Debian Bug report logs - #931051
firejail hangs on strace with the firefox or waterfox profile


Package: firejail; Maintainer for firejail is Reiner Herrmann <[email protected]>; Source for firejail is src:firejail (PTS, buildd, popcon).

Reported by: Vincent Lefevre <[email protected]>

Date: Tue, 25 Jun 2019 08:03:02 UTC

Severity: normal

Found in versions firejail/0.9.60-1, firejail/0.9.58.2-2

Forwarded to https://github.com/netblue30/firejail/issues/2809



Report forwarded to [email protected], Reiner Herrmann <[email protected]>:
Bug#931051; Package firejail. (Tue, 25 Jun 2019 08:03:05 GMT)


Acknowledgement sent to Vincent Lefevre <[email protected]>:
New Bug report received and forwarded. Copy sent to Reiner Herrmann <[email protected]>. (Tue, 25 Jun 2019 08:03:05 GMT)


Message #5 received at [email protected]:

From: Vincent Lefevre <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: firejail hangs on strace with the firefox or waterfox profile
Date: Tue, 25 Jun 2019 10:00:32 +0200
Package: firejail
Version: 0.9.58.2-2
Severity: important

firejail hangs on strace with the firefox or waterfox profile.
Example with the ls command (which is simpler than a web browser):

zira:~> /usr/bin/firejail --allow-debuggers --profile=firefox strace /bin/ls
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 2285, child pid 2286
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Post-exec seccomp protector enabled
Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
Child process initialized in 78.27 ms

and nothing else occurs. This makes it impossible to try to see why
some application does not work in firejail.

Ditto when using --profile=/etc/firejail/firefox.profile directly
(as given as an example for --allow-debuggers in the firejail(1)
man page).

No problems with the default profile or without strace.

-- System Information:
Debian Release: 10.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail depends on:
ii  libapparmor1  2.13.2-10
ii  libc6         2.28-10

Versions of packages firejail recommends:
ii  firejail-profiles  0.9.58.2-2
ii  iproute2           4.20.0-2
ii  iptables           1.8.2-4
ii  xauth              1:1.0.10-1
ii  xpra               2.4.3+dfsg1-1

firejail suggests no packages.

-- no debconf information



Marked as found in versions firejail/0.9.60-1. Request was from Reiner Herrmann <[email protected]> to [email protected]. (Sat, 29 Jun 2019 16:51:02 GMT)


Information forwarded to [email protected]:
Bug#931051; Package firejail. (Sat, 29 Jun 2019 16:54:02 GMT)


Acknowledgement sent to Reiner Herrmann <[email protected]>:
Extra info received and forwarded to list. (Sat, 29 Jun 2019 16:54:02 GMT)


Message #12 received at [email protected]:

From: Reiner Herrmann <[email protected]>
To: Vincent Lefevre <[email protected]>, [email protected]
Subject: Re: Bug#931051: firejail hangs on strace with the firefox or waterfox profile
Date: Sat, 29 Jun 2019 18:45:32 +0200
Hi Vincent,

On Tue, Jun 25, 2019 at 10:00:32AM +0200, Vincent Lefevre wrote:
> zira:~> /usr/bin/firejail --allow-debuggers --profile=firefox strace /bin/ls
> Reading profile /etc/firejail/firefox.profile
> Reading profile /etc/firejail/firefox-common.profile
> Reading profile /etc/firejail/disable-common.inc
> Reading profile /etc/firejail/disable-interpreters.inc
> Reading profile /etc/firejail/disable-programs.inc
> Reading profile /etc/firejail/whitelist-common.inc
> Reading profile /etc/firejail/whitelist-var-common.inc
> Warning: networking feature is disabled in Firejail configuration file
> Parent pid 2285, child pid 2286
> Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
> Post-exec seccomp protector enabled
> Seccomp list in: @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice, check list: @default-keep, prelist: adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
> Child process initialized in 78.27 ms
> 
> and nothing else occurs. This makes it impossible to try to see why
> some application does not work in firejail.
> 
> Ditto when using --profile=/etc/firejail/firefox.profile directly
> (as given as an example for --allow-debuggers in the firejail(1)
> man page).
> 
> No problems with the default profile or without strace.

I can reproduce the problem.
When commenting out "apparmor" and the "seccomp.drop" line in the
profile, it is working. The reason is that strace needs to use the
ptrace syscall (which was disallowed by the profile) (and after allowing
it, apparmor also had further ptrace restrictions).

But it's strange that firejail just hangs instead of terminating.

Btw for debugging profiles maybe --trace or --tracelog could also help you.

I will ask upstream about your issue.

Kind regards,
  Reiner
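The maintainer's diagnosis above (the profile's `apparmor` line and its `seccomp.drop` list both block the ptrace syscall strace needs) can be turned into a small check that scans a profile for those directives and produces a debugging variant with them commented out. This is an added example, not code from firejail or from the thread; the profile text is a constructed sample modelled on the directives named in the report, not the real firefox.profile, and the ptrace-related names it looks for are an assumption about what a debugger needs.

```python
import re

# Constructed sample modelled on the directives the bug thread names; it is
# NOT the firefox.profile shipped by firejail-profiles.
SAMPLE_PROFILE = """\
# Firejail profile for firefox (constructed sample)
include firefox-common.profile
apparmor
caps.drop all
seccomp
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,ptrace,process_vm_readv
protocol unix,inet,inet6,netlink
"""

# "@debug" is the syscall group that bundles ptrace-related calls; it appears in
# the "Seccomp list in:" output quoted in the report. Explicit syscall names are
# matched as well. A bare "seccomp" line is left alone: per the report, the
# default filter already works with --allow-debuggers.
PTRACE_GROUPS = {"@debug"}
PTRACE_SYSCALLS = {"ptrace", "process_vm_readv", "process_vm_writev"}

def blocking_directives(profile_text):
    """Return (line_no, line, reason) for each directive that would stop a
    ptrace-based debugger such as strace from running inside the sandbox."""
    hits = []
    for no, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "apparmor":
            hits.append((no, raw, "AppArmor policy restricts ptrace"))
            continue
        m = re.match(r"seccomp\.drop\s+(.*)", line)
        if m:
            items = {x.strip() for x in m.group(1).split(",") if x.strip()}
            blocked = sorted((items & PTRACE_GROUPS) | (items & PTRACE_SYSCALLS))
            if blocked:
                hits.append((no, raw, "seccomp.drop blocks " + ", ".join(blocked)))
    return hits

def debug_variant(profile_text):
    """Comment out the flagged directives, as the maintainer did by hand.
    The result is a weaker sandbox intended only for a debugging session."""
    flagged = {no for no, _, _ in blocking_directives(profile_text)}
    lines = profile_text.splitlines()
    return "\n".join("# " + raw if no in flagged else raw
                     for no, raw in enumerate(lines, 1)) + "\n"

if __name__ == "__main__":
    for no, line, why in blocking_directives(SAMPLE_PROFILE):
        print(f"line {no}: {line!r}: {why}")
    print(debug_variant(SAMPLE_PROFILE))
```

The variant can be saved under a different name and passed with `--profile=` together with `--allow-debuggers`, as in the command line quoted above.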

Set Bug forwarded-to-address to 'https://github.com/netblue30/firejail/issues/2809'. Request was from Reiner Herrmann <[email protected]> to [email protected]. (Sat, 29 Jun 2019 16:57:03 GMT)


Severity set to 'normal' from 'important'. Request was from Reiner Herrmann <[email protected]> to [email protected]. (Sat, 15 Feb 2020 10:45:04 GMT)

