: dir: /usr/share Debug 588: whitelist /usr/share/fonts-config Debug 609: expanded: /usr/share/fonts-config Debug 620: new_name: /usr/share/fonts-config Debug 630: dir: /usr/share Removed path: whitelist /usr/share/fonts-config new_name: 
/usr/share/fonts-config
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/gir-1.0
Debug 609: expanded: /usr/share/gir-1.0
Debug 620: new_name: /usr/share/gir-1.0
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/gjs-1.0
Debug 609: expanded: /usr/share/gjs-1.0
Debug 620: new_name: /usr/share/gjs-1.0
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/gjs-1.0
    new_name: /usr/share/gjs-1.0
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/glib-2.0
Debug 609: expanded: /usr/share/glib-2.0
Debug 620: new_name: /usr/share/glib-2.0
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/glvnd
Debug 609: expanded: /usr/share/glvnd
Debug 620: new_name: /usr/share/glvnd
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/gtk-2.0
Debug 609: expanded: /usr/share/gtk-2.0
Debug 620: new_name: /usr/share/gtk-2.0
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/gtk-3.0
Debug 609: expanded: /usr/share/gtk-3.0
Debug 620: new_name: /usr/share/gtk-3.0
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/gtk-engines
Debug 609: expanded: /usr/share/gtk-engines
Debug 620: new_name: /usr/share/gtk-engines
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/gtk-engines
    new_name: /usr/share/gtk-engines
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/gtksourceview-3.0
Debug 609: expanded: /usr/share/gtksourceview-3.0
Debug 620: new_name: /usr/share/gtksourceview-3.0
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/gtksourceview-3.0
    new_name: /usr/share/gtksourceview-3.0
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/gtksourceview-4
Debug 609: expanded: /usr/share/gtksourceview-4
Debug 620: new_name: /usr/share/gtksourceview-4
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/hunspell
Debug 609: expanded: /usr/share/hunspell
Debug 620: new_name: /usr/share/hunspell
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/hunspell
    new_name: /usr/share/hunspell
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/hwdata
Debug 609: expanded: /usr/share/hwdata
Debug 620: new_name: /usr/share/hwdata
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/icons
Debug 609: expanded: /usr/share/icons
Debug 620: new_name: /usr/share/icons
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/icu
Debug 609: expanded: /usr/share/icu
Debug 620: new_name: /usr/share/icu
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/knotifications5
Debug 609: expanded: /usr/share/knotifications5
Debug 620: new_name: /usr/share/knotifications5
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/knotifications5
    new_name: /usr/share/knotifications5
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/kservices5
Debug 609: expanded: /usr/share/kservices5
Debug 620: new_name: /usr/share/kservices5
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/kservices5
    new_name: /usr/share/kservices5
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/Kvantum
Debug 609: expanded: /usr/share/Kvantum
Debug 620: new_name: /usr/share/Kvantum
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/Kvantum
    new_name: /usr/share/Kvantum
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/kxmlgui5
Debug 609: expanded: /usr/share/kxmlgui5
Debug 620: new_name: /usr/share/kxmlgui5
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/kxmlgui5
    new_name: /usr/share/kxmlgui5
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/libdrm
Debug 609: expanded: /usr/share/libdrm
Debug 620: new_name: /usr/share/libdrm
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/libthai
Debug 609: expanded: /usr/share/libthai
Debug 620: new_name: /usr/share/libthai
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/locale
Debug 609: expanded: /usr/share/locale
Debug 620: new_name: /usr/share/locale
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/mime
Debug 609: expanded: /usr/share/mime
Debug 620: new_name: /usr/share/mime
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/misc
Debug 609: expanded: /usr/share/misc
Debug 620: new_name: /usr/share/misc
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/Modules
Debug 609: expanded: /usr/share/Modules
Debug 620: new_name: /usr/share/Modules
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/Modules
    new_name: /usr/share/Modules
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/myspell
Debug 609: expanded: /usr/share/myspell
Debug 620: new_name: /usr/share/myspell
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/myspell
    new_name: /usr/share/myspell
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/p11-kit
Debug 609: expanded: /usr/share/p11-kit
Debug 620: new_name: /usr/share/p11-kit
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/perl
Debug 609: expanded: /usr/share/perl
Debug 620: new_name: /usr/share/perl
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/perl
    new_name: /usr/share/perl
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/perl5
Debug 609: expanded: /usr/share/perl5
Debug 620: new_name: /usr/share/perl5
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/pipewire
Debug 609: expanded: /usr/share/pipewire
Debug 620: new_name: /usr/share/pipewire
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/pixmaps
Debug 609: expanded: /usr/share/pixmaps
Debug 620: new_name: /usr/share/pixmaps
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/pki
Debug 609: expanded: /usr/share/pki
Debug 620: new_name: /usr/share/pki
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/pki
    new_name: /usr/share/pki
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/plasma
Debug 609: expanded: /usr/share/plasma
Debug 620: new_name: /usr/share/plasma
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/plasma
    new_name: /usr/share/plasma
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/publicsuffix
Debug 609: expanded: /usr/share/publicsuffix
Debug 620: new_name: /usr/share/publicsuffix
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/publicsuffix
    new_name: /usr/share/publicsuffix
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/qt
Debug 609: expanded: /usr/share/qt
Debug 620: new_name: /usr/share/qt
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/qt4
Debug 609: expanded: /usr/share/qt4
Debug 620: new_name: /usr/share/qt4
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/qt4
    new_name: /usr/share/qt4
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/qt5
Debug 609: expanded: /usr/share/qt5
Debug 620: new_name: /usr/share/qt5
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/qt5
    new_name: /usr/share/qt5
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/qt5ct
Debug 609: expanded: /usr/share/qt5ct
Debug 620: new_name: /usr/share/qt5ct
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/qt5ct
    new_name: /usr/share/qt5ct
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/qt6
Debug 609: expanded: /usr/share/qt6
Debug 620: new_name: /usr/share/qt6
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/qt6ct
Debug 609: expanded: /usr/share/qt6ct
Debug 620: new_name: /usr/share/qt6ct
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/qt6ct
    new_name: /usr/share/qt6ct
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/sounds
Debug 609: expanded: /usr/share/sounds
Debug 620: new_name: /usr/share/sounds
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/tcl8.6
Debug 609: expanded: /usr/share/tcl8.6
Debug 620: new_name: /usr/share/tcl8.6
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/tcl8.6
    new_name: /usr/share/tcl8.6
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/tcltk
Debug 609: expanded: /usr/share/tcltk
Debug 620: new_name: /usr/share/tcltk
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/tcltk
    new_name: /usr/share/tcltk
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/terminfo
Debug 609: expanded: /usr/share/terminfo
Debug 620: new_name: /usr/share/terminfo
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/texlive
Debug 609: expanded: /usr/share/texlive
Debug 620: new_name: /usr/share/texlive
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/texlive
    new_name: /usr/share/texlive
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/texmf
Debug 609: expanded: /usr/share/texmf
Debug 620: new_name: /usr/share/texmf
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/texmf
    new_name: /usr/share/texmf
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/themes
Debug 609: expanded: /usr/share/themes
Debug 620: new_name: /usr/share/themes
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/thumbnail.so
Debug 609: expanded: /usr/share/thumbnail.so
Debug 620: new_name: /usr/share/thumbnail.so
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/thumbnail.so
    new_name: /usr/share/thumbnail.so
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/uim
Debug 609: expanded: /usr/share/uim
Debug 620: new_name: /usr/share/uim
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/uim
    new_name: /usr/share/uim
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/vulkan
Debug 609: expanded: /usr/share/vulkan
Debug 620: new_name: /usr/share/vulkan
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/X11
Debug 609: expanded: /usr/share/X11
Debug 620: new_name: /usr/share/X11
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/xml
Debug 609: expanded: /usr/share/xml
Debug 620: new_name: /usr/share/xml
Debug 630: dir: /usr/share
Debug 588: whitelist /usr/share/zenity
Debug 609: expanded: /usr/share/zenity
Debug 620: new_name: /usr/share/zenity
Debug 630: dir: /usr/share
Removed path: whitelist /usr/share/zenity
    new_name: /usr/share/zenity
    realpath: (null)
    No such file or directory
Debug 588: whitelist /usr/share/zoneinfo
Debug 609: expanded: /usr/share/zoneinfo
Debug 620: new_name: /usr/share/zoneinfo
Debug 630: dir: /usr/share
Debug 588: whitelist /var/lib/aspell
Debug 609: expanded: /var/lib/aspell
Debug 620: new_name: /var/lib/aspell
Debug 630: dir: /var
Removed path: whitelist /var/lib/aspell
    new_name: /var/lib/aspell
    realpath: (null)
    No such file or directory
Debug 588: whitelist /var/lib/ca-certificates
Debug 609: expanded: /var/lib/ca-certificates
Debug 620: new_name: /var/lib/ca-certificates
Debug 630: dir: /var
Removed path: whitelist /var/lib/ca-certificates
    new_name: /var/lib/ca-certificates
    realpath: (null)
    No such file or directory
Debug 588: whitelist /var/lib/dbus
Debug 609: expanded: /var/lib/dbus
Debug 620: new_name: /var/lib/dbus
Debug 630: dir: /var
Debug 588: whitelist /var/lib/menu-xdg
Debug 609: expanded: /var/lib/menu-xdg
Debug 620: new_name: /var/lib/menu-xdg
Debug 630: dir: /var
Removed path: whitelist /var/lib/menu-xdg
    new_name: /var/lib/menu-xdg
    realpath: (null)
    No such file or directory
Debug 588: whitelist /var/lib/uim
Debug 609: expanded: /var/lib/uim
Debug 620: new_name: /var/lib/uim
Debug 630: dir: /var
Removed path: whitelist /var/lib/uim
    new_name: /var/lib/uim
    realpath: (null)
    No such file or directory
Debug 588: whitelist /var/cache/fontconfig
Debug 609: expanded: /var/cache/fontconfig
Debug 620: new_name: /var/cache/fontconfig
Debug 630: dir: /var
Debug 588: whitelist /var/tmp
Debug 609: expanded: /var/tmp
Debug 620: new_name: /var/tmp
Debug 630: dir: /var
Debug 588: whitelist /var/run
Debug 609: expanded: /var/run
Debug 620: new_name: /var/run
Debug 630: dir: /var
Debug 588: whitelist /var/lock
Debug 609: expanded: /var/lock
Debug 620: new_name: /var/lock
Debug 630: dir: /var
Debug 588: whitelist /run/user/1000/pipewire-0
Debug 609: expanded: /run/user/1000/pipewire-0
Debug 620: new_name: /run/user/1000/pipewire-0
Debug 630: dir: /run/user/1000
Debug 588: whitelist /run/user/1000/wayland-1
Debug 609: expanded: /run/user/1000/wayland-1
Debug 620: new_name: /run/user/1000/wayland-1
Debug 630: dir: /run/user/1000
Mounting tmpfs on /usr/share, check owner: no
1817 1760 0:207 / /usr/share rw,nosuid,nodev,noatime,nodiratime - tmpfs tmpfs rw,mode=755,inode64
mountid=1817 fsname=/ dir=/usr/share fstype=tmpfs
Mounting tmpfs on /var, check owner: no
1818 1744 0:208 / /var rw,nosuid,nodev,noexec,noatime,nodiratime - tmpfs tmpfs rw,mode=755,inode64
mountid=1818 fsname=/ dir=/var fstype=tmpfs
Mounting tmpfs on /run/user/1000, check owner: no
1819 1771 0:209 / /run/user/1000 rw,nosuid,nodev,relatime - tmpfs tmpfs rw,mode=700,uid=1000,gid=1000,inode64
mountid=1819 fsname=/ dir=/run/user/1000 fstype=tmpfs
Whitelisting /usr/share/nvim
1820 1817 0:26 /@/usr/share/nvim /usr/share/nvim ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1820 fsname=/@/usr/share/nvim dir=/usr/share/nvim fstype=btrfs
Whitelisting /usr/share/groff
1821 1817 0:26 /@/usr/share/groff /usr/share/groff ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1821 fsname=/@/usr/share/groff dir=/usr/share/groff fstype=btrfs
Whitelisting /usr/share/info
1822 1817 0:26 /@/usr/share/info /usr/share/info ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1822 fsname=/@/usr/share/info dir=/usr/share/info fstype=btrfs
Whitelisting /usr/share/man
1823 1817 0:26 /@/usr/share/man /usr/share/man ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1823 fsname=/@/usr/share/man dir=/usr/share/man fstype=btrfs
Whitelisting /var/cache/man
1824 1818 0:26 /@var/cache/man /var/cache/man ro,nosuid,nodev,noexec,noatime,nodiratime master:46 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=660,subvol=/@var
mountid=1824 fsname=/@var/cache/man dir=/var/cache/man fstype=btrfs
Whitelisting /run/user/1000/bus
1825 1819 0:23 /firejail/firejail.ro.file /run/user/1000/bus ro,nosuid,nodev,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1825 fsname=/firejail/firejail.ro.file dir=/run/user/1000/bus fstype=tmpfs
Whitelisting /run/user/1000/dconf
1826 1819 0:53 /dconf /run/user/1000/dconf rw,nosuid,nodev,relatime master:248 - tmpfs tmpfs rw,size=1211456k,nr_inodes=302864,mode=700,uid=1000,gid=1000,inode64
mountid=1826 fsname=/dconf dir=/run/user/1000/dconf fstype=tmpfs
Whitelisting /run/user/1000/pulse/native
1827 1819 0:53 /pulse/native /run/user/1000/pulse/native rw,nosuid,nodev,relatime master:248 - tmpfs tmpfs rw,size=1211456k,nr_inodes=302864,mode=700,uid=1000,gid=1000,inode64
mountid=1827 fsname=/pulse/native dir=/run/user/1000/pulse/native fstype=tmpfs
Whitelisting /usr/share/alsa
1828 1817 0:26 /@/usr/share/alsa /usr/share/alsa ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1828 fsname=/@/usr/share/alsa dir=/usr/share/alsa fstype=btrfs
Whitelisting /usr/share/applications
1829 1817 0:26 /@/usr/share/applications /usr/share/applications ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1829 fsname=/@/usr/share/applications dir=/usr/share/applications fstype=btrfs
Whitelisting /usr/share/ca-certificates
1830 1817 0:26 /@/usr/share/ca-certificates /usr/share/ca-certificates ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1830 fsname=/@/usr/share/ca-certificates dir=/usr/share/ca-certificates fstype=btrfs
Whitelisting /usr/share/drirc.d
1831 1817 0:26 /@/usr/share/drirc.d /usr/share/drirc.d ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1831 fsname=/@/usr/share/drirc.d dir=/usr/share/drirc.d fstype=btrfs
Whitelisting /usr/share/file
1832 1817 0:26 /@/usr/share/file /usr/share/file ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1832 fsname=/@/usr/share/file dir=/usr/share/file fstype=btrfs
Whitelisting /usr/share/fontconfig
1833 1817 0:26 /@/usr/share/fontconfig /usr/share/fontconfig ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1833 fsname=/@/usr/share/fontconfig dir=/usr/share/fontconfig fstype=btrfs
Whitelisting /usr/share/fonts
1834 1817 0:26 /@/usr/share/fonts /usr/share/fonts ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1834 fsname=/@/usr/share/fonts dir=/usr/share/fonts fstype=btrfs
Whitelisting /usr/share/gir-1.0
1835 1817 0:26 /@/usr/share/gir-1.0 /usr/share/gir-1.0 ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1835 fsname=/@/usr/share/gir-1.0 dir=/usr/share/gir-1.0 fstype=btrfs
Whitelisting /usr/share/glib-2.0
1836 1817 0:26 /@/usr/share/glib-2.0 /usr/share/glib-2.0 ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1836 fsname=/@/usr/share/glib-2.0 dir=/usr/share/glib-2.0 fstype=btrfs
Whitelisting /usr/share/glvnd
1837 1817 0:26 /@/usr/share/glvnd /usr/share/glvnd ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1837 fsname=/@/usr/share/glvnd dir=/usr/share/glvnd fstype=btrfs
Whitelisting /usr/share/gtk-2.0
1838 1817 0:26 /@/usr/share/gtk-2.0 /usr/share/gtk-2.0 ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1838 fsname=/@/usr/share/gtk-2.0 dir=/usr/share/gtk-2.0 fstype=btrfs
Whitelisting /usr/share/gtk-3.0
1839 1817 0:26 /@/usr/share/gtk-3.0 /usr/share/gtk-3.0 ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1839 fsname=/@/usr/share/gtk-3.0 dir=/usr/share/gtk-3.0 fstype=btrfs
Whitelisting /usr/share/gtksourceview-4
1840 1817 0:26 /@/usr/share/gtksourceview-4 /usr/share/gtksourceview-4 ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1840 fsname=/@/usr/share/gtksourceview-4 dir=/usr/share/gtksourceview-4 fstype=btrfs
Whitelisting /usr/share/hwdata
1841 1817 0:26 /@/usr/share/hwdata /usr/share/hwdata ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1841 fsname=/@/usr/share/hwdata dir=/usr/share/hwdata fstype=btrfs
Whitelisting /usr/share/icons
1842 1817 0:26 /@/usr/share/icons /usr/share/icons ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1842 fsname=/@/usr/share/icons dir=/usr/share/icons fstype=btrfs
Whitelisting /usr/share/icu
1843 1817 0:26 /@/usr/share/icu /usr/share/icu ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1843 fsname=/@/usr/share/icu dir=/usr/share/icu fstype=btrfs
Whitelisting /usr/share/libdrm
1844 1817 0:26 /@/usr/share/libdrm /usr/share/libdrm ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1844 fsname=/@/usr/share/libdrm dir=/usr/share/libdrm fstype=btrfs
Whitelisting /usr/share/libthai
1845 1817 0:26 /@/usr/share/libthai /usr/share/libthai ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1845 fsname=/@/usr/share/libthai dir=/usr/share/libthai fstype=btrfs
Whitelisting /usr/share/locale
1846 1817 0:26 /@/usr/share/locale /usr/share/locale ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1846 fsname=/@/usr/share/locale dir=/usr/share/locale fstype=btrfs
Whitelisting /usr/share/mime
1847 1817 0:26 /@/usr/share/mime /usr/share/mime ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1847 fsname=/@/usr/share/mime dir=/usr/share/mime fstype=btrfs
Whitelisting /usr/share/misc
1848 1817 0:26 /@/usr/share/misc /usr/share/misc ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1848 fsname=/@/usr/share/misc dir=/usr/share/misc fstype=btrfs
Whitelisting /usr/share/p11-kit
1849 1817 0:26 /@/usr/share/p11-kit /usr/share/p11-kit ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1849 fsname=/@/usr/share/p11-kit dir=/usr/share/p11-kit fstype=btrfs
Whitelisting /usr/share/perl5
1850 1817 0:26 /@/usr/share/perl5 /usr/share/perl5 ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1850 fsname=/@/usr/share/perl5 dir=/usr/share/perl5 fstype=btrfs
Whitelisting /usr/share/pipewire
1851 1817 0:26 /@/usr/share/pipewire /usr/share/pipewire ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1851 fsname=/@/usr/share/pipewire dir=/usr/share/pipewire fstype=btrfs
Whitelisting /usr/share/pixmaps
1852 1817 0:26 /@/usr/share/pixmaps /usr/share/pixmaps ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1852 fsname=/@/usr/share/pixmaps dir=/usr/share/pixmaps fstype=btrfs
Whitelisting /usr/share/qt
1853 1817 0:26 /@/usr/share/qt /usr/share/qt ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1853 fsname=/@/usr/share/qt dir=/usr/share/qt fstype=btrfs
Whitelisting /usr/share/qt6
1854 1817 0:26 /@/usr/share/qt6 /usr/share/qt6 ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1854 fsname=/@/usr/share/qt6 dir=/usr/share/qt6 fstype=btrfs
Whitelisting /usr/share/sounds
1855 1817 0:26 /@/usr/share/sounds /usr/share/sounds ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1855 fsname=/@/usr/share/sounds dir=/usr/share/sounds fstype=btrfs
Whitelisting /usr/share/terminfo
1856 1817 0:26 /@/usr/share/terminfo /usr/share/terminfo ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1856 fsname=/@/usr/share/terminfo dir=/usr/share/terminfo fstype=btrfs
Whitelisting /usr/share/themes
1857 1817 0:26 /@/usr/share/themes /usr/share/themes ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1857 fsname=/@/usr/share/themes dir=/usr/share/themes fstype=btrfs
Whitelisting /usr/share/vulkan
1858 1817 0:26 /@/usr/share/vulkan /usr/share/vulkan ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1858 fsname=/@/usr/share/vulkan dir=/usr/share/vulkan fstype=btrfs
Whitelisting /usr/share/X11
1859 1817 0:26 /@/usr/share/X11 /usr/share/X11 ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1859 fsname=/@/usr/share/X11 dir=/usr/share/X11 fstype=btrfs
Whitelisting /usr/share/xml
1860 1817 0:26 /@/usr/share/xml /usr/share/xml ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1860 fsname=/@/usr/share/xml dir=/usr/share/xml fstype=btrfs
Whitelisting /usr/share/zoneinfo
1861 1817 0:26 /@/usr/share/zoneinfo /usr/share/zoneinfo ro,noatime,nodiratime master:1 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=256,subvol=/@
mountid=1861 fsname=/@/usr/share/zoneinfo dir=/usr/share/zoneinfo fstype=btrfs
Whitelisting /var/lib/dbus
1862 1818 0:26 /@var/lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,noatime,nodiratime master:46 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=660,subvol=/@var
mountid=1862 fsname=/@var/lib/dbus dir=/var/lib/dbus fstype=btrfs
Whitelisting /var/cache/fontconfig
1863 1818 0:26 /@var/cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,noatime,nodiratime master:46 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=660,subvol=/@var
mountid=1863 fsname=/@var/cache/fontconfig dir=/var/cache/fontconfig fstype=btrfs
Whitelisting /var/tmp
1864 1818 0:199 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64
mountid=1864 fsname=/ dir=/var/tmp fstype=tmpfs
Created symbolic link /var/run -> /run
Created symbolic link /var/lock -> /run/lock
Whitelisting /run/user/1000/pipewire-0
1865 1819 0:53 /pipewire-0 /run/user/1000/pipewire-0 rw,nosuid,nodev,relatime master:248 - tmpfs tmpfs rw,size=1211456k,nr_inodes=302864,mode=700,uid=1000,gid=1000,inode64
mountid=1865 fsname=/pipewire-0 dir=/run/user/1000/pipewire-0 fstype=tmpfs
Whitelisting /run/user/1000/wayland-1
1866 1819 0:53 /wayland-1 /run/user/1000/wayland-1 rw,nosuid,nodev,relatime master:248 - tmpfs tmpfs rw,size=1211456k,nr_inodes=302864,mode=700,uid=1000,gid=1000,inode64
mountid=1866 fsname=/wayland-1 dir=/run/user/1000/wayland-1 fstype=tmpfs
Disable /run/user/1000
Not blacklist /home/shellcode/.local/share/nvim
Not blacklist /home/shellcode/.local/state/nvim
Disable /home/shellcode/.dotfiles/.config/sway (requested /home/shellcode/.config/sway)
Disable /etc/xdg/autostart
Warning (blacklisting): cannot open /run/user/1000/*.slave-socket: Permission denied
Warning (blacklisting): cannot open /run/user/1000/kdeinit5__*: Permission denied
Warning (blacklisting): cannot open /run/user/1000/kdesud_*: Permission denied
Mounting read-only /home/shellcode/.config/dconf
1870 1769 0:26 /@home/shellcode/.config/dconf /home/shellcode/.config/dconf ro,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1870 fsname=/@home/shellcode/.config/dconf dir=/home/shellcode/.config/dconf fstype=btrfs
Warning (blacklisting): cannot open /run/user/1000/gnome-session-leader-fifo: Permission denied
Warning (blacklisting): cannot open /run/user/1000/gnome-shell: Permission denied
Warning (blacklisting): cannot open /run/user/1000/gsconnect: Permission denied
Disable /home/shellcode/.config/systemd
Disable /home/shellcode/.local/share/systemd
Warning (blacklisting): cannot open /run/user/1000/systemd: Permission denied
Warning (blacklisting): cannot open /run/user/1000/libvirt: Permission denied
Warning (blacklisting): cannot open /run/user/1000/containers: Permission denied
Warning (blacklisting): cannot open /run/user/1000/crun: Permission denied
Warning (blacklisting): cannot open /run/user/1000/libpod: Permission denied
Warning (blacklisting): cannot open /run/user/1000/runc: Permission denied
Warning (blacklisting): cannot open /run/user/1000/toolbox: Permission denied
Disable /run/docker.sock (requested /var/run/docker.sock)
Mounting read-only /home/shellcode/.bash_logout
1874 1769 0:26 /@home/shellcode/.bash_logout /home/shellcode/.bash_logout ro,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1874 fsname=/@home/shellcode/.bash_logout dir=/home/shellcode/.bash_logout fstype=btrfs
Mounting read-only /home/shellcode/.bash_profile
1875 1769 0:26 /@home/shellcode/.bash_profile /home/shellcode/.bash_profile ro,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1875 fsname=/@home/shellcode/.bash_profile dir=/home/shellcode/.bash_profile fstype=btrfs
Mounting read-only /home/shellcode/.bashrc
1876 1769 0:26 /@home/shellcode/.bashrc /home/shellcode/.bashrc ro,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1876 fsname=/@home/shellcode/.bashrc dir=/home/shellcode/.bashrc fstype=btrfs
Mounting read-only /home/shellcode/.dotfiles/.profile
1877 1769 0:26 /@home/shellcode/.dotfiles/.profile /home/shellcode/.dotfiles/.profile ro,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1877 fsname=/@home/shellcode/.dotfiles/.profile dir=/home/shellcode/.dotfiles/.profile fstype=btrfs
Mounting read-only /home/shellcode/.ssh/config
1878 1769 0:26 /@home/shellcode/.ssh/config /home/shellcode/.ssh/config ro,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1878 fsname=/@home/shellcode/.ssh/config dir=/home/shellcode/.ssh/config fstype=btrfs
Mounting read-only /home/shellcode/.dotfiles/.config/nvim
1879 1769 0:26 /@home/shellcode/.dotfiles/.config/nvim /home/shellcode/.dotfiles/.config/nvim ro,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1879 fsname=/@home/shellcode/.dotfiles/.config/nvim dir=/home/shellcode/.dotfiles/.config/nvim fstype=btrfs
Mounting read-only /home/shellcode/.dotfiles
1883 1880 0:26 /@home/shellcode/.dotfiles/.config/nvim /home/shellcode/.dotfiles/.config/nvim ro,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1883 fsname=/@home/shellcode/.dotfiles/.config/nvim dir=/home/shellcode/.dotfiles/.config/nvim fstype=btrfs
Mounting read-only /home/shellcode/.local/share/nvim
1884 1769 0:26 /@home/shellcode/.local/share/nvim /home/shellcode/.local/share/nvim ro,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1884 fsname=/@home/shellcode/.local/share/nvim dir=/home/shellcode/.local/share/nvim fstype=btrfs
Mounting read-only /home/shellcode/.local/state/nvim
1885 1769 0:26 /@home/shellcode/.local/state/nvim /home/shellcode/.local/state/nvim ro,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1885 fsname=/@home/shellcode/.local/state/nvim dir=/home/shellcode/.local/state/nvim fstype=btrfs
Mounting read-only /home/shellcode/.cargo/bin
1886 1769 0:26 /@home/shellcode/.cargo/bin /home/shellcode/.cargo/bin ro,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1886 fsname=/@home/shellcode/.cargo/bin dir=/home/shellcode/.cargo/bin fstype=btrfs
Mounting read-only /home/shellcode/.rustup
1887 1769 0:26 /@home/shellcode/.rustup /home/shellcode/.rustup ro,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1887 fsname=/@home/shellcode/.rustup dir=/home/shellcode/.rustup fstype=btrfs
Disable /tmp/ssh-XXXXXX409B7Q
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Disable /home/shellcode/.gnupg
Disable /home/shellcode/.local/share/pki
Disable /home/shellcode/.pki
Disable /home/shellcode/.ssh
Disable /usr/local/sbin
Disable /usr/local/bin/strace
Disable /usr/bin/strace
Disable /usr/lib/ssh
Disable /usr/lib/dbus-1.0/dbus-daemon-launch-helper
Disable /usr/lib/chromium/chrome-sandbox
Disable /.snapshots
Warning (blacklisting): cannot open /run/user/1000/.dbus-proxy: Permission denied
Warning (blacklisting): cannot open /run/user/1000/.flatpak: Permission denied
Warning (blacklisting): cannot open /run/user/1000/.flatpak-cache: Permission denied
Warning (blacklisting): cannot open /run/user/1000/.flatpak-helper: Permission denied
Warning (blacklisting): cannot open /run/user/1000/app: Permission denied
Warning (blacklisting): cannot open /run/user/1000/doc: Permission denied
Warning (blacklisting): cannot open /run/user/1000/snapd-session-agent.socket: Permission denied
Disable /proc/config.gz
Warning (blacklisting): cannot open /run/user/1000/*.lock: Permission denied
Warning (blacklisting): cannot open /run/user/1000/inaccessible: Permission denied
Warning (blacklisting): cannot open /run/user/1000/pk-debconf-socket: Permission denied
Warning (blacklisting): cannot open /run/user/1000/update-notifier.pid: Permission denied
Not blacklist /home/shellcode/.rustup
Disable /usr/src
Disable /usr/local/src
Not blacklist /usr/include
Disable /usr/local/include
Mounting noexec /home/shellcode
1926 1904 0:23 /firejail/firejail.ro.dir /home/shellcode/.ssh ro,nosuid,nodev,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1926 fsname=/firejail/firejail.ro.dir dir=/home/shellcode/.ssh fstype=tmpfs
Mounting noexec /home/shellcode/.dotfiles/.config/sway
1927 1916 0:23 /firejail/firejail.ro.dir /home/shellcode/.dotfiles/.config/sway ro,nosuid,nodev,noexec,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1927 fsname=/firejail/firejail.ro.dir dir=/home/shellcode/.dotfiles/.config/sway fstype=tmpfs
Mounting noexec /home/shellcode/.config/dconf
1928 1906 0:26 /@home/shellcode/.config/dconf /home/shellcode/.config/dconf ro,nosuid,nodev,noexec,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1928 fsname=/@home/shellcode/.config/dconf dir=/home/shellcode/.config/dconf fstype=btrfs
Mounting noexec /home/shellcode/.config/systemd
1929 1907 0:23 /firejail/firejail.ro.dir /home/shellcode/.config/systemd ro,nosuid,nodev,noexec,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1929 fsname=/firejail/firejail.ro.dir dir=/home/shellcode/.config/systemd fstype=tmpfs
Mounting noexec /home/shellcode/.local/share/systemd
1930 1908 0:23 /firejail/firejail.ro.dir /home/shellcode/.local/share/systemd ro,nosuid,nodev,noexec,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1930 fsname=/firejail/firejail.ro.dir dir=/home/shellcode/.local/share/systemd fstype=tmpfs
Mounting noexec /home/shellcode/.bash_logout
1931 1909 0:26 /@home/shellcode/.bash_logout /home/shellcode/.bash_logout ro,nosuid,nodev,noexec,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1931 fsname=/@home/shellcode/.bash_logout dir=/home/shellcode/.bash_logout fstype=btrfs
Mounting noexec /home/shellcode/.bash_profile
1932 1910 0:26 /@home/shellcode/.bash_profile /home/shellcode/.bash_profile ro,nosuid,nodev,noexec,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1932 fsname=/@home/shellcode/.bash_profile dir=/home/shellcode/.bash_profile fstype=btrfs
Mounting noexec /home/shellcode/.bashrc
1933 1911 0:26 /@home/shellcode/.bashrc /home/shellcode/.bashrc ro,nosuid,nodev,noexec,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1933 fsname=/@home/shellcode/.bashrc dir=/home/shellcode/.bashrc fstype=btrfs
Mounting noexec /home/shellcode/.dotfiles/.profile
1934 1917 0:26 /@home/shellcode/.dotfiles/.profile /home/shellcode/.dotfiles/.profile ro,nosuid,nodev,noexec,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1934 fsname=/@home/shellcode/.dotfiles/.profile dir=/home/shellcode/.dotfiles/.profile fstype=btrfs
Warning: not remounting /home/shellcode/.ssh/config
Mounting noexec /home/shellcode/.dotfiles/.config/nvim
1935 1918 0:26 /@home/shellcode/.dotfiles/.config/nvim /home/shellcode/.dotfiles/.config/nvim ro,nosuid,nodev,noexec,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1935 fsname=/@home/shellcode/.dotfiles/.config/nvim dir=/home/shellcode/.dotfiles/.config/nvim fstype=btrfs
Mounting noexec /home/shellcode/.dotfiles
1942 1941 0:26 /@home/shellcode/.dotfiles/.config/nvim /home/shellcode/.dotfiles/.config/nvim ro,nosuid,nodev,noexec,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1942 fsname=/@home/shellcode/.dotfiles/.config/nvim dir=/home/shellcode/.dotfiles/.config/nvim fstype=btrfs
Mounting noexec /home/shellcode/.local/share/nvim
1943 1919 0:26 /@home/shellcode/.local/share/nvim /home/shellcode/.local/share/nvim ro,nosuid,nodev,noexec,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1943 fsname=/@home/shellcode/.local/share/nvim dir=/home/shellcode/.local/share/nvim fstype=btrfs
Mounting noexec /home/shellcode/.local/state/nvim
1944 1920 0:26 /@home/shellcode/.local/state/nvim /home/shellcode/.local/state/nvim ro,nosuid,nodev,noexec,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1944 fsname=/@home/shellcode/.local/state/nvim dir=/home/shellcode/.local/state/nvim fstype=btrfs
Mounting noexec /home/shellcode/.cargo/bin
1945 1921 0:26 /@home/shellcode/.cargo/bin /home/shellcode/.cargo/bin ro,nosuid,nodev,noexec,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1945 fsname=/@home/shellcode/.cargo/bin dir=/home/shellcode/.cargo/bin fstype=btrfs
Mounting noexec /home/shellcode/.rustup
1946 1922 0:26 /@home/shellcode/.rustup /home/shellcode/.rustup ro,nosuid,nodev,noexec,noatime,nodiratime master:44 - btrfs /dev/mapper/archlinux rw,compress=zstd:3,ssd,space_cache=v2,subvolid=257,subvol=/@home
mountid=1946 fsname=/@home/shellcode/.rustup dir=/home/shellcode/.rustup fstype=btrfs
Mounting noexec /home/shellcode/.gnupg
1947 1923 0:23 /firejail/firejail.ro.dir /home/shellcode/.gnupg ro,nosuid,nodev,noexec,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1947 fsname=/firejail/firejail.ro.dir dir=/home/shellcode/.gnupg fstype=tmpfs
Mounting noexec /home/shellcode/.local/share/pki
1948 1924 0:23 /firejail/firejail.ro.dir /home/shellcode/.local/share/pki ro,nosuid,nodev,noexec,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1948 fsname=/firejail/firejail.ro.dir dir=/home/shellcode/.local/share/pki fstype=tmpfs
Mounting noexec /home/shellcode/.pki
1949 1925 0:23 /firejail/firejail.ro.dir /home/shellcode/.pki ro,nosuid,nodev,noexec,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1949 fsname=/firejail/firejail.ro.dir dir=/home/shellcode/.pki fstype=tmpfs
Mounting noexec /home/shellcode/.ssh
1950 1926 0:23 /firejail/firejail.ro.dir /home/shellcode/.ssh ro,nosuid,nodev,noexec,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1950 fsname=/firejail/firejail.ro.dir dir=/home/shellcode/.ssh fstype=tmpfs
Mounting noexec /run/user/1000
1951 1867 0:23 /firejail/firejail.ro.dir /run/user/1000 ro,nosuid,nodev,noexec,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1951 fsname=/firejail/firejail.ro.dir dir=/run/user/1000 fstype=tmpfs
Mounting noexec /dev/shm
1952 1789 0:203 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1952 fsname=/shm dir=/dev/shm fstype=tmpfs
Mounting noexec /tmp
Warning: not remounting /home/shellcode/.ssh/config
Warning: not remounting /home/shellcode/.cargo/bin
Warning: not remounting /home/shellcode/.cargo/bin
1954 1953 0:23 /firejail/firejail.ro.dir /tmp/ssh-XXXXXX409B7Q ro,nosuid,nodev,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1954 fsname=/firejail/firejail.ro.dir dir=/tmp/ssh-XXXXXX409B7Q fstype=tmpfs
Mounting noexec /tmp/ssh-XXXXXX409B7Q
1955 1954 0:23 /firejail/firejail.ro.dir /tmp/ssh-XXXXXX409B7Q ro,nosuid,nodev,noexec,relatime master:12 - tmpfs run rw,mode=755,inode64
mountid=1955 fsname=/firejail/firejail.ro.dir dir=/tmp/ssh-XXXXXX409B7Q fstype=tmpfs
Not blacklist /usr/local/bin/lua*
Not blacklist /usr/bin/lua*
Not blacklist /home/shellcode/.local/bin/lua*
Disable /usr/include/luajit-2.1
Disable /usr/include/lua.h
Disable /usr/include/lua.hpp
Disable /usr/include/luaconf.h
Disable /usr/include/lualib.h
Not blacklist /usr/lib/liblua++.so
Not blacklist /usr/lib/liblua++.so.5.4
Not blacklist /usr/lib/liblua++.so.5.4.6
Not blacklist /usr/lib/liblua++5.4.so
Not blacklist /usr/lib/liblua.so
Not blacklist /usr/lib/liblua.so.5.4
Not blacklist /usr/lib/liblua.so.5.4.6
Not blacklist /usr/lib/liblua5.4.so
Not blacklist /usr/lib/libluajit-5.1.so
Not blacklist /usr/lib/libluajit-5.1.so.2
Not blacklist /usr/lib/libluajit-5.1.so.2.1.1700008891
Not blacklist /usr/lib/lua
Not blacklist /usr/lib64/liblua++.so
Not blacklist /usr/lib64/liblua++.so.5.4
Not blacklist /usr/lib64/liblua++.so.5.4.6
Not blacklist
/usr/lib64/liblua++5.4.so Not blacklist /usr/lib64/liblua.so Not blacklist /usr/lib64/liblua.so.5.4 Not blacklist /usr/lib64/liblua.so.5.4.6 Not blacklist /usr/lib64/liblua5.4.so Not blacklist /usr/lib64/libluajit-5.1.so Not blacklist /usr/lib64/libluajit-5.1.so.2 Not blacklist /usr/lib64/libluajit-5.1.so.2.1.1700008891 Not blacklist /usr/lib64/lua Not blacklist /usr/share/lua* Disable /usr/include/node Disable /usr/lib/perl5 Disable /usr/lib/perl5 (requested /usr/lib64/perl5) Disable /usr/share/perl5 Disable /usr/lib/ruby Disable /usr/lib/ruby (requested /usr/lib64/ruby) Disable /usr/include/python3.11 Disable /usr/lib/python3.11 Disable /usr/lib/python3.11 (requested /usr/lib64/python3.11) Disable /home/shellcode/.cache/babl Disable /home/shellcode/.cache/chromium Disable /home/shellcode/.cache/gegl-0.4 Disable /home/shellcode/.cache/keepassxc Disable /home/shellcode/.cache/mozilla Not blacklist /home/shellcode/.cache/nvim Disable /home/shellcode/.cache/pip Disable /home/shellcode/.cargo Disable /home/shellcode/.config/Signal Disable /home/shellcode/.config/chromium Disable /home/shellcode/.dotfiles/.config/chromium-flags.conf (requested /home/shellcode/.config/chromium-flags.conf) Disable /home/shellcode/.config/deluge Disable /home/shellcode/.dotfiles/.config/electron-flags.conf (requested /home/shellcode/.config/electron-flags.conf) Disable /home/shellcode/.config/flameshot Disable /home/shellcode/.dotfiles/.config/git (requested /home/shellcode/.config/git) Disable /home/shellcode/.config/keepassxc Disable /home/shellcode/.config/libreoffice Not blacklist /home/shellcode/.config/nvim Disable /home/shellcode/.config/pavucontrol.ini Disable /home/shellcode/.config/remmina Disable /home/shellcode/.config/transmission Not blacklist /home/shellcode/.local/share/man Disable /home/shellcode/.local/share/remmina Disable /home/shellcode/.mozilla Disable /home/shellcode/.wget-hsts Warning (blacklisting): cannot open /run/user/1000/*firefox*: Permission denied Warning 
(blacklisting): cannot open /run/user/1000/akonadi: Permission denied Warning (blacklisting): cannot open /run/user/1000/psd/*firefox*: Permission denied Directory ${DOCUMENTS} resolved as documents Disable /home/shellcode/documents Directory ${MUSIC} resolved as media/music Disable /home/shellcode/media/music Directory ${PICTURES} resolved as media/pictures Disable /home/shellcode/media/pictures Directory ${VIDEOS} resolved as media/videos Disable /home/shellcode/media/videos Mounting read-only /home/shellcode 2068 1996 0:23 /firejail/firejail.ro.dir /home/shellcode/media/videos ro,nosuid,nodev,relatime master:12 - tmpfs run rw,mode=755,inode64 mountid=2068 fsname=/firejail/firejail.ro.dir dir=/home/shellcode/media/videos fstype=tmpfs Disable /tmp/.X11-unix Mounting tmpfs on /home/shelDISPLAY is not set line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 04 00 c000003e jeq ARCH_64 0006 (false 0002) 0002: 20 00 00 00000000 ld data.syscall-number 0003: 15 01 00 00000167 jeq unknown 0005 (false 0004) 0004: 06 00 00 7fff0000 ret ALLOW 0005: 05 00 00 00000009 jmp 000f 0006: 20 00 00 00000004 ld data.architecture 0007: 15 01 00 c000003e jeq ARCH_64 0009 (false 0008) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 20 00 00 00000000 ld data.syscall-number 000a: 35 01 00 40000000 jge X32_ABI 000c (false 000b) 000b: 35 01 00 00000000 jge read 000d (false 000c) 000c: 06 00 00 00050001 ret ERRNO(1) 000d: 15 01 00 00000029 jeq socket 000f (false 000e) 000e: 06 00 00 7fff0000 ret ALLOW 000f: 20 00 00 00000010 ld data.args[0] 0010: 15 00 01 00000001 jeq 1 0011 (false 0012) 0011: 06 00 00 7fff0000 ret ALLOW 0012: 06 00 00 0005005f ret ERRNO(95) line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 30 00 00000015 jeq 15 0035 (false 0005) 0005: 15 2f 00 
00000034 jeq 34 0035 (false 0006) 0006: 15 2e 00 0000001a jeq 1a 0035 (false 0007) 0007: 15 2d 00 0000011b jeq 11b 0035 (false 0008) 0008: 15 2c 00 00000155 jeq 155 0035 (false 0009) 0009: 15 2b 00 00000156 jeq 156 0035 (false 000a) 000a: 15 2a 00 0000007f jeq 7f 0035 (false 000b) 000b: 15 29 00 00000080 jeq 80 0035 (false 000c) 000c: 15 28 00 0000015e jeq 15e 0035 (false 000d) 000d: 15 27 00 00000081 jeq 81 0035 (false 000e) 000e: 15 26 00 0000006e jeq 6e 0035 (false 000f) 000f: 15 25 00 00000065 jeq 65 0035 (false 0010) 0010: 15 24 00 00000121 jeq 121 0035 (false 0011) 0011: 15 23 00 00000057 jeq 57 0035 (false 0012) 0012: 15 22 00 00000073 jeq 73 0035 (false 0013) 0013: 15 21 00 00000067 jeq 67 0035 (false 0014) 0014: 15 20 00 0000015b jeq 15b 0035 (false 0015) 0015: 15 1f 00 0000015c jeq 15c 0035 (false 0016) 0016: 15 1e 00 00000087 jeq 87 0035 (false 0017) 0017: 15 1d 00 00000095 jeq 95 0035 (false 0018) 0018: 15 1c 00 0000007c jeq 7c 0035 (false 0019) 0019: 15 1b 00 00000157 jeq 157 0035 (false 001a) 001a: 15 1a 00 000000fd jeq fd 0035 (false 001b) 001b: 15 19 00 00000150 jeq 150 0035 (false 001c) 001c: 15 18 00 00000152 jeq 152 0035 (false 001d) 001d: 15 17 00 0000015d jeq 15d 0035 (false 001e) 001e: 15 16 00 0000011e jeq 11e 0035 (false 001f) 001f: 15 15 00 0000011f jeq 11f 0035 (false 0020) 0020: 15 14 00 00000120 jeq 120 0035 (false 0021) 0021: 15 13 00 00000056 jeq 56 0035 (false 0022) 0022: 15 12 00 00000033 jeq 33 0035 (false 0023) 0023: 15 11 00 0000007b jeq 7b 0035 (false 0024) 0024: 15 10 00 000000d9 jeq d9 0035 (false 0025) 0025: 15 0f 00 000000f5 jeq f5 0035 (false 0026) 0026: 15 0e 00 000000f6 jeq f6 0035 (false 0027) 0027: 15 0d 00 000000f7 jeq f7 0035 (false 0028) 0028: 15 0c 00 000000f8 jeq f8 0035 (false 0029) 0029: 15 0b 00 000000f9 jeq f9 0035 (false 002a) 002a: 15 0a 00 00000101 jeq 101 0035 (false 002b) 002b: 15 09 00 00000112 jeq 112 0035 (false 002c) 002c: 15 08 00 00000114 jeq 114 0035 (false 002d) 002d: 15 07 00 00000126 jeq 126 0035 
(false 002e) 002e: 15 06 00 0000013d jeq 13d 0035 (false 002f) 002f: 15 05 00 0000013c jeq 13c 0035 (false 0030) 0030: 15 04 00 0000003d jeq 3d 0035 (false 0031) 0031: 15 03 00 00000058 jeq 58 0035 (false 0032) 0032: 15 02 00 000000a9 jeq a9 0035 (false 0033) 0033: 15 01 00 00000082 jeq 82 0035 (false 0034) 0034: 06 00 00 7fff0000 ret ALLOW 0035: 06 00 00 00050001 ret ERRNO(1) line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 47 00 0000009f jeq adjtimex 004f (false 0008) 0008: 15 46 00 00000131 jeq clock_adjtime 004f (false 0009) 0009: 15 45 00 000000e3 jeq clock_settime 004f (false 000a) 000a: 15 44 00 000000a4 jeq settimeofday 004f (false 000b) 000b: 15 43 00 0000009a jeq modify_ldt 004f (false 000c) 000c: 15 42 00 000000d4 jeq lookup_dcookie 004f (false 000d) 000d: 15 41 00 0000012a jeq perf_event_open 004f (false 000e) 000e: 15 40 00 000001b6 jeq pidfd_getfd 004f (false 000f) 000f: 15 3f 00 00000137 jeq process_vm_writev 004f (false 0010) 0010: 15 3e 00 000000b0 jeq delete_module 004f (false 0011) 0011: 15 3d 00 00000139 jeq finit_module 004f (false 0012) 0012: 15 3c 00 000000af jeq init_module 004f (false 0013) 0013: 15 3b 00 000000a1 jeq chroot 004f (false 0014) 0014: 15 3a 00 000001af jeq fsconfig 004f (false 0015) 0015: 15 39 00 000001b0 jeq fsmount 004f (false 0016) 0016: 15 38 00 000001ae jeq fsopen 004f (false 0017) 0017: 15 37 00 000001b1 jeq fspick 004f (false 0018) 0018: 15 36 00 000000a5 jeq mount 004f (false 0019) 0019: 15 35 00 000001ad jeq move_mount 004f (false 001a) 001a: 15 34 00 000001ac jeq open_tree 004f (false 001b) 001b: 15 33 00 0000009b jeq pivot_root 004f (false 001c) 001c: 15 32 00 000000a6 jeq umount2 004f 
(false 001d) 001d: 15 31 00 0000009c jeq _sysctl 004f (false 001e) 001e: 15 30 00 000000b7 jeq afs_syscall 004f (false 001f) 001f: 15 2f 00 000000ae jeq create_module 004f (false 0020) 0020: 15 2e 00 000000b1 jeq get_kernel_syms 004f (false 0021) 0021: 15 2d 00 000000b5 jeq getpmsg 004f (false 0022) 0022: 15 2c 00 000000b6 jeq putpmsg 004f (false 0023) 0023: 15 2b 00 000000b2 jeq query_module 004f (false 0024) 0024: 15 2a 00 000000b9 jeq security 004f (false 0025) 0025: 15 29 00 0000008b jeq sysfs 004f (false 0026) 0026: 15 28 00 000000b8 jeq tuxcall 004f (false 0027) 0027: 15 27 00 00000086 jeq uselib 004f (false 0028) 0028: 15 26 00 00000088 jeq ustat 004f (false 0029) 0029: 15 25 00 000000ec jeq vserver 004f (false 002a) 002a: 15 24 00 000000ad jeq ioperm 004f (false 002b) 002b: 15 23 00 000000ac jeq iopl 004f (false 002c) 002c: 15 22 00 000000f6 jeq kexec_load 004f (false 002d) 002d: 15 21 00 00000140 jeq kexec_file_load 004f (false 002e) 002e: 15 20 00 000000a9 jeq reboot 004f (false 002f) 002f: 15 1f 00 000000a7 jeq swapon 004f (false 0030) 0030: 15 1e 00 000000a8 jeq swapoff 004f (false 0031) 0031: 15 1d 00 00000130 jeq open_by_handle_at 004f (false 0032) 0032: 15 1c 00 0000012f jeq name_to_handle_at 004f (false 0033) 0033: 15 1b 00 000000fb jeq ioprio_set 004f (false 0034) 0034: 15 1a 00 00000067 jeq syslog 004f (false 0035) 0035: 15 19 00 0000012c jeq fanotify_init 004f (false 0036) 0036: 15 18 00 000000f8 jeq add_key 004f (false 0037) 0037: 15 17 00 000000f9 jeq request_key 004f (false 0038) 0038: 15 16 00 000000ed jeq mbind 004f (false 0039) 0039: 15 15 00 00000100 jeq migrate_pages 004f (false 003a) 003a: 15 14 00 00000117 jeq move_pages 004f (false 003b) 003b: 15 13 00 000000fa jeq keyctl 004f (false 003c) 003c: 15 12 00 000000ce jeq io_setup 004f (false 003d) 003d: 15 11 00 000000cf jeq io_destroy 004f (false 003e) 003e: 15 10 00 000000d0 jeq io_getevents 004f (false 003f) 003f: 15 0f 00 000000d1 jeq io_submit 004f (false 0040) 0040: 15 0e 00 000000d2 
jeq io_cancel 004f (false 0041) 0041: 15 0d 00 000000d8 jeq remap_file_pages 004f (false 0042) 0042: 15 0c 00 000000ee jeq set_mempolicy 004f (false 0043) 0043: 15 0b 00 00000116 jeq vmsplice 004f (false 0044) 0044: 15 0a 00 00000143 jeq userfaultfd 004f (false 0045) 0045: 15 09 00 000000a3 jeq acct 004f (false 0046) 0046: 15 08 00 00000141 jeq bpf 004f (false 0047) 0047: 15 07 00 000000b4 jeq nfsservctl 004f (false 0048) 0048: 15 06 00 000000ab jeq setdomainname 004f (false 0049) 0049: 15 05 00 000000aa jeq sethostname 004f (false 004a) 004a: 15 04 00 00000099 jeq vhangup 004f (false 004b) 004b: 15 03 00 00000065 jeq ptrace 004f (false 004c) 004c: 15 02 00 00000087 jeq personality 004f (false 004d) 004d: 15 01 00 00000136 jeq process_vm_readv 004f (false 004e) 004e: 06 00 00 7fff0000 ret ALLOW 004f: 06 00 01 00050001 ret ERRNO(1) line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 00 05 00000009 jeq mmap 0008 (false 000d) 0008: 20 00 00 00000020 ld data.args[10] 0009: 54 00 00 00000006 and 00000006 000a: 15 00 01 00000006 jeq 6 000b (false 000c) 000b: 06 00 00 00050001 ret ERRNO(1) 000c: 06 00 00 7fff0000 ret ALLOW 000d: 15 00 05 0000000a jeq a 000e (false 0013) 000e: 20 00 00 00000020 ld data.args[10] 000f: 54 00 00 00000004 and 00000004 0010: 15 00 01 00000004 jeq 4 0011 (false 0012) 0011: 06 00 00 00050001 ret ERRNO(1) 0012: 06 00 00 7fff0000 ret ALLOW 0013: 15 00 05 00000149 jeq 149 0014 (false 0019) 0014: 20 00 00 00000020 ld data.args[10] 0015: 54 00 00 00000004 and 00000004 0016: 15 00 01 00000004 jeq 4 0017 (false 0018) 0017: 06 00 00 00050001 ret ERRNO(1) 0018: 06 00 00 7fff0000 ret ALLOW 0019: 15 00 05 0000001e jeq 1e 001a (false 
001f) 001a: 20 00 00 00000020 ld data.args[10] 001b: 54 00 00 00008000 and 00008000 001c: 15 00 01 00008000 jeq 8000 001d (false 001e) 001d: 06 00 00 00050001 ret ERRNO(1) 001e: 06 00 00 7fff0000 ret ALLOW 001f: 15 00 01 0000013f jeq 13f 0020 (false 0021) 0020: 06 00 00 00050001 ret ERRNO(1) 0021: 06 00 00 7fff0000 ret ALLOW 0022: 06 00 00 7fff0000 ret ALLOW line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 00 01 0000005a jeq 5a 0005 (false 0006) 0005: 06 00 00 00050001 ret ERRNO(1) 0006: 15 00 05 000000c0 jeq c0 0007 (false 000c) 0007: 20 00 00 00000020 ld data.args[10] 0008: 54 00 00 00000006 and 00000006 0009: 15 00 01 00000006 jeq 6 000a (false 000b) 000a: 06 00 00 00050001 ret ERRNO(1) 000b: 06 00 00 7fff0000 ret ALLOW 000c: 15 00 05 0000007d jeq 7d 000d (false 0012) 000d: 20 00 00 00000020 ld data.args[10] 000e: 54 00 00 00000004 and 00000004 000f: 15 00 01 00000004 jeq 4 0010 (false 0011) 0010: 06 00 00 00050001 ret ERRNO(1) 0011: 06 00 00 7fff0000 ret ALLOW 0012: 15 00 05 0000017c jeq 17c 0013 (false 0018) 0013: 20 00 00 00000020 ld data.args[10] 0014: 54 00 00 00000004 and 00000004 0015: 15 00 01 00000004 jeq 4 0016 (false 0017) 0016: 06 00 00 00050001 ret ERRNO(1) 0017: 06 00 00 7fff0000 ret ALLOW 0018: 15 00 05 0000018d jeq 18d 0019 (false 001e) 0019: 20 00 00 00000020 ld data.args[10] 001a: 54 00 00 00008000 and 00008000 001b: 15 00 01 00008000 jeq 8000 001c (false 001d) 001c: 06 00 00 00050001 ret ERRNO(1) 001d: 06 00 00 7fff0000 ret ALLOW 001e: 15 00 01 00000164 jeq 164 001f (false 0020) 001f: 06 00 00 00050001 ret ERRNO(1) 0020: 06 00 00 7fff0000 ret ALLOW 0021: 06 00 00 7fff0000 ret ALLOW line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 c000003e jeq ARCH_64 0003 (false 0002) 0002: 06 00 00 7fff0000 ret 
ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 35 01 00 40000000 jge X32_ABI 0006 (false 0005) 0005: 35 01 00 00000000 jge read 0007 (false 0006) 0006: 06 00 00 00050001 ret ERRNO(1) 0007: 15 00 04 00000038 jeq clone 0008 (false 000c) 0008: 20 00 00 00000010 ld data.args[0] 0009: 45 00 01 7e020000 jset 7e020000 000a (false 000b) 000a: 06 00 00 00050001 ret ERRNO(1) 000b: 06 00 00 7fff0000 ret ALLOW 000c: 15 00 01 000001b3 jeq 1b3 000d (false 000e) 000d: 06 00 00 00050026 ret ERRNO(38) 000e: 15 00 04 00000110 jeq 110 000f (false 0013) 000f: 20 00 00 00000010 ld data.args[0] 0010: 45 00 01 7e020080 jset 7e020080 0011 (false 0012) 0011: 06 00 00 00050001 ret ERRNO(1) 0012: 06 00 00 7fff0000 ret ALLOW 0013: 15 00 04 00000134 jeq 134 0014 (false 0018) 0014: 20 00 00 00000018 ld data.args[8] 0015: 15 01 00 00000000 jeq 0 0017 (false 0016) 0016: 45 00 01 7e020080 jset 7e020080 0017 (false 0018) 0017: 06 00 00 00050001 ret ERRNO(1) 0018: 06 00 00 7fff0000 ret ALLOW 0019: 06 00 00 7fff0000 ret ALLOW line OP JT JF K ================================= 0000: 20 00 00 00000004 ld data.architecture 0001: 15 01 00 40000003 jeq ARCH_32 0003 (false 0002) 0002: 06 00 00 7fff0000 ret ALLOW 0003: 20 00 00 00000000 ld data.syscall-number 0004: 15 00 04 00000078 jeq 78 0005 (false 0009) 0005: 20 00 00 00000010 ld data.args[0] 0006: 45 00 01 7e020000 jset 7e020000 0007 (false 0008) 0007: 06 00 00 00050001 ret ERRNO(1) 0008: 06 00 00 7fff0000 ret ALLOW 0009: 15 00 01 000001b3 jeq 1b3 000a (false 000b) 000a: 06 00 00 00050026 ret ERRNO(38) 000b: 15 00 04 00000136 jeq 136 000c (false 0010) 000c: 20 00 00 00000010 ld data.args[0] 000d: 45 00 01 7e020080 jset 7e020080 000e (false 000f) 000e: 06 00 00 00050001 ret ERRNO(1) 000f: 06 00 00 7fff0000 ret ALLOW 0010: 15 00 04 0000015a jeq 15a 0011 (false 0015) 0011: 20 00 00 00000018 ld data.args[8] 0012: 15 01 00 00000000 jeq 0 0014 (false 0013) 0013: 45 00 01 7e020080 jset 7e020080 0014 (false 0015) 0014: 06 00 00 00050001 ret ERRNO(1) 
0015: 06 00 00 7fff0000 ret ALLOW 0016: 06 00 00 7fff0000 ret ALLOW lcode/.cache, check owner: yes 2070 1996 0:210 / /home/shellcode/.cache rw,nosuid,nodev,noexec,noatime,nodiratime - tmpfs tmpfs rw,mode=755,uid=1000,gid=1000,inode64 mountid=2070 fsname=/ dir=/home/shellcode/.cache fstype=tmpfs Disable /sys/fs Disable /sys/module disable pulseaudio blacklist /home/shellcode/.config/pulse disable pipewire Current directory: /home/shellcode/dev Install protocol filter: unix configuring 19 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32 sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.32 Dual 32/64 bit seccomp filter configured configuring 80 seccomp entries in /run/firejail/mnt/seccomp/seccomp sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp seccomp filter configured Install memory write&execute filter configuring 35 seccomp entries in /run/firejail/mnt/seccomp/seccomp.mdwx sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.mdwx configuring 34 seccomp entries in /run/firejail/mnt/seccomp/seccomp.mdwx.32 sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.mdwx.32 Build restrict-namespaces filter sbox run: /run/firejail/lib/fseccomp restrict-namespaces /run/firejail/mnt/seccomp/seccomp.namespaces cgroup,ipc,net,mnt,pid,time,user,uts restrict-namespaces filter configured Build restrict-namespaces filter sbox run: /run/firejail/lib/fseccomp restrict-namespaces.32 /run/firejail/mnt/seccomp/seccomp.namespaces.32 cgroup,ipc,net,mnt,pid,time,user,uts restrict-namespaces filter configured Install namespaces filter configuring 26 seccomp entries in /run/firejail/mnt/seccomp/seccomp.namespaces sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces configuring 23 seccomp entries in 
/run/firejail/mnt/seccomp/seccomp.namespaces.32 sbox run: /run/firejail/lib/fsec-print /run/firejail/mnt/seccomp/seccomp.namespaces.32 Mounting read-only /run/firejail/mnt/seccomp 2074 1728 0:149 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64 mountid=2074 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs Seccomp directory: ls /run/firejail/mnt/seccomp drwxr-xr-x root root 240 . drwxr-xr-x root root 320 .. -rw-r--r-- shellcod shellcod 640 seccomp -rw-r--r-- shellcod shellcod 432 seccomp.32 -rw-r--r-- shellcod shellcod 288 seccomp.list -rw-r--r-- shellcod shellcod 280 seccomp.mdwx -rw-r--r-- shellcod shellcod 272 seccomp.mdwx.32 -rw-r--r-- shellcod shellcod 208 seccomp.namespaces -rw-r--r-- shellcod shellcod 184 seccomp.namespaces.32 -rw-r--r-- shellcod shellcod 0 seccomp.postexec -rw-r--r-- shellcod shellcod 0 seccomp.postexec32 -rw-r--r-- shellcod shellcod 152 seccomp.protocol Active seccomp files: cat /run/firejail/mnt/seccomp/seccomp.list /run/firejail/mnt/seccomp/seccomp.protocol /run/firejail/mnt/seccomp/seccomp.32 /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.mdwx /run/firejail/mnt/seccomp/seccomp.mdwx.32 /run/firejail/mnt/seccomp/seccomp.namespaces /run/firejail/mnt/seccomp/seccomp.namespaces.32 nogroups command not ignored nogroups command not ignored Dropping all capabilities noroot user namespace installed Dropping all capabilities NO_NEW_PRIVS set Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0 No supplementary groups AppArmor enabled Closing non-standard file descriptors Child process initialized in 338.37 ms Starting application LD_PRELOAD=(null) execvp argument 0: /usr/bin/man execvp argument 1: sendfile sendfile(2) System Calls Manual sendfile(2) NAME sendfile - transfer data between file descriptors LIBRARY Standard C library (libc, -lc) SYNOPSIS #include ssize_t sendfile(int out_fd, int in_fd, off_t *_Nullable offset, size_t count); DESCRIPTION sendfile() copies data between 
one file descriptor and another. Because this copying is done within the kernel, sendfile() is more efficient than the combination of read(2) and write(2), which would require transferring data to and from user space. in_fd should be a file descriptor opened for reading and out_fd should be a descriptor opened for writing. If offset is not NULL, then it points to a variable holding the file offset from which sendfile() will start reading data from in_fd. When sendfile() returns, this variable will be set to the offset of the byte following the last byte that was read. If offset is not NULL, then sendfile() does not modify the file offset of in_fd; otherwise the file offset is adjusted to reflect the number of bytes read from in_fd. If offset is NULL, then data will be read from in_fd starting at the file offset, and the file offset will be updated by the call. count is the number of bytes to copy between the file descriptors. The in_fd argument must correspond to a file which supports mmap(2)-like operations (i.e., it cannot be a socket). Before Linux 2.6.33, out_fd must refer to a socket. Since Linux 2.6.33 it can be any file. If it is a regular file, then sendfile() changes the file offset appropriately. RETURN VALUE If the transfer was successful, the number of bytes written to out_fd is returned. Note that a successful call to sendfile() may write fewer bytes than requested; the caller should be prepared to retry the call if there were unsent bytes. See also NOTES. On error, -1 is returned, and errno is set to indicate the error. ERRORS EAGAIN Nonblocking I/O has been selected using O_NONBLOCK and the write would block. EBADF The input file was not opened for reading or the output file was not opened for writing. EFAULT Bad address. EINVAL Descriptor is not valid or locked, or an mmap(2)-like operation is not available for in_fd, or count is negative. EINVAL out_fd has the O_APPEND flag set. This is not currently supported by sendfile(). 
EIO Unspecified error while reading from in_fd. ENOMEM Insufficient memory to read from in_fd. EOVERFLOW count is too large, the operation would result in exceeding the maximum size of either the input file or the output file. ESPIPE offset is not NULL but the input file is not seekable. VERSIONS Other UNIX systems implement sendfile() with different semantics and prototypes. It should not be used in portable programs. STANDARDS None. HISTORY Linux 2.2, glibc 2.1. In Linux 2.4 and earlier, out_fd could also refer to a regular file; this possibility went away in the Linux 2.6.x kernel series, but was restored in Linux 2.6.33. The original Linux sendfile() system call was not designed to handle large file offsets. Consequently, Linux 2.4 added sendfile64(), with a wider type for the offset argument. The glibc sendfile() wrapper function transparently deals with the kernel differences. NOTES sendfile() will transfer at most 0x7ffff000 (2,147,479,552) bytes, returning the number of bytes actually transferred. (This is true on both 32-bit and 64-bit systems.) If you plan to use sendfile() for sending files to a TCP socket, but need to send some header data in front of the file contents, you will find it useful to employ the TCP_CORK option, described in tcp(7), to minimize the number of packets and to tune performance. Applications may wish to fall back to read(2) and write(2) in the case where sendfile() fails with EINVAL or ENOSYS. If out_fd refers to a socket or pipe with zero-copy support, callers must ensure the transferred portions of the file referred to by in_fd remain unmodified until the reader on the other end of out_fd has consumed the transferred data. The Linux-specific splice(2) call supports transferring data between arbitrary file descriptors provided one (or both) of them is a pipe. SEE ALSO copy_file_range(2), mmap(2), open(2), socket(2), splice(2) Linux man-pages 6.05.01 2023-07-15 sendfile(2) Parent is shutting down, bye...
```

ShellCode33 commented 9 months ago

I tried to copy the whole nvim.profile into man.local and tweak it a bit:

```
private-bin apropos,bash,cat,catman,col,gpreconv,groff,grotty,gunzip,gzip,less,man,most,nroff,preconv,sed,sh,tbl,tr,troff,whatis,which,xtotroff,zcat,zsoelim,nvim,strace
include allow-lua.inc

noblacklist ${HOME}/.vim
noblacklist ${HOME}/.vimrc
noblacklist ${HOME}/.cache/nvim
noblacklist ${HOME}/.config/nvim
noblacklist ${HOME}/.dotfiles/.config/nvim
noblacklist ${HOME}/.local/share/nvim
noblacklist ${HOME}/.local/state/nvim

whitelist /usr/share/nvim

include whitelist-runuser-common.inc

ipc-namespace
machine-id
net none
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
tracelog
x11 none

private-dev

dbus-user none
dbus-system none

read-only ${HOME}/.config
read-only ${HOME}/.dotfiles
read-only ${HOME}/.dotfiles/.config
read-write ${HOME}/.config/nvim
read-write ${HOME}/.dotfiles/config/nvim
read-write ${HOME}/.local/share/nvim
read-write ${HOME}/.local/state/nvim
read-write ${HOME}/.vim
read-write ${HOME}/.vimrc
restrict-namespaces
```

Still the same error.

kmk3 commented 9 months ago

@glitsj16 on Nov 30:

Yeah that won't work, but you're on the right track. You only need to cherrypick the nvim configuration paths and add those into man.local:

```
$ cat ~/.config/firejail/man.local
include allow-lua.inc

noblacklist ${HOME}/.vim
noblacklist ${HOME}/.vimrc
noblacklist ${HOME}/.cache/nvim
noblacklist ${HOME}/.config/nvim
noblacklist ${HOME}/.local/share/nvim
noblacklist ${HOME}/.local/state/nvim

whitelist /usr/share/nvim
```

What does that do?

I managed to get it working with the following in man.local:

```
ignore memory-deny-write-execute

# Allow lua (blacklisted by disable-interpreters.inc)
include allow-lua.inc

noblacklist ${HOME}/.vim
noblacklist ${HOME}/.vimrc
noblacklist ${HOME}/.cache/nvim
noblacklist ${HOME}/.config/nvim
noblacklist ${HOME}/.local/share/nvim
noblacklist ${HOME}/.local/state/nvim

whitelist /usr/share/nvim

read-write ${HOME}/.local/state/nvim
```

Note: The read-write entry is only needed to avoid warnings.

@ShellCode33 Does that work for you?

ShellCode33 commented 9 months ago

Works like a charm, thanks a lot! The key thing seems to be ignore memory-deny-write-execute; I'd be glad to know why w+x memory is required though.

Small additional note, I had errors you apparently didn't have which seem to be related to my/your nvim config.

The first one I had to solve was related to the nvim swap mechanism; I don't want them anyway, so instead of changing the firejail profile, I disabled it in my nvim config:

```
vim.opt.swapfile = false
```

The second one I've been unable to solve for now is related to treesitter:

```
Error detected while processing User Autocommands for "VeryLazy":
Parser dir ' /home/shellcode/.local/share/nvim/lazy/nvim-treesitter/parser ' should be read/write (see README on how to configure an alternative install location) /home/shellcode/.local/share
/nvim/lazy/nvim-treesitter/parser '
```

I'm not sure why the write permission is required for ~/.local/share/nvim/lazy/nvim-treesitter/parser as it only contains .so files.

I tried to add read-write ${HOME}/.local/share/nvim/lazy/nvim-treesitter/parser to man.local but it doesn't work. Still the same error.

This is not an error that prevents me from reading the man page, but the warning is annoying:

(screenshot attachment showing the treesitter warning)

kmk3 commented 9 months ago

@ShellCode33 on Nov 30:

Works like a charm, thanks a lot !

No problem.

The key thing seems to be ignore memory-deny-write-execute, I'd be glad to know why w+x memory is required though.

Probably for executing Vimscript, Lua, etc.

Small additional note, I had errors you apparently didn't have which seem to be related to my/your nvim config.

The first one I had to solve was related to the nvim swap mechanism; I don't want them anyway, so instead of changing the firejail profile, I disabled it in my nvim config:

```
vim.opt.swapfile = false
```

With the default configuration, if the swapfile and shada file are disabled in the command line, then it should work without any read-write entries:

MANPAGER='nvim -n -i NONE +Man!' firejail /usr/bin/man sendfile

The second one I've been unable to solve for now is related to treesitter:

Error detected while processing User Autocommands for "VeryLazy":
Parser dir ' /home/shellcode/.local/share/nvim/lazy/nvim-treesitter/parser ' should be read/write (see README on how to configure an alternative install location) /home/shellcode/.local/share
/nvim/lazy/nvim-treesitter/parser '

I tried to add read-write ${HOME}/.local/share/nvim/lazy/nvim-treesitter/parser to man.local but it doesn't work. Still the same error.

This is not an error that prevents me from reading the man page, but the warning is annoying:

Note that there are multiple read-only nvim entries:

```
$ grep -R '^read-only .*nvim' /etc/firejail/
/etc/firejail/disable-common.inc:read-only ${HOME}/.config/nvim
/etc/firejail/disable-common.inc:read-only ${HOME}/.local/share/nvim
/etc/firejail/disable-common.inc:read-only ${HOME}/.local/state/nvim
```

In this case the read-write command might need to match the existing read-only command:

```
read-write ${HOME}/.local/share/nvim
```

ShellCode33 commented 9 months ago

Thanks for your reply. I tried to add all these read-write statements but it doesn't seem to work. I think the issue might be that man.profile first includes man.local and THEN includes disable-common.inc. Therefore the read-write directive is overridden by the read-only one. Any advice on how to work around that?

kmk3 commented 9 months ago

> Thanks for your reply. I tried to add all these read-write statements but it doesn't seem to work. I think the issue might be that man.profile first includes man.local and THEN includes disable-common.inc. Therefore the read-write directive is overridden by the read-only one. Any advice on how to work around that?

Good catch; though the read-write entries did remove the warnings when I was testing, so maybe something changed in 0.9.73.

How about the following?

```
# ignore entries from disable-common.inc
ignore read-only ${HOME}/.local/share/nvim
ignore read-only ${HOME}/.local/state/nvim

# because of read-only ${HOME}
read-write ${HOME}/.local/share/nvim
read-write ${HOME}/.local/state/nvim
```

ShellCode33 commented 9 months ago

Nope, still doesn't work :/

Here's what my man.local looks like so far:

```
ignore memory-deny-write-execute

# Allow lua (blacklisted by disable-interpreters.inc)
include allow-lua.inc

noblacklist ${HOME}/.cache/nvim
noblacklist ${HOME}/.config/nvim
noblacklist ${HOME}/.local/share/nvim
noblacklist ${HOME}/.local/state/nvim

whitelist /usr/share/nvim

# ignore entries from disable-common.inc
ignore read-only ${HOME}/.local/share/nvim
ignore read-only ${HOME}/.local/state/nvim

read-write ${HOME}/.local/share/nvim
read-write ${HOME}/.local/state/nvim

restrict-namespaces
```

kmk3 commented 9 months ago

> Nope, still doesn't work :/

Is the error still about treesitter read/write?

What is the neovim and treesitter plugin version?

How is treesitter configured in neovim?

Does it still happen with firejail-git?

If you join the sandbox, what are the permissions in the treesitter directories?

Can you create files in them?

Example:

```
MANPAGER='nvim -n -i NONE +Man!' firejail --name=nvim /usr/bin/man sendfile

# in another shell
firejail --join=nvim
ls -l    ~/.local/share/nvim/lazy/nvim-treesitter/parser
mkdir -p ~/.local/share/nvim/lazy/nvim-treesitter/parser
touch    ~/.local/share/nvim/lazy/nvim-treesitter/parser/test
ls -l    ~/.local/share/nvim/lazy/nvim-treesitter/parser
```

ShellCode33 commented 8 months ago

> Is the error still about treesitter read/write?

Yes it is.

> What is the neovim and treesitter plugin version?

Neovim up to date with the ArchLinux repo:

```
$ nvim --version
NVIM v0.9.4
Build type: Release
LuaJIT 2.1.1700008891
```

I don't know what the version of Treesitter is, but it is built into Neovim, so for reproducibility purposes, having neovim 0.9.4 would give the same Treesitter version.

However I use the nvim-treesitter plugin which - from what I understand - is a common interface for other plugins to build onto. And I'm on b41bbcb (almost the head). I might be wrong but I don't think this plugin is relevant.

> How is treesitter configured in neovim?

I use LazyVim, which configures it for me; its Treesitter configuration can be found here ("Full spec" must be selected).

My whole neovim config can be found here.

> Does it still happen with firejail-git?

Yes it does, the exact same error:

```
$ firejail --version
firejail version 0.9.73
```

> Can you create files in them?

No:

```
$ touch    ~/.local/share/nvim/lazy/nvim-treesitter/parser/test
touch: cannot touch '/home/shellcode/.local/share/nvim/lazy/nvim-treesitter/parser/test': Read-only file system
```

Full logs of the commands you provided:

```
$ firejail --join=29029
Switching to pid 29000, the first child process inside the sandbox
Changing root to /proc/29000/root
Child process initialized in 24.71 ms
$ ls -l ~/.local/share/nvim/lazy/nvim-treesitter/parser
total 12172
-rwx------ 1 shellcode shellcode 1127520 Nov 30 19:42 bash.so
-rwx------ 1 shellcode shellcode   98088 Nov 30 19:42 cmake.so
-rwx------ 1 shellcode shellcode 3339232 Nov 30 19:43 cpp.so
-rwx------ 1 shellcode shellcode  699960 Nov 30 19:42 c.so
-rwx------ 1 shellcode shellcode   31936 Nov 30 19:42 diff.so
-rwx------ 1 shellcode shellcode   60616 Nov 30 19:42 dockerfile.so
-rwx------ 1 shellcode shellcode   29296 Nov 30 19:42 html.so
-rwx------ 1 shellcode shellcode  578448 Nov 30 19:42 javascript.so
-rwx------ 1 shellcode shellcode   23616 Nov 30 19:42 jsdoc.so
-rwx------ 1 shellcode shellcode   40296 Nov 30 19:42 json5.so
-rwx------ 1 shellcode shellcode   17896 Nov 30 19:42 jsonc.so
-rwx------ 1 shellcode shellcode   19648 Nov 30 19:42 json.so
-rwx------ 1 shellcode shellcode  105664 Nov 30 19:42 luadoc.so
-rwx------ 1 shellcode shellcode   23808 Nov 30 19:42 luap.so
-rwx------ 1 shellcode shellcode   65656 Nov 30 19:42 lua.so
-rwx------ 1 shellcode shellcode  339872 Nov 30 19:42 markdown_inline.so
-rwx------ 1 shellcode shellcode  353088 Nov 30 19:42 markdown.so
-rwx------ 1 shellcode shellcode   44224 Nov 30 19:42 ninja.so
-rwx------ 1 shellcode shellcode  512408 Nov 30 19:42 python.so
-rwx------ 1 shellcode shellcode   36032 Nov 30 19:42 query.so
-rwx------ 1 shellcode shellcode   23616 Nov 30 19:42 regex.so
-rwx------ 1 shellcode shellcode   73904 Nov 30 19:43 ron.so
-rwx------ 1 shellcode shellcode   67200 Nov 30 19:42 rst.so
-rwx------ 1 shellcode shellcode  979328 Nov 30 19:43 rust.so
-rwx------ 1 shellcode shellcode   36712 Nov 30 19:42 toml.so
-rwx------ 1 shellcode shellcode 1204680 Nov 30 19:43 tsx.so
-rwx------ 1 shellcode shellcode 1163704 Nov 30 19:43 typescript.so
-rwx------ 1 shellcode shellcode  101568 Nov 30 19:42 vimdoc.so
-rwx------ 1 shellcode shellcode 1013000 Nov 30 19:43 vim.so
-rwx------ 1 shellcode shellcode  194944 Nov 30 19:42 yaml.so
$ mkdir -p ~/.local/share/nvim/lazy/nvim-treesitter/parser
$ touch ~/.local/share/nvim/lazy/nvim-treesitter/parser/test
touch: cannot touch '/home/shellcode/.local/share/nvim/lazy/nvim-treesitter/parser/test': Read-only file system
```

Process tree in case that's useful:

```
shellco+    9053  1.1  1.9 2765948 231148 ?      Sl   19:13   0:36 /usr/bin/wezterm-gui
shellco+    9060  0.0  0.0  14132 10396 pts/0    Ss   19:13   0:01  \_ /usr/bin/zsh
shellco+   28999  0.0  0.0   4472  2816 pts/0    S+   20:03   0:00  |   \_ firejail /usr/bin/man sendfile
shellco+   29000  0.0  0.0   6096  3304 pts/0    S+   20:03   0:00  |       \_ firejail /usr/bin/man sendfile
shellco+   29013  0.0  0.0   8776  4416 pts/0    S+   20:03   0:00  |           \_ /usr/bin/man sendfile
shellco+   29023  0.0  0.0  13720  8192 pts/0    Sl+  20:03   0:00  |               \_ nvim -n -i NONE +Man!
shellco+   29029  0.7  0.2  29672 25088 ?        Ssl  20:03   0:02  |                   \_ nvim --embed -n -i NONE +Man!
```

Note: my man.local hasn't changed between my last comment and this one.


Again, thanks a lot for your help