Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Warning: cannot find /var/run/utmp" but looks for "/dev/null/utmp" instead #4210

Closed
donob4n opened this issue Apr 24, 2021 · 8 comments
Closed

"Warning: cannot find /var/run/utmp" but looks for "/dev/null/utmp" instead #4210

donob4n opened this issue Apr 24, 2021 · 8 comments

Comments

@donob4n
Copy link

donob4n commented Apr 24, 2021

Hi I'm running firejail on Alpinelinux and see this warning in almost all apps that I try to run.

I took a look at source and noticed that in 'fs_var.c':

       if (stat(UTMP_FILE, &s) == 0)
                utmp_group = s.st_gid;
        else {
                fwarning("cannot find /var/run/utmp\n");
                return;
        }

The value of UTMP_FILE is /dev/null/utmp

Environment
Alpinelinux Edge
firejail version 0.9.64.4

debug output 
localhost:~/electrum$ firejail --debug electrum
Error: cannot read UID_MIN and/or GID_MIN from /etc/login.defs, using 1000 by default
Autoselecting /bin/ash as shell
Building quoted command line: 'electrum' 
Command name #electrum#
Found electrum.profile profile in /etc/firejail directory
Reading profile /etc/firejail/electrum.profile
Found allow-python2.inc profile in /etc/firejail directory
Reading profile /etc/firejail/allow-python2.inc
Found allow-python3.inc profile in /etc/firejail directory
Reading profile /etc/firejail/allow-python3.inc
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-exec.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-exec.inc
Found disable-interpreters.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-interpreters.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found disable-shell.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-shell.inc
Found disable-xdg.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-xdg.inc
Found whitelist-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-common.inc
Found whitelist-var-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-var-common.inc
DISPLAY=:0 parsed as 0
Enabling IPC namespace
Using the local network stack
Parent pid 28878, child pid 28879
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 2, uid 1000, gid 1000, nogroups 1
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1276 396 0:23 /@ROOT/etc /etc ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1276 fsname=/@ROOT/etc dir=/etc fstype=btrfs
Mounting noexec /etc
1277 1276 0:23 /@ROOT/etc /etc ro,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1277 fsname=/@ROOT/etc dir=/etc fstype=btrfs
Mounting read-only /var
1280 1279 0:23 /@ROOT/var/lib/docker/btrfs /var/lib/docker/btrfs rw,relatime master:1 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1280 fsname=/@ROOT/var/lib/docker/btrfs dir=/var/lib/docker/btrfs fstype=btrfs
Mounting read-only /var/lib/docker
1282 1281 0:23 /@ROOT/var/lib/docker/btrfs /var/lib/docker/btrfs rw,relatime master:1 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1282 fsname=/@ROOT/var/lib/docker/btrfs dir=/var/lib/docker/btrfs fstype=btrfs
Mounting read-only /var/lib/docker/btrfs
1283 1282 0:23 /@ROOT/var/lib/docker/btrfs /var/lib/docker/btrfs ro,relatime master:1 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1283 fsname=/@ROOT/var/lib/docker/btrfs dir=/var/lib/docker/btrfs fstype=btrfs
Mounting noexec /var
1289 1288 0:23 /@ROOT/var/lib/docker/btrfs /var/lib/docker/btrfs ro,relatime master:1 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1289 fsname=/@ROOT/var/lib/docker/btrfs dir=/var/lib/docker/btrfs fstype=btrfs
Mounting noexec /var/lib/docker
1292 1291 0:23 /@ROOT/var/lib/docker/btrfs /var/lib/docker/btrfs ro,relatime master:1 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1292 fsname=/@ROOT/var/lib/docker/btrfs dir=/var/lib/docker/btrfs fstype=btrfs
Mounting noexec /var/lib/docker/btrfs
1293 1292 0:23 /@ROOT/var/lib/docker/btrfs /var/lib/docker/btrfs ro,nosuid,nodev,noexec,relatime master:1 - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1293 fsname=/@ROOT/var/lib/docker/btrfs dir=/var/lib/docker/btrfs fstype=btrfs
Mounting read-only /usr
1294 396 0:23 /@ROOT/usr /usr ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1294 fsname=/@ROOT/usr dir=/usr fstype=btrfs
Mounting read-only /bin
1295 396 0:23 /@ROOT/bin /bin ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1295 fsname=/@ROOT/bin dir=/bin fstype=btrfs
Mounting read-only /sbin
1296 396 0:23 /@ROOT/sbin /sbin ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1296 fsname=/@ROOT/sbin dir=/sbin fstype=btrfs
Mounting read-only /lib
1297 396 0:23 /@ROOT/lib /lib ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1297 fsname=/@ROOT/lib dir=/lib fstype=btrfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/sudo
Warning: Looking: /dev/null/utmp 
Warning: cannot find /var/run/utmp
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/donoban/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
Mounting tmpfs on /dev
Process /dev/shm directory
Copying files in the new bin directory
Checking /usr/local/bin/electrum
firejail exec symlink detected
Checking /usr/bin/electrum
sbox run: /run/firejail/lib/fcopy /usr/bin/electrum /run/firejail/mnt/bin 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3.9 /run/firejail/mnt/bin 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3 /run/firejail/mnt/bin 
sbox run: /run/firejail/lib/fcopy /usr/bin/python3.9 /run/firejail/mnt/bin 
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
4 programs installed in 2.08 ms
Generate private-tmp whitelist commands
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /lib/modules
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Copying files in the new /etc directory:
Warning: file /etc/alternatives not found.
Warning: skipping alternatives for private /etc
copying /etc/ca-certificates to private /etc
Creating empty /run/firejail/mnt/etc/ca-certificates directory
sbox run: /run/firejail/lib/fcopy /etc/ca-certificates /run/firejail/mnt/etc/ca-certificates 
Warning: file /etc/crypto-policies not found.
Warning: skipping crypto-policies for private /etc
copying /etc/dconf to private /etc
Creating empty /run/firejail/mnt/etc/dconf directory
sbox run: /run/firejail/lib/fcopy /etc/dconf /run/firejail/mnt/etc/dconf 
copying /etc/fonts to private /etc
Creating empty /run/firejail/mnt/etc/fonts directory
sbox run: /run/firejail/lib/fcopy /etc/fonts /run/firejail/mnt/etc/fonts 
copying /etc/machine-id to private /etc
sbox run: /run/firejail/lib/fcopy /etc/machine-id /run/firejail/mnt/etc 
Warning: file /etc/pki not found.
Warning: skipping pki for private /etc
copying /etc/resolv.conf to private /etc
sbox run: /run/firejail/lib/fcopy /etc/resolv.conf /run/firejail/mnt/etc 
copying /etc/ssl to private /etc
Creating empty /run/firejail/mnt/etc/ssl directory
sbox run: /run/firejail/lib/fcopy /etc/ssl /run/firejail/mnt/etc/ssl 
Mount-bind /run/firejail/mnt/etc on top of /etc
Private /etc installed in 2.08 ms
Copying files in the new /usr/etc directory:
Warning: file /usr/etc/alternatives not found.
Warning: skipping alternatives for private /usr/etc
Warning: file /usr/etc/ca-certificates not found.
Warning: skipping ca-certificates for private /usr/etc
Warning: file /usr/etc/crypto-policies not found.
Warning: skipping crypto-policies for private /usr/etc
Warning: file /usr/etc/dconf not found.
Warning: skipping dconf for private /usr/etc
Warning: file /usr/etc/fonts not found.
Warning: skipping fonts for private /usr/etc
Warning: file /usr/etc/machine-id not found.
Warning: skipping machine-id for private /usr/etc
Warning: file /usr/etc/pki not found.
Warning: skipping pki for private /usr/etc
Warning: file /usr/etc/resolv.conf not found.
Warning: skipping resolv.conf for private /usr/etc
Warning: file /usr/etc/ssl not found.
Warning: skipping ssl for private /usr/etc
Mount-bind /run/firejail/mnt/usretc on top of /usr/etc
Private /usr/etc installed in 0.10 ms
Debug 456: new_name #/home/donoban/.electrum#, whitelist
Debug 571: fname #/home/donoban/.electrum#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.electrum
Debug 456: new_name #/home/donoban/.XCompose#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.XCompose
        expanded: /home/donoban/.XCompose
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.alsaequal.bin#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.alsaequal.bin
        expanded: /home/donoban/.alsaequal.bin
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.asoundrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.asoundrc
        expanded: /home/donoban/.asoundrc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.config/ibus#, whitelist
Debug 571: fname #/home/donoban/.config/ibus#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/ibus
Debug 456: new_name #/home/donoban/.config/mimeapps.list#, whitelist
Debug 571: fname #/home/donoban/.config/mimeapps.list#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/mimeapps.list
Debug 456: new_name #/home/donoban/.config/pkcs11#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/pkcs11
        expanded: /home/donoban/.config/pkcs11
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.config/user-dirs.dirs#, whitelist
Debug 571: fname #/home/donoban/.config/user-dirs.dirs#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/user-dirs.dirs
Debug 456: new_name #/home/donoban/.config/user-dirs.locale#, whitelist
Debug 571: fname #/home/donoban/.config/user-dirs.locale#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/user-dirs.locale
Debug 456: new_name #/home/donoban/.drirc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.drirc
        expanded: /home/donoban/.drirc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.icons
        expanded: /home/donoban/.icons
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.local/share/applications#, whitelist
Debug 571: fname #/home/donoban/.local/share/applications#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.local/share/applications
Debug 456: new_name #/home/donoban/.local/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/icons
        expanded: /home/donoban/.local/share/icons
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.local/share/mime#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/mime
        expanded: /home/donoban/.local/share/mime
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.mime.types#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.mime.types
        expanded: /home/donoban/.mime.types
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.uim.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.uim.d
        expanded: /home/donoban/.uim.d
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.config/dconf#, whitelist
Debug 571: fname #/home/donoban/.config/dconf#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/dconf
Debug 456: new_name #/home/donoban/.cache/fontconfig#, whitelist
Debug 571: fname #/home/donoban/.cache/fontconfig#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.cache/fontconfig
Debug 456: new_name #/home/donoban/.config/fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/fontconfig
        expanded: /home/donoban/.config/fontconfig
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.fontconfig#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fontconfig
        expanded: /home/donoban/.fontconfig
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.fonts#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts
        expanded: /home/donoban/.fonts
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.fonts.conf#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf
        expanded: /home/donoban/.fonts.conf
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.fonts.conf.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf.d
        expanded: /home/donoban/.fonts.conf.d
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.fonts.d#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.d
        expanded: /home/donoban/.fonts.d
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.local/share/fonts#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/fonts
        expanded: /home/donoban/.local/share/fonts
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.pangorc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.pangorc
        expanded: /home/donoban/.pangorc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.config/gtk-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtk-2.0
        expanded: /home/donoban/.config/gtk-2.0
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.config/gtk-3.0#, whitelist
Debug 571: fname #/home/donoban/.config/gtk-3.0#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/gtk-3.0
Debug 456: new_name #/home/donoban/.config/gtk-4.0#, whitelist
Debug 571: fname #/home/donoban/.config/gtk-4.0#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/gtk-4.0
Debug 456: new_name #/home/donoban/.config/gtkrc#, whitelist
Debug 571: fname #/home/donoban/.config/gtkrc#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/gtkrc
Debug 456: new_name #/home/donoban/.config/gtkrc-2.0#, whitelist
Debug 571: fname #/home/donoban/.config/gtkrc-2.0#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/gtkrc-2.0
Debug 456: new_name #/home/donoban/.gnome2#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2
        expanded: /home/donoban/.gnome2
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.gnome2-private#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2-private
        expanded: /home/donoban/.gnome2-private
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.gtk-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtk-2.0
        expanded: /home/donoban/.gtk-2.0
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc
        expanded: /home/donoban/.gtkrc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.gtkrc-2.0#, whitelist
Debug 571: fname #/home/donoban/.gtkrc-2.0#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.gtkrc-2.0
Debug 456: new_name #/home/donoban/.kde/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc
        expanded: /home/donoban/.kde/share/config/gtkrc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc-2.0
        expanded: /home/donoban/.kde/share/config/gtkrc-2.0
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde4/share/config/gtkrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc
        expanded: /home/donoban/.kde4/share/config/gtkrc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde4/share/config/gtkrc-2.0#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
        expanded: /home/donoban/.kde4/share/config/gtkrc-2.0
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.local/share/themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/themes
        expanded: /home/donoban/.local/share/themes
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.themes#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.themes
        expanded: /home/donoban/.themes
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.cache/kioexec/krun#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/kioexec/krun
        expanded: /home/donoban/.cache/kioexec/krun
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.config/Kvantum#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Kvantum
        expanded: /home/donoban/.config/Kvantum
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.config/Trolltech.conf#, whitelist
Debug 571: fname #/home/donoban/.config/Trolltech.conf#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/Trolltech.conf
Debug 456: new_name #/home/donoban/.config/QtProject.conf#, whitelist
Debug 571: fname #/home/donoban/.config/QtProject.conf#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/QtProject.conf
Debug 456: new_name #/home/donoban/.config/kdeglobals#, whitelist
Debug 571: fname #/home/donoban/.config/kdeglobals#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/kdeglobals
Debug 456: new_name #/home/donoban/.config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kio_httprc
        expanded: /home/donoban/.config/kio_httprc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.config/kioslaverc#, whitelist
Debug 571: fname #/home/donoban/.config/kioslaverc#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.config/kioslaverc
Debug 456: new_name #/home/donoban/.config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ksslcablacklist
        expanded: /home/donoban/.config/ksslcablacklist
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.config/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/qt5ct
        expanded: /home/donoban/.config/qt5ct
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.config/qtcurve#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/qtcurve
        expanded: /home/donoban/.config/qtcurve
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde/share/config/kdeglobals#, whitelist
Debug 571: fname #/home/donoban/.kde/share/config/kdeglobals#, cfg.homedir #/home/donoban#
Replaced whitelist path: whitelist /home/donoban/.kde/share/config/kdeglobals
Debug 456: new_name #/home/donoban/.kde/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kio_httprc
        expanded: /home/donoban/.kde/share/config/kio_httprc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kioslaverc
        expanded: /home/donoban/.kde/share/config/kioslaverc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/ksslcablacklist
        expanded: /home/donoban/.kde/share/config/ksslcablacklist
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/oxygenrc
        expanded: /home/donoban/.kde/share/config/oxygenrc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/icons
        expanded: /home/donoban/.kde/share/icons
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde4/share/config/kdeglobals#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kdeglobals
        expanded: /home/donoban/.kde4/share/config/kdeglobals
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde4/share/config/kio_httprc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kio_httprc
        expanded: /home/donoban/.kde4/share/config/kio_httprc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde4/share/config/kioslaverc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kioslaverc
        expanded: /home/donoban/.kde4/share/config/kioslaverc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde4/share/config/ksslcablacklist#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/ksslcablacklist
        expanded: /home/donoban/.kde4/share/config/ksslcablacklist
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde4/share/config/oxygenrc#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/oxygenrc
        expanded: /home/donoban/.kde4/share/config/oxygenrc
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.kde4/share/icons#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/icons
        expanded: /home/donoban/.kde4/share/icons
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/home/donoban/.local/share/qt5ct#, whitelist
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/qt5ct
        expanded: /home/donoban/.local/share/qt5ct
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/var/lib/ca-certificates#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/ca-certificates
        expanded: /var/lib/ca-certificates
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/var/lib/dbus#, whitelist
Debug 456: new_name #/var/lib/menu-xdg#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg
        expanded: /var/lib/menu-xdg
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/var/lib/uim#, whitelist
Removed whitelist/nowhitelist path: whitelist /var/lib/uim
        expanded: /var/lib/uim
        real path: (null)
        realpath: No such file or directory
Debug 456: new_name #/var/cache/fontconfig#, whitelist
Debug 456: new_name #/var/tmp#, whitelist
Debug 456: new_name #/var/run#, whitelist
Replaced whitelist path: whitelist /run
Debug 456: new_name #/var/lock#, whitelist
Replaced whitelist path: whitelist /run/lock
Debug 456: new_name #/tmp/.X11-unix#, whitelist
Mounting tmpfs on /tmp directory
Mounting tmpfs on /var directory
Drop privileges: pid 13, uid 1000, gid 1000, nogroups 0
Warning: cleaning all supplementary groups
Mounting a new /root directory
Mounting a new /home directory
Create a new user directory
Drop privileges: pid 14, uid 1000, gid 1000, nogroups 0
Warning: cleaning all supplementary groups
Whitelisting /home/donoban/.electrum
1363 1362 0:23 /@HOME/donoban/.electrum /home/donoban/.electrum rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1363 fsname=/@HOME/donoban/.electrum dir=/home/donoban/.electrum fstype=btrfs
Whitelisting /home/donoban/.config/ibus
1364 1362 0:23 /@HOME/donoban/.config/ibus /home/donoban/.config/ibus rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1364 fsname=/@HOME/donoban/.config/ibus dir=/home/donoban/.config/ibus fstype=btrfs
Whitelisting /home/donoban/.config/mimeapps.list
1365 1362 0:23 /@HOME/donoban/.config/mimeapps.list /home/donoban/.config/mimeapps.list rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1365 fsname=/@HOME/donoban/.config/mimeapps.list dir=/home/donoban/.config/mimeapps.list fstype=btrfs
Whitelisting /home/donoban/.config/user-dirs.dirs
1366 1362 0:23 /@HOME/donoban/.config/user-dirs.dirs /home/donoban/.config/user-dirs.dirs rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1366 fsname=/@HOME/donoban/.config/user-dirs.dirs dir=/home/donoban/.config/user-dirs.dirs fstype=btrfs
Whitelisting /home/donoban/.config/user-dirs.locale
1367 1362 0:23 /@HOME/donoban/.config/user-dirs.locale /home/donoban/.config/user-dirs.locale rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1367 fsname=/@HOME/donoban/.config/user-dirs.locale dir=/home/donoban/.config/user-dirs.locale fstype=btrfs
Whitelisting /home/donoban/.local/share/applications
1368 1362 0:23 /@HOME/donoban/.local/share/applications /home/donoban/.local/share/applications rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1368 fsname=/@HOME/donoban/.local/share/applications dir=/home/donoban/.local/share/applications fstype=btrfs
Whitelisting /home/donoban/.config/dconf
1369 1362 0:23 /@HOME/donoban/.config/dconf /home/donoban/.config/dconf rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1369 fsname=/@HOME/donoban/.config/dconf dir=/home/donoban/.config/dconf fstype=btrfs
Whitelisting /home/donoban/.cache/fontconfig
1370 1362 0:23 /@HOME/donoban/.cache/fontconfig /home/donoban/.cache/fontconfig rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1370 fsname=/@HOME/donoban/.cache/fontconfig dir=/home/donoban/.cache/fontconfig fstype=btrfs
Whitelisting /home/donoban/.config/gtk-3.0
1371 1362 0:23 /@HOME/donoban/.config/gtk-3.0 /home/donoban/.config/gtk-3.0 rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1371 fsname=/@HOME/donoban/.config/gtk-3.0 dir=/home/donoban/.config/gtk-3.0 fstype=btrfs
Whitelisting /home/donoban/.config/gtk-4.0
1372 1362 0:23 /@HOME/donoban/.config/gtk-4.0 /home/donoban/.config/gtk-4.0 rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1372 fsname=/@HOME/donoban/.config/gtk-4.0 dir=/home/donoban/.config/gtk-4.0 fstype=btrfs
Whitelisting /home/donoban/.config/gtkrc
1373 1362 0:23 /@HOME/donoban/.config/gtkrc /home/donoban/.config/gtkrc rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1373 fsname=/@HOME/donoban/.config/gtkrc dir=/home/donoban/.config/gtkrc fstype=btrfs
Whitelisting /home/donoban/.config/gtkrc-2.0
1374 1362 0:23 /@HOME/donoban/.config/gtkrc-2.0 /home/donoban/.config/gtkrc-2.0 rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1374 fsname=/@HOME/donoban/.config/gtkrc-2.0 dir=/home/donoban/.config/gtkrc-2.0 fstype=btrfs
Whitelisting /home/donoban/.gtkrc-2.0
1375 1362 0:23 /@HOME/donoban/.gtkrc-2.0 /home/donoban/.gtkrc-2.0 rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1375 fsname=/@HOME/donoban/.gtkrc-2.0 dir=/home/donoban/.gtkrc-2.0 fstype=btrfs
Whitelisting /home/donoban/.config/Trolltech.conf
1376 1362 0:23 /@HOME/donoban/.config/Trolltech.conf /home/donoban/.config/Trolltech.conf rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1376 fsname=/@HOME/donoban/.config/Trolltech.conf dir=/home/donoban/.config/Trolltech.conf fstype=btrfs
Whitelisting /home/donoban/.config/QtProject.conf
1377 1362 0:23 /@HOME/donoban/.config/QtProject.conf /home/donoban/.config/QtProject.conf rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1377 fsname=/@HOME/donoban/.config/QtProject.conf dir=/home/donoban/.config/QtProject.conf fstype=btrfs
Whitelisting /home/donoban/.config/kdeglobals
1378 1362 0:23 /@HOME/donoban/.config/kdeglobals /home/donoban/.config/kdeglobals rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1378 fsname=/@HOME/donoban/.config/kdeglobals dir=/home/donoban/.config/kdeglobals fstype=btrfs
Whitelisting /home/donoban/.config/kioslaverc
1379 1362 0:23 /@HOME/donoban/.config/kioslaverc /home/donoban/.config/kioslaverc rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1379 fsname=/@HOME/donoban/.config/kioslaverc dir=/home/donoban/.config/kioslaverc fstype=btrfs
Whitelisting /home/donoban/.kde/share/config/kdeglobals
1380 1362 0:23 /@HOME/donoban/.kde/share/config/kdeglobals /home/donoban/.kde/share/config/kdeglobals rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1380 fsname=/@HOME/donoban/.kde/share/config/kdeglobals dir=/home/donoban/.kde/share/config/kdeglobals fstype=btrfs
Whitelisting /var/lib/dbus
1381 1358 0:23 /@ROOT/var/lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1381 fsname=/@ROOT/var/lib/dbus dir=/var/lib/dbus fstype=btrfs
Whitelisting /var/cache/fontconfig
1382 1358 0:23 /@ROOT/var/cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1382 fsname=/@ROOT/var/cache/fontconfig dir=/var/cache/fontconfig fstype=btrfs
Whitelisting /var/tmp
1383 1358 0:148 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64
mountid=1383 fsname=/ dir=/var/tmp fstype=tmpfs
Created symbolic link /var/run -> /run
Created symbolic link /var/lock -> /run/lock
Whitelisting /tmp/.X11-unix
1384 1344 0:23 /@ROOT/tmp/.X11-unix /tmp/.X11-unix rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1384 fsname=/@ROOT/tmp/.X11-unix dir=/tmp/.X11-unix fstype=btrfs
Mounting read-only /home/donoban/.Xauthority
1388 1362 0:162 /donoban/.Xauthority /home/donoban/.Xauthority ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1388 fsname=/donoban/.Xauthority dir=/home/donoban/.Xauthority fstype=tmpfs
Mounting read-only /home/donoban/.config/kdeglobals
1389 1378 0:23 /@HOME/donoban/.config/kdeglobals /home/donoban/.config/kdeglobals ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1389 fsname=/@HOME/donoban/.config/kdeglobals dir=/home/donoban/.config/kdeglobals fstype=btrfs
Mounting read-only /home/donoban/.config/kioslaverc
1390 1379 0:23 /@HOME/donoban/.config/kioslaverc /home/donoban/.config/kioslaverc ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1390 fsname=/@HOME/donoban/.config/kioslaverc dir=/home/donoban/.config/kioslaverc fstype=btrfs
Mounting read-only /home/donoban/.kde/share/config/kdeglobals
1391 1380 0:23 /@HOME/donoban/.kde/share/config/kdeglobals /home/donoban/.kde/share/config/kdeglobals ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1391 fsname=/@HOME/donoban/.kde/share/config/kdeglobals dir=/home/donoban/.kde/share/config/kdeglobals fstype=btrfs
Disable /run/user/1000/klauncherztrOYd.1.slave-socket
Disable /run/user/1000/kdeinit5__0
Mounting read-only /home/donoban/.config/dconf
1394 1369 0:23 /@HOME/donoban/.config/dconf /home/donoban/.config/dconf ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1394 fsname=/@HOME/donoban/.config/dconf dir=/home/donoban/.config/dconf fstype=btrfs
Disable /run/user/1000/systemd
Disable /run/user/1000/libvirt
Disable /run/docker.sock (requested /var/run/docker.sock)
Mounting read-only /home/donoban/.local/share/applications
1398 1368 0:23 /@HOME/donoban/.local/share/applications /home/donoban/.local/share/applications ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1398 fsname=/@HOME/donoban/.local/share/applications dir=/home/donoban/.local/share/applications fstype=btrfs
Mounting read-only /home/donoban/.config/mimeapps.list
1399 1365 0:23 /@HOME/donoban/.config/mimeapps.list /home/donoban/.config/mimeapps.list ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1399 fsname=/@HOME/donoban/.config/mimeapps.list dir=/home/donoban/.config/mimeapps.list fstype=btrfs
Mounting read-only /home/donoban/.config/user-dirs.dirs
1400 1366 0:23 /@HOME/donoban/.config/user-dirs.dirs /home/donoban/.config/user-dirs.dirs ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1400 fsname=/@HOME/donoban/.config/user-dirs.dirs dir=/home/donoban/.config/user-dirs.dirs fstype=btrfs
Mounting read-only /home/donoban/.config/user-dirs.locale
1401 1367 0:23 /@HOME/donoban/.config/user-dirs.locale /home/donoban/.config/user-dirs.locale ro,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1401 fsname=/@HOME/donoban/.config/user-dirs.locale dir=/home/donoban/.config/user-dirs.locale fstype=btrfs
Disable /sbin
Disable /usr/sbin
Not blacklist /usr/local/bin/busybox
Not blacklist /usr/bin/busybox
Not blacklist /bin/busybox
Not blacklist /usr/local/sbin/busybox
Not blacklist /usr/sbin/busybox
Not blacklist /sbin/busybox
Not blacklist /usr/local/bin/crontab
Not blacklist /usr/bin/crontab
Not blacklist /bin/crontab
Not blacklist /usr/local/sbin/crontab
Not blacklist /usr/sbin/crontab
Not blacklist /sbin/crontab
Not blacklist /usr/local/bin/mount
Not blacklist /usr/bin/mount
Not blacklist /bin/mount
Not blacklist /usr/local/sbin/mount
Not blacklist /usr/sbin/mount
Not blacklist /sbin/mount
Not blacklist /usr/local/bin/nc
Not blacklist /usr/bin/nc
Not blacklist /bin/nc
Not blacklist /usr/local/sbin/nc
Not blacklist /usr/sbin/nc
Not blacklist /sbin/nc
Not blacklist /usr/local/bin/su
Not blacklist /usr/bin/su
Not blacklist /bin/su
Not blacklist /usr/local/sbin/su
Not blacklist /usr/sbin/su
Not blacklist /sbin/su
Not blacklist /usr/local/bin/sudo
Not blacklist /usr/bin/sudo
Not blacklist /bin/sudo
Not blacklist /usr/local/sbin/sudo
Not blacklist /usr/sbin/sudo
Not blacklist /sbin/sudo
Not blacklist /usr/local/bin/umount
Not blacklist /usr/bin/umount
Not blacklist /bin/umount
Not blacklist /usr/local/sbin/umount
Not blacklist /usr/sbin/umount
Not blacklist /sbin/umount
Disable /.snapshots
Disable /run/user/1000/app
Warning: /run/user/1000/doc does not exist, skipping...
Disable /run/user/1000/.dbus-proxy
Disable /run/user/1000/.flatpak
Disable /run/user/1000/.flatpak-helper
Disable /usr/share/flatpak
Disable /run/user/1000/pipewire-0.lock
Disable /usr/include
Mounting noexec /home/donoban/.electrum
1412 1363 0:23 /@HOME/donoban/.electrum /home/donoban/.electrum rw,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1412 fsname=/@HOME/donoban/.electrum dir=/home/donoban/.electrum fstype=btrfs
Mounting noexec /home/donoban/.config/ibus
1413 1364 0:23 /@HOME/donoban/.config/ibus /home/donoban/.config/ibus rw,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1413 fsname=/@HOME/donoban/.config/ibus dir=/home/donoban/.config/ibus fstype=btrfs
Mounting noexec /home/donoban/.config/mimeapps.list
1414 1399 0:23 /@HOME/donoban/.config/mimeapps.list /home/donoban/.config/mimeapps.list ro,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1414 fsname=/@HOME/donoban/.config/mimeapps.list dir=/home/donoban/.config/mimeapps.list fstype=btrfs
Mounting noexec /home/donoban/.config/user-dirs.dirs
1415 1400 0:23 /@HOME/donoban/.config/user-dirs.dirs /home/donoban/.config/user-dirs.dirs ro,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1415 fsname=/@HOME/donoban/.config/user-dirs.dirs dir=/home/donoban/.config/user-dirs.dirs fstype=btrfs
Mounting noexec /home/donoban/.config/user-dirs.locale
1416 1401 0:23 /@HOME/donoban/.config/user-dirs.locale /home/donoban/.config/user-dirs.locale ro,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1416 fsname=/@HOME/donoban/.config/user-dirs.locale dir=/home/donoban/.config/user-dirs.locale fstype=btrfs
Mounting noexec /home/donoban/.local/share/applications
1417 1398 0:23 /@HOME/donoban/.local/share/applications /home/donoban/.local/share/applications ro,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1417 fsname=/@HOME/donoban/.local/share/applications dir=/home/donoban/.local/share/applications fstype=btrfs
Mounting noexec /home/donoban/.config/dconf
1418 1394 0:23 /@HOME/donoban/.config/dconf /home/donoban/.config/dconf ro,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1418 fsname=/@HOME/donoban/.config/dconf dir=/home/donoban/.config/dconf fstype=btrfs
Mounting noexec /home/donoban/.cache/fontconfig
1419 1370 0:23 /@HOME/donoban/.cache/fontconfig /home/donoban/.cache/fontconfig rw,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1419 fsname=/@HOME/donoban/.cache/fontconfig dir=/home/donoban/.cache/fontconfig fstype=btrfs
Mounting noexec /home/donoban/.config/gtk-3.0
1420 1371 0:23 /@HOME/donoban/.config/gtk-3.0 /home/donoban/.config/gtk-3.0 rw,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1420 fsname=/@HOME/donoban/.config/gtk-3.0 dir=/home/donoban/.config/gtk-3.0 fstype=btrfs
Mounting noexec /home/donoban/.config/gtk-4.0
1421 1372 0:23 /@HOME/donoban/.config/gtk-4.0 /home/donoban/.config/gtk-4.0 rw,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1421 fsname=/@HOME/donoban/.config/gtk-4.0 dir=/home/donoban/.config/gtk-4.0 fstype=btrfs
Mounting noexec /home/donoban/.config/gtkrc
1422 1373 0:23 /@HOME/donoban/.config/gtkrc /home/donoban/.config/gtkrc rw,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1422 fsname=/@HOME/donoban/.config/gtkrc dir=/home/donoban/.config/gtkrc fstype=btrfs
Mounting noexec /home/donoban/.config/gtkrc-2.0
1423 1374 0:23 /@HOME/donoban/.config/gtkrc-2.0 /home/donoban/.config/gtkrc-2.0 rw,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1423 fsname=/@HOME/donoban/.config/gtkrc-2.0 dir=/home/donoban/.config/gtkrc-2.0 fstype=btrfs
Mounting noexec /home/donoban/.gtkrc-2.0
1424 1375 0:23 /@HOME/donoban/.gtkrc-2.0 /home/donoban/.gtkrc-2.0 rw,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1424 fsname=/@HOME/donoban/.gtkrc-2.0 dir=/home/donoban/.gtkrc-2.0 fstype=btrfs
Mounting noexec /home/donoban/.config/Trolltech.conf
1425 1376 0:23 /@HOME/donoban/.config/Trolltech.conf /home/donoban/.config/Trolltech.conf rw,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1425 fsname=/@HOME/donoban/.config/Trolltech.conf dir=/home/donoban/.config/Trolltech.conf fstype=btrfs
Mounting noexec /home/donoban/.config/QtProject.conf
1426 1377 0:23 /@HOME/donoban/.config/QtProject.conf /home/donoban/.config/QtProject.conf rw,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1426 fsname=/@HOME/donoban/.config/QtProject.conf dir=/home/donoban/.config/QtProject.conf fstype=btrfs
Mounting noexec /home/donoban/.config/kdeglobals
1427 1389 0:23 /@HOME/donoban/.config/kdeglobals /home/donoban/.config/kdeglobals ro,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1427 fsname=/@HOME/donoban/.config/kdeglobals dir=/home/donoban/.config/kdeglobals fstype=btrfs
Mounting noexec /home/donoban/.config/kioslaverc
1428 1390 0:23 /@HOME/donoban/.config/kioslaverc /home/donoban/.config/kioslaverc ro,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1428 fsname=/@HOME/donoban/.config/kioslaverc dir=/home/donoban/.config/kioslaverc fstype=btrfs
Mounting noexec /home/donoban/.kde/share/config/kdeglobals
1429 1391 0:23 /@HOME/donoban/.kde/share/config/kdeglobals /home/donoban/.kde/share/config/kdeglobals ro,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=257,subvol=/@HOME
mountid=1429 fsname=/@HOME/donoban/.kde/share/config/kdeglobals dir=/home/donoban/.kde/share/config/kdeglobals fstype=btrfs
Mounting noexec /run/user/1000
1442 1430 0:26 /firejail/firejail.ro.file /run/user/1000/pipewire-0.lock rw,nosuid,nodev - tmpfs tmpfs rw,size=6520484k,nr_inodes=819200,mode=755,inode64
mountid=1442 fsname=/firejail/firejail.ro.file dir=/run/user/1000/pipewire-0.lock fstype=tmpfs
Warning: not remounting /run/user/1000/doc
Mounting noexec /dev/shm
1443 1326 0:155 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1443 fsname=/shm dir=/dev/shm fstype=tmpfs
Mounting noexec /tmp
1445 1444 0:23 /@ROOT/tmp/.X11-unix /tmp/.X11-unix rw,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1445 fsname=/@ROOT/tmp/.X11-unix dir=/tmp/.X11-unix fstype=btrfs
Mounting noexec /tmp/.X11-unix
1446 1445 0:23 /@ROOT/tmp/.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,relatime - btrfs /dev/mapper/root rw,compress=zstd:3,ssd,space_cache,subvolid=256,subvol=/@ROOT
mountid=1446 fsname=/@ROOT/tmp/.X11-unix dir=/tmp/.X11-unix fstype=btrfs
Mounting noexec /var
1450 1447 0:148 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64
mountid=1450 fsname=/ dir=/var/tmp fstype=tmpfs
Disable /usr/lib/lua5.3/liblua-5.3.so.0.0.0 (requested /usr/lib/liblua-5.3.so.0)
Disable /usr/lib/lua5.3/liblua-5.3.so.0.0.0 (requested /usr/lib/liblua-5.3.so.0.0.0)
Disable /usr/lib/perl5
Disable /usr/share/perl5
Not blacklist /usr/local/bin/python2*
Not blacklist /usr/bin/python2*
Not blacklist /bin/python2*
Not blacklist /usr/local/sbin/python2*
Not blacklist /usr/sbin/python2*
Not blacklist /sbin/python2*
Not blacklist /usr/include/python2*
Not blacklist /usr/lib/python2*
Not blacklist /usr/local/lib/python2*
Not blacklist /usr/share/python2*
Not blacklist /usr/local/bin/python3
Not blacklist /usr/local/bin/python3.9
Not blacklist /usr/bin/python3
Not blacklist /usr/bin/python3.9
Not blacklist /bin/python3
Not blacklist /bin/python3.9
Not blacklist /usr/local/sbin/python3*
Not blacklist /usr/sbin/python3*
Not blacklist /sbin/python3*
Not blacklist /usr/include/python3*
Not blacklist /usr/lib/python3.9
Not blacklist /usr/lib64/python3*
Not blacklist /usr/local/lib/python3*
Not blacklist /usr/share/python3*
Not blacklist /home/donoban/.electrum
Mounting tmpfs on /home/donoban/.cache, check owner: yes
Error mounting tmpfs: fs.c:479 fs_tmpfs: Invalid argument
Error: proc 28878 cannot sync with peer: unexpected EOF
Peer 28879 unexpectedly exited with status 1
localhost:~/electrum$
@smitsohu
Copy link
Collaborator

smitsohu commented May 2, 2021
edited
Loading

The value of UTMP_FILE is /dev/null/utmp

This is musl, which doesn't support utmp out of the box.

The question is if Alpine has or you have a utmp file somewhere in the system, possibly in a non-default location.

If there is no utmp file, it is safe to just ignore the warning.

If there is a utmp file, and in a stable location, we can add the path to fs_var.c

@smitsohu
Copy link
Collaborator

smitsohu commented May 2, 2021

We should certainly update the warning so there is no mismatch with the actually checked path.

@smitsohu
Copy link
Collaborator

smitsohu commented May 2, 2021

The question is if Alpine has or you have a utmp file somewhere in the system, possibly in a non-default location.

A cursory search reveals there is a package utmps-openrc, but I'm not clear about the default utmp path

@donob4n
Copy link
Author

donob4n commented May 12, 2021

Thanks for checking but since alpine removed firejail package due enforcing policy against suid files I will close this issue.

@donob4n donob4n closed this as completed May 12, 2021
@smitsohu
Copy link
Collaborator

Error was fixed in ef4b0de

@kmk3
Copy link
Collaborator

kmk3 commented May 16, 2021

@donob4n commented 4 days ago:

Thanks for checking but since alpine removed firejail package due enforcing
policy against suid files I will close this issue.

That's unfortunate; AFAIK it can be built without being SUID. Links from
Alpine for reference:

@rusty-snake
Copy link
Collaborator

rusty-snake commented May 16, 2021
edited
Loading

AFAIK it can be built without being SUID

There is a ./configure --disable-suid. Anyway you need to chmod u+s later by hand. See #1846. (Related: #4273)

At the same time, the security record of firejail is quite poor, there have been numerous CVEs.

Well, if you look at the security records of firefox or linux ... Comparing the number of CVEs is IMHO not a good fact base. (Although the point raised is not entirely unjustified).

Additionally, the user who discussed firejail noted that many default profiles are broken anyway.

What kind of broken? According to my observation, the most profiles (especially those of much used software (= much tested)) work fine (if you use the latest firejail version ¹). "Broken things" like restricted file system access is intentional.

¹ if a program gets an update that requires an adjustment of it's profile, end-users get this fix with the next firejail-release which can take month. That's something to improve.

Given the fact that it is built SUID and executes arbitrary programs, any violation of the sandbox is potentially a privilege escalation directly to root.

Setting force-nonewprivs yes in firejail.config is a good mitigation and can be set by distributors too. But in the end it depends on the threat model.

For single-user desktops a user-to-root exploit which requires that an attacker can execute any command as user is rather harmless. A spyware does not need to be root to get the passwords you enter in firefox. Your important documents/pictures/videos can be encrypted by ransomware with user right. Yes, as root it could encrypt your full disk, that's annoying, but you can reinstall your OS. And being part of a botnet work with user right too.

For multi-user systems (where users do not (fully) trust each other) a user-to-root(-to-other-user) is one of the worst things you can thing off. And for servers there are better sandboxing solutions (systemd's native features for example, https://gist.github.com/rusty-snake/c6d773fc27ddde9071461e0fe4010610).

TBH a real world damage by firejail is unlikely as it is installed on to few systems. A malware targeting the mass of users would exploit systemd/the kernel/... to get root, against a targeted attack by a highly skilled attacker you are helpless anyway (or your system is unuseable). And the biggest security hole is still sitting in front of the computer.

Update: Some discussion on firejail's security #3046 #3849 (comment) #3527 #3082.

Without a plan to […] fix the broken profiles.

Always work but never finish 😉 . That's an never ending task.

I would prefer to see this package excluded from 3.14 release.

Sad but that's the way it is.

Shipping "security" tools which are based on an insecure design is extremely flawed conceptually.

👍

An alternative that would be acceptable is bubblejail

I follow the development of bubblejail since I discovered it and it is the best alternative to firejail I know. It currently does not have the development power in the background like firejail and far less profiles (7 and one generic). Therefore you need to write the most profiles for the programs you use by yourself, however it has a somewat declarative syntax (firejail's syntax is more imperative) and a GUI. Personally (as GNOME user) I don't like the Qt-GUI, but that is a matter of personal preference. In addition it has support for xdg-dbus-proxy and uses libseccomp. That's what makes it an alternative to firejail in contrast to self-hacked bubblewrap wrappers that come up in every "firejail is insecure" discussion.

@kmk3
Copy link
Collaborator

kmk3 commented May 22, 2021

@rusty-snake Thanks for the very detailed response (and thanks @donob4n for
bringing it up). I plan on creating a thread later to better understand what
happened (and to avoid spamming in here) and possibly come up with action
items. Are GitHub Discussions adequate for potentially long threads or should
it just be an issue?

@rusty-snake rusty-snake mentioned this issue Feb 13, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@smitsohu @donob4n @kmk3 @rusty-snake