Seccomp list output goes to stdout instead of stderr #4328

Closed
7 tasks done
slowpeek opened this issue Jun 3, 2021 · 2 comments
Labels
bug Something isn't working

Comments

@slowpeek
Contributor

slowpeek commented Jun 3, 2021

Bug and expected behavior

  • Some firejail output goes to stdout instead of stderr.

Reproduce
Steps to reproduce the behavior:

  1. Run and see
    firejail --seccomp=\!name_to_handle_at pwd 2>/dev/null
    Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
    Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
    /etc/firejail
    
    It is not an artificial example btw. The seccomp filter comes from keepassxc profile inherited by keepassxc-cli hence the above lines are prepended to keepassxc-cli exported xml. FIREJAIL_QUIET=yes does suppress the lines but those are definitely debug information, it should not pollute stdout by default.

Environment

  • ubuntu focal
  • 0.9.64.4

Additional context
Source reference:

firejail/src/lib/syscall.c

Lines 1675 to 1695 in c50dd74

    void syscalls_in_list(const char *list, const char *slist, int fd, char **prelist, char **postlist, bool native) {
        (void) fd;
        SyscallCheckList sl;
        // these syscalls are used by firejail after the seccomp filter is initialized
        sl.slist = slist;
        sl.prelist = NULL;
        sl.postlist = NULL;
        syscall_check_list(list, syscall_in_list, 0, 0, &sl, native);
        if (!arg_quiet) {
            printf("Seccomp list in: %s,", list);
            if (sl.slist)
                printf(" check list: %s,", sl.slist);
            if (sl.prelist)
                printf(" prelist: %s,", sl.prelist);
            if (sl.postlist)
                printf(" postlist: %s", sl.postlist);
            printf("\n");
        }
        *prelist = sl.prelist;
        *postlist = sl.postlist;
    }

Checklist

  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • If it is a AppImage, --profile=PROFILENAME is used to set the right profile.
  • Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get english error-messages.
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.
@rusty-snake
Collaborator

  1. IMHO we should print these messages only with arg_debug. Normal users likely don't even know what all that seccomp is.
  2. For stdout vs. stderr we have "Where to print debug messages (stdout or stderr)?" #3749 / "Rework quiet, debug and normal console output" #4275

@netblue30
Owner

I'm sending them to stderr for now, we'll have to rework it for #3749 and #4275.
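
Added example, not part of the thread and not firejail's code: a self-contained C sketch of why the stream matters for anything that consumes a sandboxed program's stdout. `report_seccomp_list` and `capture_stdout` are hypothetical names and the XML line is a constructed payload; the program captures what a stdout consumer receives when the diagnostic goes to stdout versus stderr.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for the diagnostic printed in syscalls_in_list();
 * the stream is a parameter so both behaviours can be compared. */
static void report_seccomp_list(FILE *out, const char *list, const char *slist,
                                const char *prelist, const char *postlist) {
    fprintf(out, "Seccomp list in: %s,", list);
    if (slist) fprintf(out, " check list: %s,", slist);
    if (prelist) fprintf(out, " prelist: %s,", prelist);
    if (postlist) fprintf(out, " postlist: %s", postlist);
    fputc('\n', out);
}

/* Emit the diagnostic plus a constructed payload while fd 1 is redirected
 * into a pipe, then return the bytes a consumer of stdout would have read. */
static int capture_stdout(int diag_to_stderr, char *buf, size_t cap) {
    int p[2];
    if (pipe(p) != 0) return -1;
    fflush(stdout);
    int saved = dup(STDOUT_FILENO);
    if (saved < 0) { close(p[0]); close(p[1]); return -1; }
    dup2(p[1], STDOUT_FILENO);            /* fd 1 now feeds the pipe */
    close(p[1]);

    report_seccomp_list(diag_to_stderr ? stderr : stdout,
                        "!name_to_handle_at", "@default-keep", "unknown", NULL);
    printf("<?xml version=\"1.0\"?>\n"); /* constructed payload */
    fflush(stdout);

    dup2(saved, STDOUT_FILENO);           /* restore the real stdout */
    close(saved);
    ssize_t n = read(p[0], buf, cap - 1);
    close(p[0]);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

int main(void) {
    char buf[512];
    for (int to_stderr = 0; to_stderr <= 1; to_stderr++) {
        capture_stdout(to_stderr, buf, sizeof buf);
        fprintf(stderr, "--- diagnostic on %s, stdout carried:\n%s",
                to_stderr ? "stderr" : "stdout", buf);
    }
    return 0;
}
```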

@kmk3 kmk3 changed the title Some firejail output goes to stdout instead of stderr Seccomp list output goes to stdout instead of stderr Jan 21, 2022
@kmk3 kmk3 added the bug Something isn't working label Jan 21, 2022
kmk3 added a commit to kmk3/firejail that referenced this issue Jan 26, 2022
Note: They are added in the order that the issues were fixed/closed.

Note2: The issues were found through the following url:

https://github.com/netblue30/firejail/issues?q=is%3Aclosed+label%3Abug+-label%3Asecurity+closed%3A%3E2021-06-29+

The date used is the release date of 0.9.66, so in theory the query
should return every bug closed after that.  Security-related issues are
excluded because they will be added separately.

Note3: All issues other than netblue30#4328 were fixed before 0.9.68rc1.

Relates to netblue30#2758 netblue30#4235 netblue30#4328 netblue30#4387 netblue30#4395 netblue30#4460 netblue30#4467 netblue30#4558 netblue30#4560 netblue30#4586.
Projects
Status: Done (on RELNOTES)