
vscode: crashes without seccomp !chroot #4408

Closed
7 tasks done
mariodsantana opened this issue Jul 17, 2021 · 1 comment

mariodsantana commented Jul 17, 2021

Recently, VS Code stopped working for me. I fixed it by adding seccomp !chroot to code.local.

Bug and expected behavior

  • Describe the bug.
    code fails with an error that references sys_chroot
  • What did you expect to happen?
    code runs like normal

No profile and disabling firejail

  • What changed calling firejail --noprofile /path/to/program in a terminal?
    it runs
  • What changed calling the program by path (e.g. /usr/bin/vlc)?
    it runs

Reproduce
Steps to reproduce the behavior:

  1. Run in bash firejail code
  2. See error Check failed: sys_chroot("/proc/self/fdinfo/") == 0

Environment

  • Linux distribution and version (i.e. output of lsb_release -a, screenfetch or cat /etc/os-release)
    Arch
  • Firejail version (output of firejail --version) or the git commit used (git rev-parse HEAD)
> firejail --version
firejail version 0.9.66

Compile time support:
  - always force nonewprivs support is disabled
  - AppArmor support is enabled
  - AppImage support is enabled
  - chroot support is enabled
  - D-BUS proxy support is enabled
  - file and directory whitelisting support is enabled
  - file transfer support is enabled
  - firetunnel support is enabled
  - networking support is enabled
  - output logging is enabled
  - overlayfs support is disabled
  - private-home support is enabled
  - private-cache and tmpfs as user enabled
  - SELinux support is disabled
  - user namespace support is enabled
  - X11 sandboxing support is enabled

Additional context
Other context about the problem, such as related errors, that helps to understand it.

Checklist

  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • If it is an AppImage, --profile=PROFILENAME is used to set the right profile.
  • Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get English error messages.
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.
debug output
$ firejail --debug code --verbose

Reading profile /etc/firejail/code.profile
Autoselecting /usr/bin/fish as shell
Building quoted command line: 'code' '--verbose' 
Command name #code#
Found code.profile profile in /etc/firejail directory
Reading profile /etc/firejail/code.local
Found code.local profile in /etc/firejail directory
Reading profile /etc/firejail/allow-common-devel.inc
Found allow-common-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.local
Found disable-common.local profile in /etc/firejail directory
Reading profile /etc/firejail/disable-passwdmgr.inc
Found disable-passwdmgr.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found disable-programs.inc profile in /etc/firejail directory
[profile] combined protocol list: "unix,inet,inet6,netlink"
DISPLAY=:0 parsed as 0
Parent pid 42847, child pid 42850
Using the local network stack
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp/seccomp.protocol 
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
5351 682 254:0 /etc /etc ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5351 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
5352 5351 254:0 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5352 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
5353 682 254:0 /var /var ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5353 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
5354 5353 254:0 /var /var ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5354 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
5355 682 254:0 /usr /usr ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5355 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/mario/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/dri directory
Process /dev/shm directory
Generate private-tmp whitelist commands
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules/5.12.15-arch1-1/build (requested /usr/src/linux)
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Debug 553: whitelist /tmp/.X11-unix
Debug 574: expanded: /tmp/.X11-unix
Debug 585: new_name: /tmp/.X11-unix
Debug 599: dir: /tmp
Adding whitelist top level directory /tmp
Mounting tmpfs on /tmp, check owner: no
5403 5048 0:191 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw,inode64
mountid=5403 fsname=/ dir=/tmp fstype=tmpfs
Debug 735: file: /tmp/.X11-unix; dirfd: 4; topdir: /tmp; rel: .X11-unix
Whitelisting /tmp/.X11-unix
5404 5403 0:36 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev master:22 - tmpfs tmpfs rw,size=16247096k,nr_inodes=409600,inode64
mountid=5404 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Not blacklist /home/mario/src
Disable /home/mario/imm
Disable /home/mario/ifs
Disable /home/mario/vmware
Disable /home/mario/clients
Disable /home/mario/ctas
Disable /home/mario/innuendo
Disable /home/mario/mace
Disable /home/mario/ss
Disable /home/mario/.node_repl_history
Disable /home/mario/.bash_history
Disable /home/mario/.sqlite_history
Not blacklist /home/mario/.python_history
Disable /home/mario/.local/share/fish/fish_history
Not blacklist /home/mario/.python-history
Not blacklist /home/mario/.python_history
Not blacklist /home/mario/.pythonhist
Disable /home/mario/.lesshst
Disable /home/mario/.viminfo
Disable /home/mario/.config/autostart
Disable /home/mario/.config/awesome
Disable /home/mario/.config/sway
Disable /home/mario/.xinitrc
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Mounting read-only /home/mario/.Xauthority
5425 5362 254:0 /home/mario/.Xauthority /home/mario/.Xauthority ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5425 fsname=/home/mario/.Xauthority dir=/home/mario/.Xauthority fstype=ext4
Disable /home/mario/.config/kwalletrc
Mounting read-only /home/mario/.cache/ksycoca5_en_g4965Ldiwvwf32EOw9aUGqGbtfM=
5427 5362 254:0 /home/mario/.cache/ksycoca5_en_g4965Ldiwvwf32EOw9aUGqGbtfM= /home/mario/.cache/ksycoca5_en_g4965Ldiwvwf32EOw9aUGqGbtfM= ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5427 fsname=/home/mario/.cache/ksycoca5_en_g4965Ldiwvwf32EOw9aUGqGbtfM= dir=/home/mario/.cache/ksycoca5_en_g4965Ldiwvwf32EOw9aUGqGbtfM= fstype=ext4
Mounting read-only /home/mario/.config/kdeglobals
5428 5362 254:0 /home/mario/.config/kdeglobals /home/mario/.config/kdeglobals ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5428 fsname=/home/mario/.config/kdeglobals dir=/home/mario/.config/kdeglobals fstype=ext4
Mounting read-only /home/mario/.config/dconf
5429 5362 254:0 /home/mario/.config/dconf /home/mario/.config/dconf ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5429 fsname=/home/mario/.config/dconf dir=/home/mario/.config/dconf fstype=ext4
Disable /home/mario/.config/systemd
Disable /var/lib/systemd
Disable /usr/bin/systemd-run
Disable /run/user/1000/systemd
Disable /home/mario/.config/VirtualBox
Disable /home/mario/VirtualBox VMs
Disable /home/mario/.cache/libvirt
Disable /var/cache/libvirt
Disable /var/lib/libvirt
Disable /var/log/libvirt
Disable /var/cache/pacman
Disable /var/lib/clamav
Disable /var/lib/dkms
Disable /var/lib/pacman
Disable /var/lib/upower
Disable /var/spool/mail (requested /var/mail)
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /run/docker.sock (requested /var/run/docker.sock)
Disable /var/spool/cron
Disable /var/spool/mail
Disable /etc/cron.hourly
Disable /etc/cron.deny
Disable /etc/crontab
Disable /etc/cron.monthly
Disable /etc/cron.weekly
Disable /etc/cron.daily
Disable /etc/cron.d
Disable /etc/profile.d
Disable /etc/kernel
Disable /etc/grub.d
Disable /etc/dkms
Disable /etc/apparmor.d
Disable /etc/apparmor
Disable /etc/modules-load.d
Disable /etc/logrotate.d
Mounting read-only /home/mario/.bash_logout
5466 5362 254:0 /home/mario/.bash_logout /home/mario/.bash_logout ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5466 fsname=/home/mario/.bash_logout dir=/home/mario/.bash_logout fstype=ext4
Mounting read-only /home/mario/.bash_profile
5467 5362 254:0 /home/mario/.bash_profile /home/mario/.bash_profile ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5467 fsname=/home/mario/.bash_profile dir=/home/mario/.bash_profile fstype=ext4
Mounting read-only /home/mario/.bashrc
5468 5362 254:0 /home/mario/.bashrc /home/mario/.bashrc ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5468 fsname=/home/mario/.bashrc dir=/home/mario/.bashrc fstype=ext4
Mounting read-only /home/mario/.config/fish
5469 5362 254:0 /home/mario/.config/fish /home/mario/.config/fish ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5469 fsname=/home/mario/.config/fish dir=/home/mario/.config/fish fstype=ext4
Mounting read-only /home/mario/.local/share/fish
5471 5470 0:25 /firejail/firejail.ro.file /home/mario/.local/share/fish/fish_history rw,nosuid,nodev master:11 - tmpfs tmpfs rw,size=6498840k,nr_inodes=819200,mode=755,inode64
mountid=5471 fsname=/firejail/firejail.ro.file dir=/home/mario/.local/share/fish/fish_history fstype=tmpfs
Disable /home/mario/.ssh/authorized_keys
Mounting read-only /home/mario/.ssh/config
5473 5362 254:0 /home/mario/.ssh/config /home/mario/.ssh/config ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5473 fsname=/home/mario/.ssh/config dir=/home/mario/.ssh/config fstype=ext4
Mounting read-only /home/mario/.emacs
5474 5362 254:0 /home/mario/.emacs /home/mario/.emacs ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5474 fsname=/home/mario/.emacs dir=/home/mario/.emacs fstype=ext4
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Mounting read-only /home/mario/.emacs.d
5475 5362 254:0 /home/mario/.emacs.d /home/mario/.emacs.d ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5475 fsname=/home/mario/.emacs.d dir=/home/mario/.emacs.d fstype=ext4
Mounting read-only /home/mario/.mailcap
5476 5362 254:0 /home/mario/.mailcap /home/mario/.mailcap ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5476 fsname=/home/mario/.mailcap dir=/home/mario/.mailcap fstype=ext4
Mounting read-only /home/mario/.tmux.conf
5477 5362 254:0 /home/mario/.tmux.conf /home/mario/.tmux.conf ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5477 fsname=/home/mario/.tmux.conf dir=/home/mario/.tmux.conf fstype=ext4
Mounting read-only /home/mario/.vim
5478 5362 254:0 /home/mario/.vim /home/mario/.vim ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5478 fsname=/home/mario/.vim dir=/home/mario/.vim fstype=ext4
Mounting read-only /home/mario/.viminfo
5479 5418 0:25 /firejail/firejail.ro.file /home/mario/.viminfo ro,nosuid,nodev master:11 - tmpfs tmpfs rw,size=6498840k,nr_inodes=819200,mode=755,inode64
mountid=5479 fsname=/firejail/firejail.ro.file dir=/home/mario/.viminfo fstype=tmpfs
Mounting read-only /home/mario/.vimrc
5480 5362 254:0 /home/mario/.vimrc /home/mario/.vimrc ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5480 fsname=/home/mario/.vimrc dir=/home/mario/.vimrc fstype=ext4
Mounting read-only /home/mario/.rustup
5481 5362 254:0 /home/mario/.rustup /home/mario/.rustup ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5481 fsname=/home/mario/.rustup dir=/home/mario/.rustup fstype=ext4
Mounting read-only /home/mario/.config/menus
5482 5362 254:0 /home/mario/.config/menus /home/mario/.config/menus ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5482 fsname=/home/mario/.config/menus dir=/home/mario/.config/menus fstype=ext4
Mounting read-only /home/mario/.gnome/apps
5483 5362 254:0 /home/mario/.gnome/apps /home/mario/.gnome/apps ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5483 fsname=/home/mario/.gnome/apps dir=/home/mario/.gnome/apps fstype=ext4
Mounting read-only /home/mario/.local/share/applications
5484 5362 254:0 /home/mario/.local/share/applications /home/mario/.local/share/applications ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5484 fsname=/home/mario/.local/share/applications dir=/home/mario/.local/share/applications fstype=ext4
Mounting read-only /home/mario/.config/mimeapps.list
5485 5362 254:0 /home/mario/.config/mimeapps.list /home/mario/.config/mimeapps.list ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5485 fsname=/home/mario/.config/mimeapps.list dir=/home/mario/.config/mimeapps.list fstype=ext4
Mounting read-only /home/mario/.config/user-dirs.dirs
5486 5362 254:0 /home/mario/.config/user-dirs.dirs /home/mario/.config/user-dirs.dirs ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5486 fsname=/home/mario/.config/user-dirs.dirs dir=/home/mario/.config/user-dirs.dirs fstype=ext4
Mounting read-only /home/mario/.config/user-dirs.locale
5487 5362 254:0 /home/mario/.config/user-dirs.locale /home/mario/.config/user-dirs.locale ro,relatime master:1 - ext4 /dev/mapper/crypt_root rw
mountid=5487 fsname=/home/mario/.config/user-dirs.locale dir=/home/mario/.config/user-dirs.locale fstype=ext4
Not blacklist /home/mario/.cargo/credentials
Not blacklist /home/mario/.cargo/credentials.toml
Disable /home/mario/.cert
Disable /home/mario/.config/keybase
Disable /home/mario/.davfs2/secrets
Not blacklist /home/mario/.git-credentials
Disable /home/mario/.gnupg
Disable /home/mario/.local/share/kwalletd
Disable /home/mario/.pki
Disable /home/mario/.local/share/pki
Disable /home/mario/.ssh
Disable /etc/davfs2/secrets
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Warning (blacklisting): cannot open /etc/ssh/*: Permission denied
Disable /home/mario/.aws
Disable /home/mario/.config/gcloud
Disable /usr/local/sbin
Warning (blacklisting): cannot open /usr/local/sbin/at: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/busybox: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/chage: Permission denied
Disable /usr/bin/chage
Warning (blacklisting): cannot open /usr/local/sbin/chfn: Permission denied
Disable /usr/bin/chfn
Warning (blacklisting): cannot open /usr/local/sbin/chsh: Permission denied
Disable /usr/bin/chsh
Warning (blacklisting): cannot open /usr/local/sbin/crontab: Permission denied
Disable /usr/bin/crontab
Warning (blacklisting): cannot open /usr/local/sbin/evtest: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/expiry: Permission denied
Disable /usr/bin/expiry
Warning (blacklisting): cannot open /usr/local/sbin/fusermount: Permission denied
Disable /usr/bin/fusermount
Warning (blacklisting): cannot open /usr/local/sbin/gksu: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gksudo: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gpasswd: Permission denied
Disable /usr/bin/gpasswd
Warning (blacklisting): cannot open /usr/local/sbin/kdesudo: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ksu: Permission denied
Disable /usr/bin/ksu
Warning (blacklisting): cannot open /usr/local/sbin/mount: Permission denied
Disable /usr/bin/mount
Warning (blacklisting): cannot open /usr/local/sbin/mount.ecryptfs_private: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/nc: Permission denied
Disable /usr/bin/nc
Warning (blacklisting): cannot open /usr/local/sbin/ncat: Permission denied
Disable /usr/bin/ncat
Warning (blacklisting): cannot open /usr/local/sbin/nmap: Permission denied
Disable /usr/bin/nmap
Warning (blacklisting): cannot open /usr/local/sbin/newgidmap: Permission denied
Disable /usr/bin/newgidmap
Warning (blacklisting): cannot open /usr/local/sbin/newgrp: Permission denied
Disable /usr/bin/newgrp
Warning (blacklisting): cannot open /usr/local/sbin/newuidmap: Permission denied
Disable /usr/bin/newuidmap
Warning (blacklisting): cannot open /usr/local/sbin/ntfs-3g: Permission denied
Disable /usr/bin/ntfs-3g
Warning (blacklisting): cannot open /usr/local/sbin/pkexec: Permission denied
Disable /usr/bin/pkexec
Warning (blacklisting): cannot open /usr/local/sbin/procmail: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/sg: Permission denied
Disable /usr/bin/sg
Warning (blacklisting): cannot open /usr/local/sbin/strace: Permission denied
Disable /usr/bin/strace
Warning (blacklisting): cannot open /usr/local/sbin/su: Permission denied
Disable /usr/bin/su
Warning (blacklisting): cannot open /usr/local/sbin/sudo: Permission denied
Disable /usr/bin/sudo
Warning (blacklisting): cannot open /usr/local/sbin/tcpdump: Permission denied
Disable /usr/bin/tcpdump
Warning (blacklisting): cannot open /usr/local/sbin/umount: Permission denied
Disable /usr/bin/umount
Warning (blacklisting): cannot open /usr/local/sbin/unix_chkpwd: Permission denied
Disable /usr/bin/unix_chkpwd
Warning (blacklisting): cannot open /usr/local/sbin/xev: Permission denied
Disable /usr/bin/xev
Warning (blacklisting): cannot open /usr/local/sbin/xinput: Permission denied
Disable /usr/bin/xinput
Disable /usr/lib/virtualbox
Disable /usr/lib/virtualbox (requested /usr/lib64/virtualbox)
Warning (blacklisting): cannot open /usr/local/sbin/lxterminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gnome-terminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gnome-terminal.wrapper: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/lilyterm: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/mate-terminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/mate-terminal.wrapper: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/pantheon-terminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/roxterm: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/roxterm-config: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/terminix: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/tilix: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/urxvtc: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/urxvtcd: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/xfce4-terminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/xfce4-terminal.wrapper: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/bwrap: Permission denied
Disable /usr/bin/bwrap
Disable /home/mario/.mail
Disable /home/mario/Mail
Disable /proc/config.gz
Warning (blacklisting): cannot open /usr/local/sbin/dig: Permission denied
Disable /usr/bin/dig
Warning (blacklisting): cannot open /usr/local/sbin/dlint: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/dns2tcp: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/dnssec-*: Permission denied
Disable /usr/bin/dnssec-keymgr
Disable /usr/bin/dnssec-settime
Disable /usr/bin/dnssec-keygen
Disable /usr/bin/dnssec-signzone
Disable /usr/bin/dnssec-dsfromkey
Disable /usr/bin/dnssec-coverage
Disable /usr/bin/dnssec-checkds
Disable /usr/bin/dnssec-revoke
Disable /usr/bin/dnssec-verify
Disable /usr/bin/dnssec-keyfromlabel
Disable /usr/bin/dnssec-cds
Disable /usr/bin/dnssec-importkey
Warning (blacklisting): cannot open /usr/local/sbin/dnswalk: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/drill: Permission denied
Disable /usr/bin/drill
Warning (blacklisting): cannot open /usr/local/sbin/host: Permission denied
Disable /usr/bin/host
Warning (blacklisting): cannot open /usr/local/sbin/iodine: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/kdig: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/khost: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/knsupdate: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ldns-*: Permission denied
Disable /usr/bin/ldns-update
Disable /usr/bin/ldns-key2ds
Disable /usr/bin/ldns-rrsig
Disable /usr/bin/ldns-zsplit
Disable /usr/bin/ldns-revoke
Disable /usr/bin/ldns-zcat
Disable /usr/bin/ldns-gen-zone
Disable /usr/bin/ldns-compare-zones
Disable /usr/bin/ldns-nsec3-hash
Disable /usr/bin/ldns-dpa
Disable /usr/bin/ldns-testns
Disable /usr/bin/ldns-keyfetcher
Disable /usr/bin/ldns-mx
Disable /usr/bin/ldns-walk
Disable /usr/bin/ldns-signzone
Disable /usr/bin/ldns-keygen
Disable /usr/bin/ldns-read-zone
Disable /usr/bin/ldns-chaos
Disable /usr/bin/ldns-verify-zone
Disable /usr/bin/ldns-resolver
Disable /usr/bin/ldns-test-edns
Disable /usr/bin/ldns-notify
Disable /usr/bin/ldns-dane
Disable /usr/bin/ldns-config
Disable /usr/bin/ldns-version
Warning (blacklisting): cannot open /usr/local/sbin/ldnsd: Permission denied
Disable /usr/bin/ldnsd
Warning (blacklisting): cannot open /usr/local/sbin/nslookup: Permission denied
Disable /usr/bin/nslookup
Warning (blacklisting): cannot open /usr/local/sbin/resolvectl: Permission denied
Disable /usr/bin/resolvectl
Warning (blacklisting): cannot open /usr/local/sbin/unbound-host: Permission denied
Disable /usr/bin/unbound-host
Disable /run/user/1000/wayland-1.lock
Disable /home/mario/.config/KeePass
Disable /home/mario/.config/keepassx
Disable /home/mario/.config/keepassxc
Disable /home/mario/.local/share/KeePass
Disable /home/mario/.bitcoin
Disable /home/mario/.android
Disable /home/mario/.bitcoin
Not blacklist /home/mario/.cargo/registry
Not blacklist /home/mario/.cargo/git
Not blacklist /home/mario/.cargo/.package-cache
Disable /home/mario/.config/BraveSoftware
Not blacklist /home/mario/.config/Code
Not blacklist /home/mario/.config/Code - OSS
Disable /home/mario/.config/GIMP
Disable /home/mario/.config/Google
Disable /home/mario/.config/InSilmaril
Disable /home/mario/.config/Nextcloud
Disable /home/mario/.config/Riot
Disable /home/mario/.config/Signal
Disable /home/mario/.config/VirtualBox
Disable /home/mario/.config/brave
Disable /home/mario/.config/chromium
DISPLAY=:0 parsed as 0
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 04 00 c000003e   jeq ARCH_64 0006 (false 0002)
 0002: 20 00 00 00000000   ld  data.syscall-number
 0003: 15 01 00 00000167   jeq unknown 0005 (false 0004)
 0004: 06 00 00 7fff0000   ret ALLOW
 0005: 05 00 00 00000006   jmp 000c
 0006: 20 00 00 00000004   ld  data.architecture
 0007: 15 01 00 c000003e   jeq ARCH_64 0009 (false 0008)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 20 00 00 00000000   ld  data.syscall-number
 000a: 15 01 00 00000029   jeq socket 000c (false 000b)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 20 00 00 00000010   ld  data.args[0]
 000d: 15 00 01 00000001   jeq 1 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 15 00 01 00000002   jeq 2 0010 (false 0011)
 0010: 06 00 00 7fff0000   ret ALLOW
 0011: 15 00 01 0000000a   jeq a 0012 (false 0013)
 0012: 06 00 00 7fff0000   ret ALLOW
 0013: 15 00 01 00000010   jeq 10 0014 (false 0015)
 0014: 06 00 00 7fff0000   ret ALLOW
 0015: 06 00 00 0005005f   ret ERRNO(95)
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 30 00 00000015   jeq 15 0035 (false 0005)
 0005: 15 2f 00 00000034   jeq 34 0035 (false 0006)
 0006: 15 2e 00 0000001a   jeq 1a 0035 (false 0007)
 0007: 15 2d 00 0000011b   jeq 11b 0035 (false 0008)
 0008: 15 2c 00 00000155   jeq 155 0035 (false 0009)
 0009: 15 2b 00 00000156   jeq 156 0035 (false 000a)
 000a: 15 2a 00 0000007f   jeq 7f 0035 (false 000b)
 000b: 15 29 00 00000080   jeq 80 0035 (false 000c)
 000c: 15 28 00 0000015e   jeq 15e 0035 (false 000d)
 000d: 15 27 00 00000081   jeq 81 0035 (false 000e)
 000e: 15 26 00 0000006e   jeq 6e 0035 (false 000f)
 000f: 15 25 00 00000065   jeq 65 0035 (false 0010)
 0010: 15 24 00 00000121   jeq 121 0035 (false 0011)
 0011: 15 23 00 00000057   jeq 57 0035 (false 0012)
 0012: 15 22 00 00000073   jeq 73 0035 (false 0013)
 0013: 15 21 00 00000067   jeq 67 0035 (false 0014)
 0014: 15 20 00 0000015b   jeq 15b 0035 (false 0015)
 0015: 15 1f 00 0000015c   jeq 15c 0035 (false 0016)
 0016: 15 1e 00 00000087   jeq 87 0035 (false 0017)
 0017: 15 1d 00 00000095   jeq 95 0035 (false 0018)
 0018: 15 1c 00 0000007c   jeq 7c 0035 (false 0019)
 0019: 15 1b 00 00000157   jeq 157 0035 (false 001a)
 001a: 15 1a 00 000000fd   jeq fd 0035 (false 001b)
 001b: 15 19 00 00000150   jeq 150 0035 (false 001c)
 001c: 15 18 00 00000152   jeq 152 0035 (false 001d)
 001d: 15 17 00 0000015d   jeq 15d 0035 (false 001e)
 001e: 15 16 00 0000011e   jeq 11e 0035 (false 001f)
 001f: 15 15 00 0000011f   jeq 11f 0035 (false 0020)
 0020: 15 14 00 00000120   jeq 120 0035 (false 0021)
 0021: 15 13 00 00000056   jeq 56 0035 (false 0022)
 0022: 15 12 00 00000033   jeq 33 0035 (false 0023)
 0023: 15 11 00 0000007b   jeq 7b 0035 (false 0024)
 0024: 15 10 00 000000d9   jeq d9 0035 (false 0025)
 0025: 15 0f 00 000000f5   jeq f5 0035 (false 0026)
 0026: 15 0e 00 000000f6   jeq f6 0035 (false 0027)
 0027: 15 0d 00 000000f7   jeq f7 0035 (false 0028)
 0028: 15 0c 00 000000f8   jeq f8 0035 (false 0029)
 0029: 15 0b 00 000000f9   jeq f9 0035 (false 002a)
 002a: 15 0a 00 00000101   jeq 101 0035 (false 002b)
 002b: 15 09 00 00000112   jeq 112 0035 (false 002c)
 002c: 15 08 00 00000114   jeq 114 0035 (false 002d)
 002d: 15 07 00 00000126   jeq 126 0035 (false 002e)
 002e: 15 06 00 0000013d   jeq 13d 0035 (false 002f)
 002f: 15 05 00 0000013c   jeq 13c 0035 (false 0030)
 0030: 15 04 00 0000003d   jeq 3d 0035 (false 0031)
 0031: 15 03 00 00000058   jeq 58 0035 (false 0032)
 0032: 15 02 00 000000a9   jeq a9 0035 (false 0033)
 0033: 15 01 00 00000082   jeq 82 0035 (false 0034)
 0034: 06 00 00 7fff0000   ret ALLOW
 0035: 06 00 00 00050001   ret ERRNO(1)
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 3e 00 0000009f   jeq adjtimex 0046 (false 0008)
 0008: 15 3d 00 00000131   jeq clock_adjtime 0046 (false 0009)
 0009: 15 3c 00 000000e3   jeq clock_settime 0046 (false 000a)
 000a: 15 3b 00 000000a4   jeq settimeofday 0046 (false 000b)
 000b: 15 3a 00 0000009a   jeq modify_ldt 0046 (false 000c)
 000c: 15 39 00 000000d4   jeq lookup_dcookie 0046 (false 000d)
 000d: 15 38 00 0000012a   jeq perf_event_open 0046 (false 000e)
 000e: 15 37 00 00000137   jeq process_vm_writev 0046 (false 000f)
 000f: 15 36 00 000000b0   jeq delete_module 0046 (false 0010)
 0010: 15 35 00 00000139   jeq finit_module 0046 (false 0011)
 0011: 15 34 00 000000af   jeq init_module 0046 (false 0012)
 0012: 15 33 00 000000a1   jeq chroot 0046 (false 0013)
 0013: 15 32 00 000000a5   jeq mount 0046 (false 0014)
 0014: 15 31 00 0000009b   jeq pivot_root 0046 (false 0015)
 0015: 15 30 00 000000a6   jeq umount2 0046 (false 0016)
 0016: 15 2f 00 0000009c   jeq _sysctl 0046 (false 0017)
 0017: 15 2e 00 000000b7   jeq afs_syscall 0046 (false 0018)
 0018: 15 2d 00 000000ae   jeq create_module 0046 (false 0019)
 0019: 15 2c 00 000000b1   jeq get_kernel_syms 0046 (false 001a)
 001a: 15 2b 00 000000b5   jeq getpmsg 0046 (false 001b)
 001b: 15 2a 00 000000b6   jeq putpmsg 0046 (false 001c)
 001c: 15 29 00 000000b2   jeq query_module 0046 (false 001d)
 001d: 15 28 00 000000b9   jeq security 0046 (false 001e)
 001e: 15 27 00 0000008b   jeq sysfs 0046 (false 001f)
 001f: 15 26 00 000000b8   jeq tuxcall 0046 (false 0020)
 0020: 15 25 00 00000086   jeq uselib 0046 (false 0021)
 0021: 15 24 00 00000088   jeq ustat 0046 (false 0022)
 0022: 15 23 00 000000ec   jeq vserver 0046 (false 0023)
 0023: 15 22 00 000000ad   jeq ioperm 0046 (false 0024)
 0024: 15 21 00 000000ac   jeq iopl 0046 (false 0025)
 0025: 15 20 00 000000f6   jeq kexec_load 0046 (false 0026)
 0026: 15 1f 00 00000140   jeq kexec_file_load 0046 (false 0027)
 0027: 15 1e 00 000000a9   jeq reboot 0046 (false 0028)
 0028: 15 1d 00 000000a7   jeq swapon 0046 (false 0029)
 0029: 15 1c 00 000000a8   jeq swapoff 0046 (false 002a)
 002a: 15 1b 00 00000130   jeq open_by_handle_at 0046 (false 002b)
 002b: 15 1a 00 0000012f   jeq name_to_handle_at 0046 (false 002c)
 002c: 15 19 00 000000fb   jeq ioprio_set 0046 (false 002d)
 002d: 15 18 00 00000067   jeq syslog 0046 (false 002e)
 002e: 15 17 00 0000012c   jeq fanotify_init 0046 (false 002f)
 002f: 15 16 00 000000f8   jeq add_key 0046 (false 0030)
 0030: 15 15 00 000000f9   jeq request_key 0046 (false 0031)
 0031: 15 14 00 000000ed   jeq mbind 0046 (false 0032)
 0032: 15 13 00 00000100   jeq migrate_pages 0046 (false 0033)
 0033: 15 12 00 00000117   jeq move_pages 0046 (false 0034)
 0034: 15 11 00 000000fa   jeq keyctl 0046 (false 0035)
 0035: 15 10 00 000000ce   jeq io_setup 0046 (false 0036)
 0036: 15 0f 00 000000cf   jeq io_destroy 0046 (false 0037)
 0037: 15 0e 00 000000d0   jeq io_getevents 0046 (false 0038)
 0038: 15 0d 00 000000d1   jeq io_submit 0046 (false 0039)
 0039: 15 0c 00 000000d2   jeq io_cancel 0046 (false 003a)
 003a: 15 0b 00 000000d8   jeq remap_file_pages 0046 (false 003b)
 003b: 15 0a 00 00000143   jeq userfaultfd 0046 (false 003c)
 003c: 15 09 00 000000a3   jeq acct 0046 (false 003d)
 003d: 15 08 00 00000141   jeq bpf 0046 (false 003e)
 003e: 15 07 00 000000b4   jeq nfsservctl 0046 (false 003f)
 003f: 15 06 00 000000ab   jeq setdomainname 0046 (false 0040)
 0040: 15 05 00 000000aa   jeq sethostname 0046 (false 0041)
 0041: 15 04 00 00000099   jeq vhangup 0046 (false 0042)
 0042: 15 03 00 00000065   jeq ptrace 0046 (false 0043)
 0043: 15 02 00 00000087   jeq personality 0046 (false 0044)
 0044: 15 01 00 00000136   jeq process_vm_readv 0046 (false 0045)
 0045: 06 00 00 7fff0000   ret ALLOW
 0046: 06 00 00 00050001   ret ERRNO(1)
.config/enchant
Disable /home/mario/.config/gconf
Not blacklist /home/mario/.config/git
Disable /home/mario/.config/kdeconnect
Disable /home/mario/.config/libreoffice
Disable /home/mario/.config/Microsoft
Disable /home/mario/.config/mpv
Disable /home/mario/.config/neomutt
Disable /home/mario/.config/pavucontrol.ini
Disable /home/mario/.config/Pinta
Disable /home/mario/.config/qutebrowser
Disable /home/mario/.config/teams
Disable /home/mario/.config/teams-for-linux
Disable /home/mario/.config/torbrowser
Disable /home/mario/.config/transmission
Disable /home/mario/.config/vivaldi
Disable /home/mario/.config/vlc
Disable /home/mario/.config/wireshark
Disable /home/mario/.config/zoomus.conf
Disable /home/mario/.cups
Disable /home/mario/.electrum
Disable /home/mario/.emacs
Disable /home/mario/.emacs.d
Not blacklist /home/mario/.gitconfig
Not blacklist /home/mario/.gradle
Not blacklist /home/mario/.java
Disable /home/mario/.links
Disable /home/mario/.local/share/JetBrains
Disable /home/mario/.local/share/qutebrowser
Disable /home/mario/.local/share/signal-cli
Disable /home/mario/.local/share/torbrowser
Disable /home/mario/.local/share/vlc
Disable /home/mario/.minecraft
Disable /home/mario/.mozilla
Not blacklist /home/mario/.node-gyp
Not blacklist /home/mario/.npm
Not blacklist /home/mario/.npmrc
Not blacklist /home/mario/.nvm
Not blacklist /home/mario/.pylint.d
Disable /home/mario/.subversion
Disable /home/mario/.thunderbird
Disable /home/mario/.tor-browser
Disable /home/mario/.vim
Disable /home/mario/.vimrc
Disable /home/mario/.vmware
Not blacklist /home/mario/.vscode
Not blacklist /home/mario/.vscode-oss
Disable /home/mario/.w3m
Disable /home/mario/.weechat
Disable /home/mario/.wget-hsts
Not blacklist /home/mario/.yarn
Not blacklist /home/mario/.yarn-config
Not blacklist /home/mario/.yarncache
Not blacklist /home/mario/.yarnrc
Disable /home/mario/.zoom
Disable /var/games/nethack
Disable /home/mario/.cache/BraveSoftware
Disable /home/mario/.cache/babl
Disable /home/mario/.cache/chromium
Disable /home/mario/.cache/gegl-0.4
Disable /home/mario/.cache/gimp
Disable /home/mario/.cache/keepassxc
Disable /home/mario/.cache/mozilla
Disable /home/mario/.cache/pip
Disable /home/mario/.cache/qutebrowser
Disable /home/mario/.cache/thunderbird
Disable /home/mario/.cache/vlc
Disable /home/mario/.cache/vmware
Mounting noexec /tmp
5655 5654 0:36 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev master:22 - tmpfs tmpfs rw,size=16247096k,nr_inodes=409600,inode64
mountid=5655 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /tmp/.X11-unix
5656 5655 0:36 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec master:22 - tmpfs tmpfs rw,size=16247096k,nr_inodes=409600,inode64
mountid=5656 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting tmpfs on /home/mario/.cache, check owner: yes
5657 5362 0:192 / /home/mario/.cache rw,nosuid,nodev,relatime - tmpfs tmpfs rw,mode=700,uid=1000,gid=1000,inode64
mountid=5657 fsname=/ dir=/home/mario/.cache fstype=tmpfs
Mounting read-only /tmp/.X11-unix
5658 5656 0:36 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec master:22 - tmpfs tmpfs rw,size=16247096k,nr_inodes=409600,inode64
mountid=5658 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Disable /sys/fs
Disable /sys/module
disable pulseaudio
blacklist /home/mario/.config/pulse
blacklist /run/user/1000/pulse/native
blacklist /run/user/1000/pulse
Current directory: /home/mario/src/pie/pie3
Install protocol filter: unix,inet,inet6,netlink
configuring 22 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol 
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 
Dual 32/64 bit seccomp filter configured
configuring 71 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp 
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
5664 5178 0:182 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=5664 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             240 ..
-rw-r--r-- mario    mario            568 seccomp
-rw-r--r-- mario    mario            432 seccomp.32
-rw-r--r-- mario    mario            114 seccomp.list
-rw-r--r-- mario    mario              0 seccomp.postexec
-rw-r--r-- mario    mario              0 seccomp.postexec32
-rw-r--r-- mario    mario            176 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
Child process initialized in 40.32 ms
Starting application
LD_PRELOAD=(null)
execvp argument 0: code
execvp argument 1: --verbose
Warning: an existing sandbox was detected. /usr/bin/code will run without any additional sandboxing features
Check failed: sys_chroot("/proc/self/fdinfo/") == 0

Parent is shutting down, bye...
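
The failing assertion above (`sys_chroot("/proc/self/fdinfo/") == 0`) comes from the Chromium/Electron sandbox that VS Code sets up on its own, and the fix described at the top of the report is to let `chroot` through firejail's seccomp filter with `seccomp !chroot`. Before adding such an exception it is worth confirming from the `fsec-print` dump which syscalls the active filter actually denies. The following is an added diagnostic, not part of the issue or of firejail: it parses lines in the `fsec-print` format shown in the log, resolves each `jeq` to the `ret` instruction it jumps to, and reports the syscalls that end in `ERRNO`. The sample dump is constructed from the page's own format; the `chroot` entry in it is an assumed line for illustration, since the excerpt above starts after that point in the real dump.

```python
import re
from typing import Dict, Tuple

# Constructed sample in the format firejail's fsec-print uses to disassemble a
# seccomp BPF filter. The chroot line is assumed for illustration; the others
# mirror lines visible in the issue's log.
SAMPLE_DUMP = """\
0018: 15 2d 00 000000a1   jeq chroot 0046 (false 0019)
0019: 15 2c 00 000000b1   jeq get_kernel_syms 0046 (false 001a)
001a: 15 2b 00 000000b5   jeq getpmsg 0046 (false 001b)
0044: 15 01 00 00000136   jeq process_vm_readv 0046 (false 0045)
0045: 06 00 00 7fff0000   ret ALLOW
0046: 06 00 00 00050001   ret ERRNO(1)
"""

# "<offset>: <raw bytes>   jeq <syscall> <true-target> (false <false-target>)"
JEQ_RE = re.compile(
    r"^([0-9a-f]{4}): .*?jeq (\S+) ([0-9a-f]{4}) \(false ([0-9a-f]{4})\)$"
)
# "<offset>: <raw bytes>   ret <ACTION>"
RET_RE = re.compile(r"^([0-9a-f]{4}): .*?ret (\S+)$")


def parse_filter(dump: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a dump into (syscall -> jeq true-target) and (offset -> ret action)."""
    jeq_targets: Dict[str, str] = {}
    ret_actions: Dict[str, str] = {}
    for raw in dump.splitlines():
        line = raw.strip()
        m = JEQ_RE.match(line)
        if m:
            _offset, name, target, _false = m.groups()
            jeq_targets[name] = target
            continue
        m = RET_RE.match(line)
        if m:
            offset, action = m.groups()
            ret_actions[offset] = action
    return jeq_targets, ret_actions


def denied_syscalls(dump: str) -> Dict[str, str]:
    """Map each syscall whose jeq lands directly on a non-ALLOW ret to that action.

    Only direct jumps are resolved, which is enough for the flat
    jeq-chain/ret-ERRNO layout firejail emits for a blacklist filter.
    """
    jeq_targets, ret_actions = parse_filter(dump)
    denied: Dict[str, str] = {}
    for name, target in jeq_targets.items():
        action = ret_actions.get(target)
        if action is not None and action != "ALLOW":
            denied[name] = action
    return denied


def is_blocked(dump: str, syscall: str) -> bool:
    """True when the filter returns an error for the named syscall."""
    return syscall in denied_syscalls(dump)


if __name__ == "__main__":
    for name, action in sorted(denied_syscalls(SAMPLE_DUMP).items()):
        print(f"{name:20s} -> {action}")
    print("chroot blocked:", is_blocked(SAMPLE_DUMP, "chroot"))
```

To run it against a live sandbox, paste the `fsec-print` output from `firejail --debug` in place of the sample; a `chroot -> ERRNO(1)` line is the confirmation that the Electron sandbox's chroot call will fail and that a `seccomp !chroot` exception in the `.local` profile is what changes the outcome.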

@rusty-snake
Collaborator

code.profile needs an electron redirect re-factoring too. (And the new codium alias + wusc adaptation).

@kmk3 kmk3 changed the title VS Code needs seccomp !chroot vscode: crashes without seccomp !chroot Sep 3, 2024
2 participants