Requesting rework of geekbench.profile

[ghost]

Description

Current profile for the crossplatform benchmarking utility Geekbench is not up-to-date and unusable.

Steps to Reproduce

1. Install current geekbench version 5.
2. Run firecfg
3. Run geekbench

Expected behavior

Geekbench should run confined to its jail.

Actual behavior

Denies execution during firejail start up procedure.

Behavior without a profile

Geekbench begins executing as expected.

Additional context

Geekbench exists in different versions. The current version is 5.x

Environment

• Linux distribution: Arch Linux
• Firejail version firejail version 0.9.66

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Reading profile /etc/firejail/geekbench.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1145925, child pid 1145930
Warning: skipping none for private /opt
Private /opt installed in 0.11 ms
Warning: invalid private-bin path /usr/bin/geekbench
Warning: invalid private-bin path /bin/geekbench
Warning: invalid private-bin path /usr/sbin/geekbench
Warning: invalid private-bin path /sbin/geekbench
5 programs installed in 9.01 ms
Standard C library installed in 2.31 ms
Error fldd: cannot access /usr/bin/firejail
Error: failed to run /run/firejail/lib/fldd, exiting...
Error: proc 1145925 cannot sync with peer: unexpected EOF
Peer 1145930 unexpectedly exited with status 1

[smitsohu]

Error fldd: cannot access /usr/bin/firejail
Error: failed to run /run/firejail/lib/fldd, exiting...

That's curious. Does firejail --noprofile --private-lib work?

If not, what does ls -l /usr/bin/firejail say?

[ghost]

firejail --noprofile --private-lib

Parent pid 1205021, child pid 1205022
Standard C library installed in 2.30 ms
Error fldd: cannot access /usr/bin/firejail
Error: failed to run /run/firejail/lib/fldd, exiting...
Error: proc 1205021 cannot sync with peer: unexpected EOF
Peer 1205022 unexpectedly exited with status 1

ls -l /usr/bin/firejail

-rwsr-x--- 1 root firejail 515440 Aug 21 06:22 /usr/bin/firejail

[smitsohu]

-rwsr-x--- 1 root firejail 515440 Aug 21 06:22 /usr/bin/firejail

Thanks! I think this is a bug. Probably the reason is that our helper fldd is not a member of the firejail group.

[ghost]

Great, if it gets solved in the end all is well. What is the estimated timeframe for a fix to get merged to master? Is there any kind of manual workaround that can be applied in the meantime?

[rusty-snake]

ignore private-lib

[ghost]

ignore private-lib

For now, of my programs, only geekbench is affected. What would be the ignore private-lib equivalent for the *.local file.

[rusty-snake]

echo "ignore private-lib" >> ~/.config/firejail/geekbench.local

This will affect all program if their profile contains private-lib as I understand.

[ghost]

Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1227730, child pid 1227731
Warning: skipping none for private /opt
Private /opt installed in 0.06 ms
Warning: invalid private-bin path /usr/bin/geekbench
Warning: invalid private-bin path /bin/geekbench
Warning: invalid private-bin path /usr/sbin/geekbench
Warning: invalid private-bin path /sbin/geekbench
5 programs installed in 9.59 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 1.42 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 75.81 ms
Error: no suitable /sbin/geekbench executable found

Parent is shutting down, bye...

The geekbench binary is located at /opt/geekbench/geekbench5

[rusty-snake]

noblacklist /sbin
noblacklist /usr/sbin

---

Does anyone know if private-bin bash,geekbenc*,sh is intended or is this a typo and should be geekbench* (with a "h")?

[ghost]

noblacklist /sbin
noblacklist /usr/sbin./

Error: no suitable /sbin/geekbench executable found

ls -al | grep geekbench
lrwxrwxrwx  1 root root           25 Sep 23 21:29 geekbench -> /opt/geekbench/geekbench5

[rusty-snake]

Warning: invalid private-bin path /usr/bin/geekbench
Warning: invalid private-bin path /bin/geekbench
Warning: invalid private-bin path /usr/sbin/geekbench
Warning: invalid private-bin path /sbin/geekbench

firejail/src/firejail/fs_bin.c

Lines 162 to 169 in 452916a

	// If the absolute filename is indicated, directly use it. This
	// is required for the following cases:
	// - if user's $PATH order is not the same as the above
	// paths[] variable order
	if (!valid_full_path_file(fname)) {
	fwarning("invalid private-bin path %s\n", fname);
	return;
	}

[rusty-snake]

Does firejail --profile=geekbench /opt/geekbench/geekbench5 work?

[ghost]

[sapiens]$ firejail --profile=geekbench /opt/geekbench/geekbench5
Reading profile geekbench
Error: line 1 in geekbench is invalid

[rusty-snake]

Do you have a geekbench file/dir in your cwd?

[glitsj16]

Our current geekbench.profile has private-opt none, which stops the symlink in /usr/bin to find /opt/geekbench/geekbench5. Have you tried private-opt geekbench yet?

[ghost]

Ups, yes, I was in /sbin.

[sapiens@pc ~]$ cat .config/firejail/geekbench.local 
ignore private-lib
noblacklist /sbin
noblacklist /usr/sbin

[sapiens@pc ~]$ firejail --profile=geekbench /opt/geekbench/geekbench5
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1243215, child pid 1243216
Warning: skipping none for private /opt
Private /opt installed in 0.06 ms
Warning: invalid private-bin path /usr/bin/geekbench
Warning: invalid private-bin path /bin/geekbench
Warning: invalid private-bin path /usr/sbin/geekbench
Warning: invalid private-bin path /sbin/geekbench
5 programs installed in 9.41 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 2.06 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 77.10 ms
Error: no suitable /opt/geekbench/geekbench5 executable found

Parent is shutting down, bye...

[rusty-snake]

🤦 was to obvious

firejail/etc/profile-a-l/geekbench.profile

Line 47 in 452916a

private-opt none

Either use private-opt geekbench or, if du -sc /opt/geekbench is more than a few MB, ignore private-opt.

EDIT: Did not saw @glitsj16 comment until now.

[ghost]

[sapiens@pc ~]$ du -hsc /opt/geekbench
95M	/opt/geekbench
95M	total

What should the geekbench.local look now?

[sapiens@pc ~]$ cat .config/firejail/geekbench.local 
ignore private-opt

Results in:

[sapiens@pc ~]$ geekbench
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1258300, child pid 1258301
9 programs installed in 12.67 ms
Standard C library installed in 1.75 ms
Error fldd: cannot access /usr/bin/firejail
Error: failed to run /run/firejail/lib/fldd, exiting...
Error: proc 1258300 cannot sync with peer: unexpected EOF
Peer 1258301 unexpectedly exited with status 1

[rusty-snake]

What should the geekbench.local look now?

All 4 lines (2 noblacklist and 2 ignore).

[ghost]

[sapiens@pc ~]$ cat .config/firejail/geekbench.local 
ignore private-opt
ignore private-lib
noblacklist /sbin
noblacklist /usr/sbin

[sapiens@pc ~]$ geekbench
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1264114, child pid 1264115
9 programs installed in 11.40 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 1.45 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 78.47 ms
Error: no suitable /sbin/geekbench executable found

Parent is shutting down, bye...

[rusty-snake]

And with firejail --profile=geekbench /opt/geekbench/geekbench5?

[ghost]

With firejail --profile=geekbench /opt/geekbench/geekbench5 geekbench starts!

[ghost]

ignore private-libwas for the issue with the helper.
But why does just geekbench not work if I have ignore private-opt and noblacklist /sbin?

[glitsj16]

Linux distribution: Arch Linux
[...]
ls -l /usr/bin/firejail
-rwsr-x--- 1 root firejail 515440 Aug 21 06:22 /usr/bin/firejail

Just out of curiosity, did you create the firejail group yourself? I'm on Arch Linux too and can't recall ever seeing that when installing firejail via pacman. Not that @smitsohu 's reasoning is in any way off regarding our fldd helper. But it might be confusing for other AL users when seeing this thread.

[ghost]

Just out of curiosity, did you create the firejail group yourself?

https://wiki.archlinux.org/title/Firejail#Hardening_Firejail
https://firejail.wordpress.com/documentation-2/basic-usage/#suid

[ghost]

I still have some questions.

1. Why do I need firejail --profile=geekbench /opt/geekbench/geekbench5when I habe ignore private-opt and noblacklist /sbin
2. What is the estimated timeframe for a fix to get merged to master?

[smitsohu]

There is a fix in master for the private-lib part, you can give it a try.

[rusty-snake]

1. Why do I need firejail --profile=geekbench /opt/geekbench/geekbench5 when I habe ignore private-opt and noblacklist /sbin

That's what I want to findout first. My guess is private-bin, so try to ignore it.
What does firejail --profile=geekbench /proc/self/fd/3 /sbin 3</bin/ls show?

[ghost]

That's what I want to findout first. My guess is private-bin, so try to ignore it.

[sapiens@pc ~]$ cat .config/firejail/geekbench.local 
ignore private-opt
ignore private-bin
ignore private-lib
noblacklist /sbin
noblacklist /usr/sbin

With the above setting geekbench starts.

With the above settings, including ignore private-bin firejail --profile=geekbench /proc/self/fd/3 /sbin 3</bin/ls outbuts all binaries.

Without ignore private-bin:

[sapiens@pc ~]$ firejail --profile=geekbench /proc/self/fd/3 /sbin 3</bin/ls
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 58609, child pid 58610
9 programs installed in 14.10 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 2.26 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 81.38 ms
bash  firejail	geekbench  sh

Parent is shutting down, bye...

[ghost]

While we are on the topic, geekbench does not seem to have permissions to save the registration key if you have bought a licence.

[sapiens@pc ~]$ cat .config/firejail/geekbench.local
ignore private-opt
ignore private-bin
ignore private-lib
noblacklist /sbin
noblacklist /usr/sbin

[sapiens@pc ~]$ geekbench --unlock <redacted_email> <redacted_key>
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 79980, child pid 79981
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 2.15 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 121.88 ms
Geekbench 5.4.1 Tryout : https://www.geekbench.com/

Could not unlock Geekbench. There was a problem saving your license 
information. Contact support at support@primatelabs.com for more assistance.

Parent is shutting down, bye...

[rusty-snake]

Where and how does it store the license key? Does it need additional whitelists, libraries or D-Bus access?

edit: um, yes then it is clear what the problem is

firejail/etc/profile-a-l/geekbench.profile

Line 54 in 6988a80

read-only ${HOME}

edit2: adding read-write ${HOME}/.foo/bar/geekbench (together with mkdir) will not make it persistent without whitelist.

[ghost]

I have no idea where it is trying to save the key. How would I go about finding that out?

[rusty-snake]

firejail/etc/templates/profile.template

Lines 62 to 73 in 6988a80

	# It is common practice to add files/dirs containing program-specific configuration
	# (often ${HOME}/PROGRAMNAME or ${HOME}/.config/PROGRAMNAME) into disable-programs.inc
	# (keep list sorted) and then disable blacklisting below.
	# One way to retrieve the files a program uses is:
	# - launch binary with --private naming a sandbox
	# `firejail --name=test --ignore=private-bin [--profile=PROFILE] --private BINARY`
	# - work with the program, make some configuration changes and save them, open new documents,
	# install plugins if they exists, etc.
	# - join the sandbox with bash:
	# `firejail --join=test bash`
	# - look what has changed and use that information to populate blacklist and whitelist sections
	# `ls -aR`

[ghost]

Geekbench without any additonal parameters will not try to save the licence and Geekbench called via:
firejail --name=test --profile=geekbench --private /opt/geekbench/geekbench5 --unlock email@address.com xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx will immediately exit with the following message.

Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 107204, child pid 107205
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 1.97 ms
Private /usr/etc installed in 0.00 ms
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 111.70 ms
Geekbench 5.4.1 Tryout : https://www.geekbench.com/

Could not unlock Geekbench. There was a problem saving your license 
information. Contact support at support@primatelabs.com for more assistance.

Parent is shutting down, bye...

Geekbench is not an interactive program I can just leave running.

[sapiens@pc ~]$ sudo find / -name "geek*" -print
/etc/firejail/geekbench.profile
/usr/bin/geekbench
/usr/local/bin/geekbench
/var/lib/pacman/local/geekbench-5.4.1-1
/opt/geekbench
/opt/geekbench/geekbench5
/opt/geekbench/geekbench.plar
/opt/geekbench/geekbench_x86_64
/home/sapiens/.cache/yay/geekbench
/home/sapiens/.cache/yay/geekbench/geekbench-5.4.1-1-x86_64.pkg.tar.zst
/home/sapiens/.config/firejail/geekbench.local

I might just write the support.

[rusty-snake]

firejail --name=test --ignore=private-bin --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock email@address.com xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx && tree -a" (or && ls -lRa).

[ghost]

[sapiens@pc ~]$ firejail --name=test --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock <redacted> <redacted> && ls -lRa"
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 128882, child pid 128883
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 2.25 ms
Private /usr/etc installed in 0.00 ms
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 110.05 ms
Geekbench 5.4.1 Tryout : https://www.geekbench.com/

Could not unlock Geekbench. There was a problem saving your license 
information. Contact support at support@primatelabs.com for more assistance.

Parent is shutting down, bye...

I wrote the support, maybe they are willing to give us a shortcut to figuring this out.

[rusty-snake]

&& -> ;

firejail --name=test --ignore=private-bin --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock email@address.com xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx-xxxxx ; tree -a"

[ghost]

[sapiens@pc ~]$ firejail --name=test --ignore=private-bin --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock <email> <key> ; tree -a"
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 135929, child pid 135930
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 1.93 ms
Private /usr/etc installed in 0.00 ms
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 112.24 ms
Geekbench 5.4.1 Tryout : https://www.geekbench.com/

Could not unlock Geekbench. There was a problem saving your license 
information. Contact support at support@primatelabs.com for more assistance.
.
├── .bashrc
├── .config
│   └── dconf
└── .Xauthority

2 directories, 2 files

[sapiens@pc ~]$ firejail --name=test --ignore=private-bin --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock <email> <key> ; ls -lRa"
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 133511, child pid 133512
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 2.08 ms
Private /usr/etc installed in 0.00 ms
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 112.71 ms
Geekbench 5.4.1 Tryout : https://www.geekbench.com/

Could not unlock Geekbench. There was a problem saving your license 
information. Contact support at support@primatelabs.com for more assistance.
.:
total 4
drwx------ 3 sapiens sapiens 100 Sep 29 20:18 .
drwxr-xr-x 3 nobody  nobody   60 Sep 29 20:18 ..
-rw-r--r-- 1 sapiens sapiens 141 Sep 29 20:18 .bashrc
drwx------ 3 sapiens sapiens  60 Sep 29 20:18 .config
-rw------- 1 sapiens sapiens   0 Sep 29 20:18 .Xauthority

./.config:
total 0
drwx------ 3 sapiens sapiens  60 Sep 29 20:18 .
drwx------ 3 sapiens sapiens 100 Sep 29 20:18 ..
drwx------ 2 sapiens sapiens  40 Sep 29 20:18 dconf

./.config/dconf:
total 0
drwx------ 2 sapiens sapiens 40 Sep 29 20:18 .
drwx------ 3 sapiens sapiens 60 Sep 29 20:18 ..

Parent is shutting down, bye...

[rusty-snake]

It isn't a filesystem operation (most likely). I should know this sicen #4576 (comment).

1. firejail --ignore=private-bin --ignore=read-only --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock <email> <key> ; ls -lRa"
2. (if 1 fails) firejail --ignore="dbus-user none" --profile=geekbench /opt/geekbench/geekbench5 --unlock <email> <key>
3. (if 1 and 2 fail) firejail --noprofile --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock <email> <key> ; ls -lRa"
4. (if all fail) /opt/geekbench/geekbench5 --unlock <email> <key>

[ghost]

There it is! It's~/.geekbench5

[sapiens@pc ~]$ firejail --ignore=private-bin --ignore=read-only --profile=geekbench --private /bin/sh -c "/opt/geekbench/geekbench5 --unlock <email> <key> ; ls -lRa"
Reading profile /etc/firejail/geekbench.profile
Reading profile /home/sapiens/.config/firejail/geekbench.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 137724, child pid 137725
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping lsb-release for private /etc
Private /etc installed in 1.75 ms
Private /usr/etc installed in 0.00 ms
Warning: not remounting /run/user/1000/gvfs
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Child process initialized in 106.31 ms
Geekbench 5.4.1 Tryout : https://www.geekbench.com/

Thank you for purchasing Geekbench! All the limitations of tryout mode have 
been removed. Thank you for your purchase, and we hope you enjoy using 
Geekbench 5.
.:
total 8
drwx------ 3 sapiens sapiens 120 Sep 29 20:27 .
drwxr-xr-x 3 nobody  nobody   60 Sep 29 20:27 ..
-rw-r--r-- 1 sapiens sapiens 141 Sep 29 20:27 .bashrc
drwx------ 3 sapiens sapiens  60 Sep 29 20:27 .config
-rw-r--r-- 1 sapiens sapiens 113 Sep 29 20:27 .geekbench5
-rw------- 1 sapiens sapiens   0 Sep 29 20:27 .Xauthority

./.config:
total 0
drwx------ 3 sapiens sapiens  60 Sep 29 20:27 .
drwx------ 3 sapiens sapiens 120 Sep 29 20:27 ..
drwx------ 2 sapiens sapiens  40 Sep 29 20:27 dconf

./.config/dconf:
total 0
drwx------ 2 sapiens sapiens 40 Sep 29 20:27 .
drwx------ 3 sapiens sapiens 60 Sep 29 20:27 ..

Parent is shutting down, bye...

[rusty-snake]

Can you try this. (note the read-write must come after the read-only therefore it does not work from a .local).

diff --git a/etc/profile-a-l/geekbench.profile b/etc/profile-a-l/geekbench.profile
index 60f2f338..4812e136 100644
--- a/etc/profile-a-l/geekbench.profile
+++ b/etc/profile-a-l/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
 private-etc alternatives,group,ld.so.preload,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
 private-tmp
 
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+read-write ${HOME}/.geekbench5

[ghost]

I needed to modify the patch a little, since it seems the ld.so.preload part hasn't reached Arch, yet! Also profiles are stored in /etc/firejail/* for me on Arch!

diff --git a/etc/firejail/geekbench.profile b/etc/firejail/geekbench.profile
index 60f2f338..4812e136 100644
--- a/etc/firejail/geekbench.profile
+++ b/etc/firejail/geekbench.profile
@@ -6,6 +6,10 @@ include geekbench.local
 # Persistent global definitions
 include globals.local
 
+noblacklist ${HOME}/.geekbench5
+noblacklist /sbin
+noblacklist /usr/sbin
+
 include disable-common.inc
 include disable-devel.inc
 include disable-exec.inc
@@ -13,6 +17,8 @@ include disable-interpreters.inc
 include disable-programs.inc
 include disable-xdg.inc
 
+mkdir ${HOME}/.geekbench5
+whitelist ${HOME}/.geekbench5
 include whitelist-common.inc
 include whitelist-usr-share-common.inc
 include whitelist-var-common.inc
@@ -39,16 +45,14 @@ shell none
 tracelog
 
 disable-mnt
-private-bin bash,geekbenc*,sh
+#private-bin bash,geekbench*,sh -- #4576
 private-cache
 private-dev
-private-etc alternatives,group,lsb-release,passwd
+private-etc alternatives,group,ld.so.preload,lsb-release,passwd
-private-lib gcc/*/*/libstdc++.so.*
-private-opt none
 private-tmp
 
 dbus-user none
 dbus-system none
 
-#memory-deny-write-execute - breaks on Arch (see issue #1803)
 read-only ${HOME}
+read-write ${HOME}/.geekbench5

Now geekbench runs smoothly!