firefox: freeze with custom profile (seccomp) #4698

fpusersuggest · 2021-11-18T20:20:31Z

Description

Describe the bug
Hello, I have a custom profile for firefox.
If I go on a specific facebook group, that firefox tab freeze and I have to close it.
I found an error in the log and I like to know how to fix it.
This is the log:
nov 18 20:48:14 mypc audit[10931]: SECCOMP auid=1000 uid=1000 gid=1001 ses=1 subj=firejail-default pid=10931 comm=57656220436F6E74656E74 exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 compat=0 ip=0x7fe97668589d code=0x0
nov 18 20:48:14 mypc kernel: audit: type=1326 audit(1637264894.948:51): auid=1000 uid=1000 gid=1001 ses=1 subj=firejail-default pid=10931 comm=57656220436F6E74656E74 exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 compat=0 ip=0x7fe97668589d code=0x0

Steps to Reproduce

Run in bash LC_ALL=C firejail PROGRAM (LC_ALL=C to get a consistent output in English that can be understood by everybody)

$ LC_ALL=C firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 14951, child pid 14952
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 182.72 ms
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.

ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.

Click on '....'
I connect to facebook and then to the following facebook group
https://www.facebook.com/groups/477126719059034
after that the facebook tab freeze and I see the error in the log:
nov 18 20:55:56 audit[15170]: SECCOMP auid=1000 uid=1000 gid=1001 ses=1 subj=firejail-default pid=15170 comm=57656220436F6E74656E74 exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 compat=0 ip=0x7f0d6896189d code=0x0
nov 18 20:55:56 kernel: audit: type=1326 audit(1637265356.469:52): auid=1000 uid=1000 gid=1001 ses=1 subj=firejail-default pid=15170 comm=57656220436F6E74656E74 exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=312 compat=0 ip=0x7f0d6896189d code=0x0

Expected behavior

browse facebook without freeze

Environment

Linux distribution and version (e.g. "Ubuntu 20.04" or "Arch Linux")
ubuntu 20.04
$ uname -a
Linux mypc 5.11.0-40-generic PulseAudio sandboxing #44~20.04.2-Ubuntu SMP Tue Oct 26 18:07:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Firejail version (firejail --version).
firejail version 0.9.62

Checklist

[x ] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
The profile (and redirect profile if exists) hasn't already been fixed upstream.
I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Output of LC_ALL=C firejail --debug /path/to/program

$ LC_ALL=C firejail --debug firefox  2>&1>fire.debug
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
DISPLAY=:0 parsed as 0
Parent pid 41527, child pid 41528
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Debug 423: new_name #/home/lws/.cache/mozilla/firefox#, whitelist
Debug 531: fname #/home/lws/.cache/mozilla/firefox#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.mozilla#, whitelist
Debug 531: fname #/home/lws/.mozilla#, cfg.homedir #/home/lws#
Debug 423: new_name #/usr/share/mozilla#, whitelist
Debug 423: new_name #/usr/share/webext#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/alsa#, whitelist
Debug 423: new_name #/usr/share/applications#, whitelist
Debug 423: new_name #/usr/share/ca-certificates#, whitelist
Debug 423: new_name #/usr/share/crypto-policies#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/cursors#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/dconf#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/distro-info#, whitelist
Debug 423: new_name #/usr/share/drirc.d#, whitelist
Debug 423: new_name #/usr/share/enchant#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/enchant-2#, whitelist
Debug 423: new_name #/usr/share/fontconfig#, whitelist
Debug 423: new_name #/usr/share/fonts#, whitelist
Debug 423: new_name #/usr/share/gir-1.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/gjs-1.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/glib-2.0#, whitelist
Debug 423: new_name #/usr/share/glvnd#, whitelist
Debug 423: new_name #/usr/share/gtk-2.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/gtk-3.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/gtksourceview-3.0#, whitelist
Debug 423: new_name #/usr/share/gtksourceview-4#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/hunspell#, whitelist
Debug 423: new_name #/usr/share/hwdata#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/icons#, whitelist
Debug 423: new_name #/usr/share/knotifications5#, whitelist
Debug 423: new_name #/usr/share/icu#, whitelist
Debug 423: new_name #/usr/share/kservices5#, whitelist
Debug 423: new_name #/usr/share/Kvantum#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/kxmlgui5#, whitelist
Debug 423: new_name #/usr/share/libdrm#, whitelist
Debug 423: new_name #/usr/share/libthai#, whitelist
Debug 423: new_name #/usr/share/locale#, whitelist
Debug 423: new_name #/usr/share/mime#, whitelist
Debug 423: new_name #/usr/share/misc#, whitelist
Debug 423: new_name #/usr/share/Modules#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/myspell#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/p11-kit#, whitelist
Debug 423: new_name #/usr/share/pixmaps#, whitelist
Debug 423: new_name #/usr/share/pki#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/plasma#, whitelist
Debug 423: new_name #/usr/share/qt#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/qt4#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/qt5#, whitelist
Debug 423: new_name #/usr/share/sounds#, whitelist
Debug 423: new_name #/usr/share/tcl8.6#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/terminfo#, whitelist
Debug 423: new_name #/usr/share/themes#, whitelist
Debug 423: new_name #/usr/share/thumbnail.so#, whitelist
realpath: No such file or directory
Debug 423: new_name #/usr/share/X11#, whitelist
Debug 423: new_name #/usr/share/xml#, whitelist
Debug 423: new_name #/usr/share/zoneinfo#, whitelist
Debug 423: new_name #/home/lws/Scaricati#, whitelist
Debug 531: fname #/home/lws/Scaricati#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.pki#, whitelist
Debug 531: fname #/home/lws/.pki#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.local/share/pki#, whitelist
Debug 531: fname #/home/lws/.local/share/pki#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.XCompose#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.asoundrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/ibus#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/mimeapps.list#, whitelist
Debug 531: fname #/home/lws/.config/mimeapps.list#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.config/pkcs11#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/user-dirs.dirs#, whitelist
Debug 531: fname #/home/lws/.config/user-dirs.dirs#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.drirc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.icons#, whitelist
Debug 531: fname #/home/lws/.icons#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.local/share/applications#, whitelist
Debug 531: fname #/home/lws/.local/share/applications#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.local/share/icons#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.local/share/mime#, whitelist
Debug 531: fname #/home/lws/.local/share/mime#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.mime.types#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/dconf#, whitelist
Debug 531: fname #/home/lws/.config/dconf#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.cache/fontconfig#, whitelist
Debug 531: fname #/home/lws/.cache/fontconfig#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.config/fontconfig#, whitelist
Debug 531: fname #/home/lws/.config/fontconfig#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.fontconfig#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.fonts#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.fonts.conf#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.fonts.conf.d#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.fonts.d#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.local/share/fonts#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.pangorc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/gtk-2.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/gtk-3.0#, whitelist
Debug 531: fname #/home/lws/.config/gtk-3.0#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.config/gtkrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/gtkrc-2.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.gnome2#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.gnome2-private#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.gtk-2.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.gtkrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.gtkrc-2.0#, whitelist
Debug 531: fname #/home/lws/.gtkrc-2.0#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.kde/share/config/gtkrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde/share/config/gtkrc-2.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde4/share/config/gtkrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde4/share/config/gtkrc-2.0#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.local/share/themes#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.themes#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.cache/kioexec/krun#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/Kvantum#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/Trolltech.conf#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/kdeglobals#, whitelist
Debug 531: fname #/home/lws/.config/kdeglobals#, cfg.homedir #/home/lws#
Debug 423: new_name #/home/lws/.config/kio_httprc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/kioslaverc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/ksslcablacklist#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.config/qt5ct#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde/share/config/kdeglobals#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde/share/config/kio_httprc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde/share/config/kioslaverc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde/share/config/ksslcablacklist#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde/share/config/oxygenrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde/share/icons#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde4/share/config/kdeglobals#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde4/share/config/kio_httprc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde4/share/config/kioslaverc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde4/share/config/ksslcablacklist#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde4/share/config/oxygenrc#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.kde4/share/icons#, whitelist
realpath: No such file or directory
Debug 423: new_name #/home/lws/.local/share/qt5ct#, whitelist
realpath: No such file or directory
Debug 423: new_name #/var/lib/dbus#, whitelist
Debug 423: new_name #/var/lib/menu-xdg#, whitelist
realpath: No such file or directory
Debug 423: new_name #/var/cache/fontconfig#, whitelist
Debug 423: new_name #/var/tmp#, whitelist
Debug 423: new_name #/var/run#, whitelist
Debug 423: new_name #/var/lock#, whitelist
Debug 423: new_name #/tmp/.X11-unix#, whitelist
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Post-exec seccomp protector enabled
DISPLAY=:0 parsed as 0
Child process initialized in 178.53 ms
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.













$ cat fire.debug 
Autoselecting /bin/bash as shell
Building quoted command line: 'firefox' 
Command name #firefox#
Found firefox.profile profile in /etc/firejail directory
Found whitelist-usr-share-common.inc profile in /etc/firejail directory
Found firefox-common.profile profile in /etc/firejail directory
conditional BROWSER_ALLOW_DRM, ignore noexec ${HOME}
Found disable-common.inc profile in /etc/firejail directory
Found disable-devel.inc profile in /etc/firejail directory
Found disable-exec.inc profile in /etc/firejail directory
Found disable-interpreters.inc profile in /etc/firejail directory
Found disable-programs.inc profile in /etc/firejail directory
Found whitelist-common.inc profile in /etc/firejail directory
Found whitelist-var-common.inc profile in /etc/firejail directory
conditional BROWSER_DISABLE_U2F, nou2f
Using the local network stack
conditional BROWSER_DISABLE_U2F, nou2f
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Build protocol filter: unix,inet,inet6,netlink
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6,netlink /run/firejail/mnt/seccomp/seccomp.protocol (null) 
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
Mounting noexec /etc
Mounting read-only /var
Mounting noexec /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /libx32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/snd directory
mounting /run/firejail/mnt/dev/dri directory
mounting /run/firejail/mnt/dev/video0 file
mounting /run/firejail/mnt/dev/video1 file
Process /dev/shm directory
Generate private-tmp whitelist commands
blacklist /run/user/1000/bus
blacklist /run/dbus/system_bus_socket
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /proc/kmsg
Replaced whitelist path: whitelist /home/lws/.cache/mozilla/firefox
Replaced whitelist path: whitelist /home/lws/.mozilla
Removed whitelist/nowhitelist path: whitelist /usr/share/webext
	expanded: /usr/share/webext
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/crypto-policies
	expanded: /usr/share/crypto-policies
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/cursors
	expanded: /usr/share/cursors
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/dconf
	expanded: /usr/share/dconf
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/enchant
	expanded: /usr/share/enchant
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/gir-1.0
	expanded: /usr/share/gir-1.0
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/gjs-1.0
	expanded: /usr/share/gjs-1.0
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/gtk-2.0
	expanded: /usr/share/gtk-2.0
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/gtk-3.0
	expanded: /usr/share/gtk-3.0
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/gtksourceview-4
	expanded: /usr/share/gtksourceview-4
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/hwdata
	expanded: /usr/share/hwdata
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/Kvantum
	expanded: /usr/share/Kvantum
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/Modules
	expanded: /usr/share/Modules
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/myspell
	expanded: /usr/share/myspell
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/pki
	expanded: /usr/share/pki
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/qt
	expanded: /usr/share/qt
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/qt4
	expanded: /usr/share/qt4
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/tcl8.6
	expanded: /usr/share/tcl8.6
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /usr/share/thumbnail.so
	expanded: /usr/share/thumbnail.so
	real path: (null)
	Directory ${DOWNLOADS} resolved as Scaricati
Replaced whitelist path: whitelist /home/lws/Scaricati
Replaced whitelist path: whitelist /home/lws/.pki
Replaced whitelist path: whitelist /home/lws/.local/share/pki
Removed whitelist/nowhitelist path: whitelist ${HOME}/.XCompose
	expanded: /home/lws/.XCompose
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.asoundrc
	expanded: /home/lws/.asoundrc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ibus
	expanded: /home/lws/.config/ibus
	real path: (null)
	Replaced whitelist path: whitelist /home/lws/.config/mimeapps.list
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/pkcs11
	expanded: /home/lws/.config/pkcs11
	real path: (null)
	Replaced whitelist path: whitelist /home/lws/.config/user-dirs.dirs
Removed whitelist/nowhitelist path: whitelist ${HOME}/.drirc
	expanded: /home/lws/.drirc
	real path: (null)
	Replaced whitelist path: whitelist /home/lws/.icons
Replaced whitelist path: whitelist /home/lws/.local/share/applications
Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/icons
	expanded: /home/lws/.local/share/icons
	real path: (null)
	Replaced whitelist path: whitelist /home/lws/.local/share/mime
Removed whitelist/nowhitelist path: whitelist ${HOME}/.mime.types
	expanded: /home/lws/.mime.types
	real path: (null)
	Replaced whitelist path: whitelist /home/lws/.config/dconf
Replaced whitelist path: whitelist /home/lws/.cache/fontconfig
Replaced whitelist path: whitelist /home/lws/.config/fontconfig
Removed whitelist/nowhitelist path: whitelist ${HOME}/.fontconfig
	expanded: /home/lws/.fontconfig
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts
	expanded: /home/lws/.fonts
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf
	expanded: /home/lws/.fonts.conf
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.conf.d
	expanded: /home/lws/.fonts.conf.d
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.fonts.d
	expanded: /home/lws/.fonts.d
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/fonts
	expanded: /home/lws/.local/share/fonts
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.pangorc
	expanded: /home/lws/.pangorc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtk-2.0
	expanded: /home/lws/.config/gtk-2.0
	real path: (null)
	Replaced whitelist path: whitelist /home/lws/.config/gtk-3.0
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc
	expanded: /home/lws/.config/gtkrc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/gtkrc-2.0
	expanded: /home/lws/.config/gtkrc-2.0
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2
	expanded: /home/lws/.gnome2
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.gnome2-private
	expanded: /home/lws/.gnome2-private
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtk-2.0
	expanded: /home/lws/.gtk-2.0
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.gtkrc
	expanded: /home/lws/.gtkrc
	real path: (null)
	Replaced whitelist path: whitelist /home/lws/.gtkrc-2.0
Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc
	expanded: /home/lws/.kde/share/config/gtkrc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/gtkrc-2.0
	expanded: /home/lws/.kde/share/config/gtkrc-2.0
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc
	expanded: /home/lws/.kde4/share/config/gtkrc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/gtkrc-2.0
	expanded: /home/lws/.kde4/share/config/gtkrc-2.0
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/themes
	expanded: /home/lws/.local/share/themes
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.themes
	expanded: /home/lws/.themes
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.cache/kioexec/krun
	expanded: /home/lws/.cache/kioexec/krun
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Kvantum
	expanded: /home/lws/.config/Kvantum
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/Trolltech.conf
	expanded: /home/lws/.config/Trolltech.conf
	real path: (null)
	Replaced whitelist path: whitelist /home/lws/.config/kdeglobals
Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kio_httprc
	expanded: /home/lws/.config/kio_httprc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/kioslaverc
	expanded: /home/lws/.config/kioslaverc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/ksslcablacklist
	expanded: /home/lws/.config/ksslcablacklist
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.config/qt5ct
	expanded: /home/lws/.config/qt5ct
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kdeglobals
	expanded: /home/lws/.kde/share/config/kdeglobals
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kio_httprc
	expanded: /home/lws/.kde/share/config/kio_httprc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/kioslaverc
	expanded: /home/lws/.kde/share/config/kioslaverc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/ksslcablacklist
	expanded: /home/lws/.kde/share/config/ksslcablacklist
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/config/oxygenrc
	expanded: /home/lws/.kde/share/config/oxygenrc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde/share/icons
	expanded: /home/lws/.kde/share/icons
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kdeglobals
	expanded: /home/lws/.kde4/share/config/kdeglobals
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kio_httprc
	expanded: /home/lws/.kde4/share/config/kio_httprc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/kioslaverc
	expanded: /home/lws/.kde4/share/config/kioslaverc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/ksslcablacklist
	expanded: /home/lws/.kde4/share/config/ksslcablacklist
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/config/oxygenrc
	expanded: /home/lws/.kde4/share/config/oxygenrc
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.kde4/share/icons
	expanded: /home/lws/.kde4/share/icons
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist ${HOME}/.local/share/qt5ct
	expanded: /home/lws/.local/share/qt5ct
	real path: (null)
	Removed whitelist/nowhitelist path: whitelist /var/lib/menu-xdg
	expanded: /var/lib/menu-xdg
	real path: (null)
	Replaced whitelist path: whitelist /run
Replaced whitelist path: whitelist /run/lock
Mounting tmpfs on /tmp directory
Mounting tmpfs on /var directory
Mounting tmpfs on /usr/share directory
Mounting a new /home directory
Mounting a new /root directory
Create a new user directory
Whitelisting /home/lws/.cache/mozilla/firefox
1337 1335 8:2 /home/lws/.cache/mozilla/firefox /home/lws/.cache/mozilla/firefox rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1337 fsname=/home/lws/.cache/mozilla/firefox dir=/home/lws/.cache/mozilla/firefox fstype=ext4
Whitelisting /home/lws/.mozilla
1338 1335 8:2 /home/lws/.mozilla /home/lws/.mozilla rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1338 fsname=/home/lws/.mozilla dir=/home/lws/.mozilla fstype=ext4
Whitelisting /usr/share/mozilla
1339 1333 8:2 /usr/share/mozilla /usr/share/mozilla ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1339 fsname=/usr/share/mozilla dir=/usr/share/mozilla fstype=ext4
Whitelisting /usr/share/alsa
1340 1333 8:2 /usr/share/alsa /usr/share/alsa ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1340 fsname=/usr/share/alsa dir=/usr/share/alsa fstype=ext4
Whitelisting /usr/share/applications
1341 1333 8:2 /usr/share/applications /usr/share/applications ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1341 fsname=/usr/share/applications dir=/usr/share/applications fstype=ext4
Whitelisting /usr/share/ca-certificates
1342 1333 8:2 /usr/share/ca-certificates /usr/share/ca-certificates ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1342 fsname=/usr/share/ca-certificates dir=/usr/share/ca-certificates fstype=ext4
Whitelisting /usr/share/distro-info
1343 1333 8:2 /usr/share/distro-info /usr/share/distro-info ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1343 fsname=/usr/share/distro-info dir=/usr/share/distro-info fstype=ext4
Whitelisting /usr/share/drirc.d
1344 1333 8:2 /usr/share/drirc.d /usr/share/drirc.d ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1344 fsname=/usr/share/drirc.d dir=/usr/share/drirc.d fstype=ext4
Whitelisting /usr/share/enchant-2
1345 1333 8:2 /usr/share/enchant-2 /usr/share/enchant-2 ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1345 fsname=/usr/share/enchant-2 dir=/usr/share/enchant-2 fstype=ext4
Whitelisting /usr/share/fontconfig
1346 1333 8:2 /usr/share/fontconfig /usr/share/fontconfig ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1346 fsname=/usr/share/fontconfig dir=/usr/share/fontconfig fstype=ext4
Whitelisting /usr/share/fonts
1347 1333 8:2 /usr/share/fonts /usr/share/fonts ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1347 fsname=/usr/share/fonts dir=/usr/share/fonts fstype=ext4
Whitelisting /usr/share/glib-2.0
1348 1333 8:2 /usr/share/glib-2.0 /usr/share/glib-2.0 ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1348 fsname=/usr/share/glib-2.0 dir=/usr/share/glib-2.0 fstype=ext4
Whitelisting /usr/share/glvnd
1349 1333 8:2 /usr/share/glvnd /usr/share/glvnd ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1349 fsname=/usr/share/glvnd dir=/usr/share/glvnd fstype=ext4
Whitelisting /usr/share/gtksourceview-3.0
1350 1333 8:2 /usr/share/gtksourceview-3.0 /usr/share/gtksourceview-3.0 ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1350 fsname=/usr/share/gtksourceview-3.0 dir=/usr/share/gtksourceview-3.0 fstype=ext4
Whitelisting /usr/share/hunspell
1351 1333 8:2 /usr/share/hunspell /usr/share/hunspell ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1351 fsname=/usr/share/hunspell dir=/usr/share/hunspell fstype=ext4
Whitelisting /usr/share/icons
1352 1333 8:2 /usr/share/icons /usr/share/icons ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1352 fsname=/usr/share/icons dir=/usr/share/icons fstype=ext4
Whitelisting /usr/share/knotifications5
1353 1333 8:2 /usr/share/knotifications5 /usr/share/knotifications5 ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1353 fsname=/usr/share/knotifications5 dir=/usr/share/knotifications5 fstype=ext4
Whitelisting /usr/share/icu
1354 1333 8:2 /usr/share/icu /usr/share/icu ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1354 fsname=/usr/share/icu dir=/usr/share/icu fstype=ext4
Whitelisting /usr/share/kservices5
1355 1333 8:2 /usr/share/kservices5 /usr/share/kservices5 ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1355 fsname=/usr/share/kservices5 dir=/usr/share/kservices5 fstype=ext4
Whitelisting /usr/share/kxmlgui5
1356 1333 8:2 /usr/share/kxmlgui5 /usr/share/kxmlgui5 ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1356 fsname=/usr/share/kxmlgui5 dir=/usr/share/kxmlgui5 fstype=ext4
Whitelisting /usr/share/libdrm
1357 1333 8:2 /usr/share/libdrm /usr/share/libdrm ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1357 fsname=/usr/share/libdrm dir=/usr/share/libdrm fstype=ext4
Whitelisting /usr/share/libthai
1358 1333 8:2 /usr/share/libthai /usr/share/libthai ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1358 fsname=/usr/share/libthai dir=/usr/share/libthai fstype=ext4
Whitelisting /usr/share/locale
1359 1333 8:2 /usr/share/locale /usr/share/locale ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1359 fsname=/usr/share/locale dir=/usr/share/locale fstype=ext4
Whitelisting /usr/share/mime
1360 1333 8:2 /usr/share/mime /usr/share/mime ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1360 fsname=/usr/share/mime dir=/usr/share/mime fstype=ext4
Whitelisting /usr/share/misc
1361 1333 8:2 /usr/share/misc /usr/share/misc ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1361 fsname=/usr/share/misc dir=/usr/share/misc fstype=ext4
Whitelisting /usr/share/p11-kit
1362 1333 8:2 /usr/share/p11-kit /usr/share/p11-kit ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1362 fsname=/usr/share/p11-kit dir=/usr/share/p11-kit fstype=ext4
Whitelisting /usr/share/pixmaps
1363 1333 8:2 /usr/share/pixmaps /usr/share/pixmaps ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1363 fsname=/usr/share/pixmaps dir=/usr/share/pixmaps fstype=ext4
Whitelisting /usr/share/plasma
1364 1333 8:2 /usr/share/plasma /usr/share/plasma ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1364 fsname=/usr/share/plasma dir=/usr/share/plasma fstype=ext4
Whitelisting /usr/share/qt5
1365 1333 8:2 /usr/share/qt5 /usr/share/qt5 ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1365 fsname=/usr/share/qt5 dir=/usr/share/qt5 fstype=ext4
Whitelisting /usr/share/sounds
1366 1333 8:2 /usr/share/sounds /usr/share/sounds ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1366 fsname=/usr/share/sounds dir=/usr/share/sounds fstype=ext4
Whitelisting /usr/share/terminfo
1367 1333 8:2 /usr/share/terminfo /usr/share/terminfo ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1367 fsname=/usr/share/terminfo dir=/usr/share/terminfo fstype=ext4
Whitelisting /usr/share/themes
1368 1333 8:2 /usr/share/themes /usr/share/themes ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1368 fsname=/usr/share/themes dir=/usr/share/themes fstype=ext4
Whitelisting /usr/share/X11
1369 1333 8:2 /usr/share/X11 /usr/share/X11 ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1369 fsname=/usr/share/X11 dir=/usr/share/X11 fstype=ext4
Whitelisting /usr/share/xml
1370 1333 8:2 /usr/share/xml /usr/share/xml ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1370 fsname=/usr/share/xml dir=/usr/share/xml fstype=ext4
Whitelisting /usr/share/zoneinfo
1371 1333 8:2 /usr/share/zoneinfo /usr/share/zoneinfo ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1371 fsname=/usr/share/zoneinfo dir=/usr/share/zoneinfo fstype=ext4
Whitelisting /home/lws/Scaricati
1372 1335 8:2 /home/lws/Scaricati /home/lws/Scaricati rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1372 fsname=/home/lws/Scaricati dir=/home/lws/Scaricati fstype=ext4
Whitelisting /home/lws/.pki
1373 1335 8:2 /home/lws/.pki /home/lws/.pki rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1373 fsname=/home/lws/.pki dir=/home/lws/.pki fstype=ext4
Whitelisting /home/lws/.local/share/pki
1374 1335 8:2 /home/lws/.local/share/pki /home/lws/.local/share/pki rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1374 fsname=/home/lws/.local/share/pki dir=/home/lws/.local/share/pki fstype=ext4
Whitelisting /home/lws/.config/mimeapps.list
1375 1335 8:2 /home/lws/.config/mimeapps.list /home/lws/.config/mimeapps.list rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1375 fsname=/home/lws/.config/mimeapps.list dir=/home/lws/.config/mimeapps.list fstype=ext4
Whitelisting /home/lws/.config/user-dirs.dirs
1376 1335 8:2 /home/lws/.config/user-dirs.dirs /home/lws/.config/user-dirs.dirs rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1376 fsname=/home/lws/.config/user-dirs.dirs dir=/home/lws/.config/user-dirs.dirs fstype=ext4
Whitelisting /home/lws/.icons
1377 1335 8:2 /home/lws/.icons /home/lws/.icons rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1377 fsname=/home/lws/.icons dir=/home/lws/.icons fstype=ext4
Whitelisting /home/lws/.local/share/applications
1378 1335 8:2 /home/lws/.local/share/applications /home/lws/.local/share/applications rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1378 fsname=/home/lws/.local/share/applications dir=/home/lws/.local/share/applications fstype=ext4
Whitelisting /home/lws/.local/share/mime
1379 1335 8:2 /home/lws/.local/share/mime /home/lws/.local/share/mime rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1379 fsname=/home/lws/.local/share/mime dir=/home/lws/.local/share/mime fstype=ext4
Whitelisting /home/lws/.config/dconf
1380 1335 8:2 /home/lws/.config/dconf /home/lws/.config/dconf rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1380 fsname=/home/lws/.config/dconf dir=/home/lws/.config/dconf fstype=ext4
Whitelisting /home/lws/.cache/fontconfig
1381 1335 8:2 /home/lws/.cache/fontconfig /home/lws/.cache/fontconfig rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1381 fsname=/home/lws/.cache/fontconfig dir=/home/lws/.cache/fontconfig fstype=ext4
Whitelisting /home/lws/.config/fontconfig
1382 1335 8:2 /home/lws/.config/fontconfig /home/lws/.config/fontconfig rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1382 fsname=/home/lws/.config/fontconfig dir=/home/lws/.config/fontconfig fstype=ext4
Whitelisting /home/lws/.config/gtk-3.0
1383 1335 8:2 /home/lws/.config/gtk-3.0 /home/lws/.config/gtk-3.0 rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1383 fsname=/home/lws/.config/gtk-3.0 dir=/home/lws/.config/gtk-3.0 fstype=ext4
Whitelisting /home/lws/.gtkrc-2.0
1384 1335 8:2 /home/lws/.gtkrc-2.0 /home/lws/.gtkrc-2.0 rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1384 fsname=/home/lws/.gtkrc-2.0 dir=/home/lws/.gtkrc-2.0 fstype=ext4
Whitelisting /home/lws/.config/kdeglobals
1385 1335 8:2 /home/lws/.config/kdeglobals /home/lws/.config/kdeglobals rw,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1385 fsname=/home/lws/.config/kdeglobals dir=/home/lws/.config/kdeglobals fstype=ext4
Whitelisting /var/lib/dbus
1386 1331 8:2 /var/lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1386 fsname=/var/lib/dbus dir=/var/lib/dbus fstype=ext4
Whitelisting /var/cache/fontconfig
1387 1331 8:2 /var/cache/fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1387 fsname=/var/cache/fontconfig dir=/var/cache/fontconfig fstype=ext4
Whitelisting /var/tmp
1388 1331 0:59 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64
mountid=1388 fsname=/ dir=/var/tmp fstype=tmpfs
Created symbolic link /var/run -> /run
Created symbolic link /var/lock -> /run/lock
Whitelisting /tmp/.X11-unix
1389 1324 0:50 /.X11-unix /tmp/.X11-unix rw,noatime master:69 - tmpfs tmpfs rw,inode64
mountid=1389 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Disable /etc/X11/Xsession.d
Disable /etc/xdg/autostart
Mounting read-only /home/lws/.Xauthority
1396 1335 0:73 /lws/.Xauthority /home/lws/.Xauthority ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1396 fsname=/lws/.Xauthority dir=/home/lws/.Xauthority fstype=tmpfs
Mounting read-only /home/lws/.config/kdeglobals
1397 1385 8:2 /home/lws/.config/kdeglobals /home/lws/.config/kdeglobals ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1397 fsname=/home/lws/.config/kdeglobals dir=/home/lws/.config/kdeglobals fstype=ext4
Mounting read-only /home/lws/.config/dconf
1398 1380 8:2 /home/lws/.config/dconf /home/lws/.config/dconf ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1398 fsname=/home/lws/.config/dconf dir=/home/lws/.config/dconf fstype=ext4
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /etc/anacrontab
Disable /etc/cron.monthly
Disable /etc/cron.daily
Disable /etc/cron.weekly
Disable /etc/cron.hourly
Disable /etc/cron.d
Disable /etc/crontab
Disable /etc/profile.d
Disable /etc/rc0.d
Disable /etc/rc6.d
Disable /etc/rcS.d
Disable /etc/rc5.d
Disable /etc/rc3.d
Disable /etc/rc1.d
Disable /etc/rc2.d
Disable /etc/rc4.d
Disable /etc/kernel-img.conf
Disable /etc/kerneloops.conf
Disable /etc/kernel
Disable /etc/grub.d
Disable /etc/dkms
Disable /etc/apparmor.d
Disable /etc/apparmor
Disable /etc/selinux
Disable /etc/modules-load.d
Disable /etc/modules
Disable /etc/logrotate.conf
Disable /etc/logrotate.d
Disable /etc/adduser.conf
Mounting read-only /home/lws/.bashrc
1429 1335 0:73 /lws/.bashrc /home/lws/.bashrc ro,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1429 fsname=/lws/.bashrc dir=/home/lws/.bashrc fstype=tmpfs
Mounting read-only /home/lws/.local/share/applications
1430 1378 8:2 /home/lws/.local/share/applications /home/lws/.local/share/applications ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1430 fsname=/home/lws/.local/share/applications dir=/home/lws/.local/share/applications fstype=ext4
Not blacklist /home/lws/.pki
Not blacklist /home/lws/.local/share/pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/sbin (requested /sbin)
Disable /usr/local/sbin
Disable /usr/sbin
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/crontab
Disable /usr/bin/crontab (requested /bin/crontab)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/nc.openbsd (requested /usr/bin/nc)
Disable /usr/bin/nc.openbsd (requested /bin/nc)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/ntfs-3g
Disable /usr/bin/ntfs-3g (requested /bin/ntfs-3g)
Disable /usr/bin/pkexec
Disable /usr/bin/pkexec (requested /bin/pkexec)
Disable /usr/bin/newgrp (requested /usr/bin/sg)
Disable /usr/bin/newgrp (requested /bin/sg)
Disable /usr/bin/strace
Disable /usr/bin/strace (requested /bin/strace)
Disable /usr/bin/su
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/lib/virtualbox
Disable /usr/bin/urxvtc
Disable /usr/bin/urxvtc (requested /bin/urxvtc)
Disable /usr/bin/urxvtcd
Disable /usr/bin/urxvtcd (requested /bin/urxvtcd)
Disable /usr/bin/bwrap
Disable /usr/bin/bwrap (requested /bin/bwrap)
Disable /usr/bin/x86_64-linux-gnu-as (requested /usr/bin/as)
Disable /usr/bin/x86_64-linux-gnu-as (requested /bin/as)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/cc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/cc)
Disable /usr/bin/x86_64-linux-gnu-c++filt (requested /usr/bin/c++filt)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/c++)
Disable /usr/bin/x86_64-linux-gnu-c++filt (requested /bin/c++filt)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/c++)
Disable /usr/bin/c89-gcc
Disable /usr/bin/c89-gcc (requested /usr/bin/c89)
Disable /usr/bin/c89-gcc (requested /bin/c89-gcc)
Disable /usr/bin/c89-gcc (requested /bin/c89)
Disable /usr/bin/c99-gcc
Disable /usr/bin/c99-gcc (requested /usr/bin/c99)
Disable /usr/bin/c99-gcc (requested /bin/c99-gcc)
Disable /usr/bin/c99-gcc (requested /bin/c99)
Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /usr/bin/cpp)
Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /usr/bin/cpp-9)
Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /bin/cpp)
Disable /usr/bin/x86_64-linux-gnu-cpp-9 (requested /bin/cpp-9)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/g++-9)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/g++-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/gcc-ar-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/gcc-ranlib-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/gcc-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/gcc-nm-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/gcc-ar-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/gcc-ranlib-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/gcc-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/gcc-ranlib)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/gcc-nm-9)
Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /usr/bin/ld)
Disable /usr/bin/x86_64-linux-gnu-ld.bfd (requested /bin/ld)
Disable /usr/bin/c99-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-9
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/c89-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/c99-gcc (requested /bin/c99-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/c89-gcc (requested /bin/c89-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++-9)
Disable /usr/bin/c99-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /usr/bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-9
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /usr/bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/c89-gcc
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /usr/bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/c99-gcc (requested /bin/c99-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-9 (requested /bin/x86_64-linux-gnu-gcc-nm-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-9 (requested /bin/x86_64-linux-gnu-gcc-ar)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib-9)
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-9 (requested /bin/x86_64-linux-gnu-gcc-ranlib)
Disable /usr/bin/c89-gcc (requested /bin/c89-gcc)
Disable /usr/bin/x86_64-linux-gnu-gcc-9 (requested /bin/x86_64-linux-gnu-gcc)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /usr/bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++)
Disable /usr/bin/x86_64-linux-gnu-g++-9 (requested /bin/x86_64-linux-gnu-g++-9)
Disable /usr/include
Disable /usr/bin/openssl
Disable /usr/bin/openssl (requested /bin/openssl)
Disable /usr/lib/valgrind
Mounting noexec /run/user/1000
1585 1580 0:25 /firejail/firejail.ro.dir /run/user/1000/systemd rw,nosuid,nodev,noexec,relatime master:5 - tmpfs tmpfs rw,size=392800k,mode=755,inode64
mountid=1585 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/systemd fstype=tmpfs
Mounting noexec /dev/shm
1586 1311 0:68 /shm /dev/shm rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=1586 fsname=/shm dir=/dev/shm fstype=tmpfs
Mounting noexec /tmp
1588 1587 0:50 /.X11-unix /tmp/.X11-unix rw,noatime master:69 - tmpfs tmpfs rw,inode64
mountid=1588 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /tmp/.X11-unix
1589 1588 0:50 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,noatime master:69 - tmpfs tmpfs rw,inode64
mountid=1589 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /var
1593 1590 0:59 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64
mountid=1593 fsname=/ dir=/var/tmp fstype=tmpfs
Disable /usr/bin/cpan5.30-x86_64-linux-gnu
Disable /usr/bin/cpan5.30-i386-linux-gnu
Disable /usr/bin/cpan
Disable /usr/bin/cpan5.30-x86_64-linux-gnu (requested /bin/cpan5.30-x86_64-linux-gnu)
Disable /usr/bin/cpan5.30-i386-linux-gnu (requested /bin/cpan5.30-i386-linux-gnu)
Disable /usr/bin/cpan (requested /bin/cpan)
Disable /usr/bin/perl
Disable /usr/bin/perl (requested /bin/perl)
Disable /usr/bin/python2.7
Disable /usr/bin/python2.7 (requested /usr/bin/python2)
Disable /usr/bin/python2.7 (requested /bin/python2.7)
Disable /usr/bin/python2.7 (requested /bin/python2)
Disable /usr/lib/python2.7
Disable /usr/local/lib/python2.7
Disable /usr/bin/python3-pasteurize
Disable /usr/bin/python3.8
Disable /usr/bin/python3-futurize
Disable /usr/bin/python3-wsdump
Disable /usr/bin/x86_64-linux-gnu-python3.8-config (requested /usr/bin/python3.8-config)
Disable /usr/bin/x86_64-linux-gnu-python3.8-config (requested /usr/bin/python3-config)
Disable /usr/bin/python3.8 (requested /usr/bin/python3)
Disable /usr/bin/python3-pasteurize (requested /bin/python3-pasteurize)
Disable /usr/bin/python3.8 (requested /bin/python3.8)
Disable /usr/bin/python3-futurize (requested /bin/python3-futurize)
Disable /usr/bin/python3-wsdump (requested /bin/python3-wsdump)
Disable /usr/bin/x86_64-linux-gnu-python3.8-config (requested /bin/python3.8-config)
Disable /usr/bin/x86_64-linux-gnu-python3.8-config (requested /bin/python3-config)
Disable /usr/bin/python3.8 (requested /bin/python3)
Disable /usr/lib/python3.9
Disable /usr/lib/python3.8
Disable /usr/lib/python3
Disable /usr/local/lib/python3.8
Not blacklist /home/lws/.mozilla
Not blacklist /home/lws/.cache/mozilla
Mounting read-only /home/lws/.config/user-dirs.dirs
1626 1376 8:2 /home/lws/.config/user-dirs.dirs /home/lws/.config/user-dirs.dirs ro,relatime master:1 - ext4 /dev/sda2 rw,discard
mountid=1626 fsname=/home/lws/.config/user-dirs.dirs dir=/home/lws/.config/user-dirs.dirs fstype=ext4
Mounting read-only /tmp/.X11-unix
1627 1589 0:50 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,noatime master:69 - tmpfs tmpfs rw,inode64
mountid=1627 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Disable /sys/fs
Disable /sys/module
Disable /mnt
Disable /media
Disable /run/mount
Mounting noexec /run/firejail/mnt/pulse
Creating empty /home/lws/.config/pulse directory
Mounting /run/firejail/mnt/pulse on /home/lws/.config/pulse
2199 1335 0:54 /pulse /home/lws/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=2199 fsname=/pulse dir=/home/lws/.config/pulse fstype=tmpfs
Create the new ld.so.preload file
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 01 00 00000029   jeq socket 0006 (false 0005)
 0005: 06 00 00 7fff0000   ret ALLOW
 0006: 20 00 00 00000010   ld  data.args[0]
 0007: 15 00 01 00000001   jeq 1 0008 (false 0009)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 00 01 00000002   jeq 2 000a (false 000b)
 000a: 06 00 00 7fff0000   ret ALLOW
 000b: 15 00 01 0000000a   jeq a 000c (false 000d)
 000c: 06 00 00 7fff0000   ret ALLOW
 000d: 15 00 01 00000010   jeq 10 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 06 00 00 0005005f   ret ERRNO(95)
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 40000003   jeq ARCH_32 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 15 30 00 00000015   jeq 15 0035 (false 0005)
 0005: 15 2f 00 00000034   jeq 34 0035 (false 0006)
 0006: 15 2e 00 0000001a   jeq 1a 0035 (false 0007)
 0007: 15 2d 00 0000011b   jeq 11b 0035 (false 0008)
 0008: 15 2c 00 00000155   jeq 155 0035 (false 0009)
 0009: 15 2b 00 00000156   jeq 156 0035 (false 000a)
 000a: 15 2a 00 0000007f   jeq 7f 0035 (false 000b)
 000b: 15 29 00 00000080   jeq 80 0035 (false 000c)
 000c: 15 28 00 0000015e   jeq 15e 0035 (false 000d)
 000d: 15 27 00 00000081   jeq 81 0035 (false 000e)
 000e: 15 26 00 0000006e   jeq 6e 0035 (false 000f)
 000f: 15 25 00 00000065   jeq 65 0035 (false 0010)
 0010: 15 24 00 00000121   jeq 121 0035 (false 0011)
 0011: 15 23 00 00000057   jeq 57 0035 (false 0012)
 0012: 15 22 00 00000073   jeq 73 0035 (false 0013)
 0013: 15 21 00 00000067   jeq 67 0035 (false 0014)
 0014: 15 20 00 0000015b   jeq 15b 0035 (false 0015)
 0015: 15 1f 00 0000015c   jeq 15c 0035 (false 0016)
 0016: 15 1e 00 00000087   jeq 87 0035 (false 0017)
 0017: 15 1d 00 00000095   jeq 95 0035 (false 0018)
 0018: 15 1c 00 0000007c   jeq 7c 0035 (false 0019)
 0019: 15 1b 00 00000157   jeq 157 0035 (false 001a)
 001a: 15 1a 00 000000fd   jeq fd 0035 (false 001b)
 001b: 15 19 00 00000150   jeq 150 0035 (false 001c)
 001c: 15 18 00 00000152   jeq 152 0035 (false 001d)
 001d: 15 17 00 0000015d   jeq 15d 0035 (false 001e)
 001e: 15 16 00 0000011e   jeq 11e 0035 (false 001f)
 001f: 15 15 00 0000011f   jeq 11f 0035 (false 0020)
 0020: 15 14 00 00000120   jeq 120 0035 (false 0021)
 0021: 15 13 00 00000056   jeq 56 0035 (false 0022)
 0022: 15 12 00 00000033   jeq 33 0035 (false 0023)
 0023: 15 11 00 0000007b   jeq 7b 0035 (false 0024)
 0024: 15 10 00 000000d9   jeq d9 0035 (false 0025)
 0025: 15 0f 00 000000f5   jeq f5 0035 (false 0026)
 0026: 15 0e 00 000000f6   jeq f6 0035 (false 0027)
 0027: 15 0d 00 000000f7   jeq f7 0035 (false 0028)
 0028: 15 0c 00 000000f8   jeq f8 0035 (false 0029)
 0029: 15 0b 00 000000f9   jeq f9 0035 (false 002a)
 002a: 15 0a 00 00000101   jeq 101 0035 (false 002b)
 002b: 15 09 00 00000112   jeq 112 0035 (false 002c)
 002c: 15 08 00 00000114   jeq 114 0035 (false 002d)
 002d: 15 07 00 00000126   jeq 126 0035 (false 002e)
 002e: 15 06 00 0000013d   jeq 13d 0035 (false 002f)
 002f: 15 05 00 0000013c   jeq 13c 0035 (false 0030)
 0030: 15 04 00 0000003d   jeq 3d 0035 (false 0031)
 0031: 15 03 00 00000058   jeq 58 0035 (false 0032)
 0032: 15 02 00 000000a9   jeq a9 0035 (false 0033)
 0033: 15 01 00 00000082   jeq 82 0035 (false 0034)
 0034: 06 00 00 7fff0000   ret ALLOW
 0035: 06 00 00 00000000   ret KILL
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 01 000000a1   jeq chroot 0008 (false 0009)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 3f 00 0000009f   jeq adjtimex 0049 (false 000a)
 000a: 15 3e 00 00000131   jeq clock_adjtime 0049 (false 000b)
 000b: 15 3d 00 000000e3   jeq clock_settime 0049 (false 000c)
 000c: 15 3c 00 000000a4   jeq settimeofday 0049 (false 000d)
 000d: 15 3b 00 0000009a   jeq modify_ldt 0049 (false 000e)
 000e: 15 3a 00 000000d4   jeq lookup_dcookie 0049 (false 000f)
 000f: 15 39 00 0000012a   jeq perf_event_open 0049 (false 0010)
 0010: 15 38 00 00000137   jeq process_vm_writev 0049 (false 0011)
 0011: 15 37 00 000000b0   jeq delete_module 0049 (false 0012)
 0012: 15 36 00 00000139   jeq finit_module 0049 (false 0013)
 0013: 15 35 00 000000af   jeq init_module 0049 (false 0014)
 0014: 15 34 00 0000009c   jeq _sysctl 0049 (false 0015)
 0015: 15 33 00 000000b7   jeq afs_syscall 0049 (false 0016)
 0016: 15 32 00 000000ae   jeq create_module 0049 (false 0017)
 0017: 15 31 00 000000b1   jeq get_kernel_syms 0049 (false 0018)
 0018: 15 30 00 000000b5   jeq getpmsg 0049 (false 0019)
 0019: 15 2f 00 000000b6   jeq putpmsg 0049 (false 001a)
 001a: 15 2e 00 000000b2   jeq query_module 0049 (false 001b)
 001b: 15 2d 00 000000b9   jeq security 0049 (false 001c)
 001c: 15 2c 00 0000008b   jeq sysfs 0049 (false 001d)
 001d: 15 2b 00 000000b8   jeq tuxcall 0049 (false 001e)
 001e: 15 2a 00 00000086   jeq uselib 0049 (false 001f)
 001f: 15 29 00 00000088   jeq ustat 0049 (false 0020)
 0020: 15 28 00 000000ec   jeq vserver 0049 (false 0021)
 0021: 15 27 00 000000ad   jeq ioperm 0049 (false 0022)
 0022: 15 26 00 000000ac   jeq iopl 0049 (false 0023)
 0023: 15 25 00 000000f6   jeq kexec_load 0049 (false 0024)
 0024: 15 24 00 00000140   jeq kexec_file_load 0049 (false 0025)
 0025: 15 23 00 000000a9   jeq reboot 0049 (false 0026)
 0026: 15 22 00 000000a7   jeq swapon 0049 (false 0027)
 0027: 15 21 00 000000a8   jeq swapoff 0049 (false 0028)
 0028: 15 20 00 00000130   jeq open_by_handle_at 0049 (false 0029)
 0029: 15 1f 00 0000012f   jeq name_to_handle_at 0049 (false 002a)
 002a: 15 1e 00 000000fb   jeq ioprio_set 0049 (false 002b)
 002b: 15 1d 00 00000067   jeq syslog 0049 (false 002c)
 002c: 15 1c 00 0000012c   jeq fanotify_init 0049 (false 002d)
 002d: 15 1b 00 00000138   jeq kcmp 0049 (false 002e)
 002e: 15 1a 00 000000f8   jeq add_key 0049 (false 002f)
 002f: 15 19 00 000000f9   jeq request_key 0049 (false 0030)
 0030: 15 18 00 000000ed   jeq mbind 0049 (false 0031)
 0031: 15 17 00 00000100   jeq migrate_pages 0049 (false 0032)
 0032: 15 16 00 00000117   jeq move_pages 0049 (false 0033)
 0033: 15 15 00 000000fa   jeq keyctl 0049 (false 0034)
 0034: 15 14 00 000000ce   jeq io_setup 0049 (false 0035)
 0035: 15 13 00 000000cf   jeq io_destroy 0049 (false 0036)
 0036: 15 12 00 000000d0   jeq io_getevents 0049 (false 0037)
 0037: 15 11 00 000000d1   jeq io_submit 0049 (false 0038)
 0038: 15 10 00 000000d2   jeq io_cancel 0049 (false 0039)
 0039: 15 0f 00 000000d8   jeq remap_file_pages 0049 (false 003a)
 003a: 15 0e 00 00000143   jeq userfaultfd 0049 (false 003b)
 003b: 15 0d 00 000000a3   jeq acct 0049 (false 003c)
 003c: 15 0c 00 00000141   jeq bpf 0049 (false 003d)
 003d: 15 0b 00 000000a1   jeq chroot 0049 (false 003e)
 003e: 15 0a 00 000000a5   jeq mount 0049 (false 003f)
 003f: 15 09 00 000000b4   jeq nfsservctl 0049 (false 0040)
 0040: 15 08 00 0000009b   jeq pivot_root 0049 (false 0041)
 0041: 15 07 00 000000ab   jeq setdomainname 0049 (false 0042)
 0042: 15 06 00 000000aa   jeq sethostname 0049 (false 0043)
 0043: 15 05 00 000000a6   jeq umount2 0049 (false 0044)
 0044: 15 04 00 00000099   jeq vhangup 0049 (false 0045)
 0045: 15 03 00 00000065   jeq ptrace 0049 (false 0046)
 0046: 15 02 00 00000087   jeq personality 0049 (false 0047)
 0047: 15 01 00 00000136   jeq process_vm_readv 0049 (false 0048)
 0048: 06 00 00 7fff0000   ret ALLOW
 0049: 06 00 01 00000000   ret KILL
Mount the new ld.so.preload file
Current directory: /home/lws
Install protocol filter: unix,inet,inet6,netlink
configuring 16 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol (null) 
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 (null) 
Dual 32/64 bit seccomp filter configured
Build default+drop seccomp filter
sbox run: /run/firejail/lib/fseccomp default drop /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.postexec !chroot (null) 
sbox run: /run/firejail/lib/fsec-optimize /run/firejail/mnt/seccomp/seccomp (null) 
configuring 74 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp (null) 
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1001, nogroups 1
No supplementary groups
AppArmor enabled
starting application
LD_PRELOAD=(null)
execvp argument 0: firefox

When I click on that facebook group I get the following in the console:
ATTENTION: default value of option mesa_glthread overridden by environment.
ATTENTION: default value of option mesa_glthread overridden by environment.

The text was updated successfully, but these errors were encountered:

rusty-snake · 2021-11-18T20:28:32Z

Duplicate of #3219

rusty-snake · 2021-11-18T20:29:49Z

Either update firejail (to a version without vulnerabilities) or add !kcmp to seccomp.

fpusersuggest · 2021-11-18T22:40:00Z

thanks, but how should I add it ?
because if I add !kcmp in the following way:
seccomp !chroot !kcmp
firefox don't start and it give the following error:
Error: invalid syscall list entry !chroot !kcmp
and exit. If I add in this other way:

seccomp !chroot
seccomp !kcmp

firefox freeze.

rusty-snake · 2021-11-19T06:53:29Z

seccomp syscall,syscall,syscall
Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.

seccomp !chroot,!kcmp
               ^

kmk3 · 2021-11-23T11:21:56Z

@fpusersuggest commented on Nov 18:

ubuntu 20.04

firejail version 0.9.62

I'd suggest using a more recent version; see:

How to install the latest version on Ubuntu and derivatives #4663

rusty-snake · 2021-11-29T15:28:48Z

https://bugs.launchpad.net/ubuntu/+source/firejail/+bug/1950683/comments/5:

The problem is discussed in #4698 which in turn is marked as a duplicate of #3219

The patch mentioned there solves the problem:
$ diff /etc/firejail/firefox-common.profile.orig /etc/firejail/firefox-common.profile
49c49
< seccomp !chroot
---
> seccomp !chroot,!kcmp
Whether that's a good solution security-wise or not I cannot comment on. Upstream recommends to upgrade firejail.

There's no other way, kcmp is required in those cases.
Newer firejail versions do this by default (ed142c6).

rusty-snake marked this as a duplicate of #3219 Nov 18, 2021

rusty-snake closed this as completed Nov 18, 2021

rusty-snake added the duplicate This issue or pull request already exists label Nov 18, 2021

kmk3 added the old-version Issues caused by using an old version of firejail label Sep 14, 2024

kmk3 changed the title ~~Firefox freeze with custom profile~~ firefox: freeze with custom profile (seccomp) Sep 14, 2024

kmk3 added the graphics Issues related to GPU acceleration and drivers (mesa, nvidia, etc) label Sep 14, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

firefox: freeze with custom profile (seccomp) #4698

firefox: freeze with custom profile (seccomp) #4698

fpusersuggest commented Nov 18, 2021

rusty-snake commented Nov 18, 2021

rusty-snake commented Nov 18, 2021

fpusersuggest commented Nov 18, 2021

rusty-snake commented Nov 19, 2021

kmk3 commented Nov 23, 2021

rusty-snake commented Nov 29, 2021

firefox: freeze with custom profile (seccomp) #4698

firefox: freeze with custom profile (seccomp) #4698

Comments

fpusersuggest commented Nov 18, 2021

Description

Steps to Reproduce

Expected behavior

Environment

Checklist

rusty-snake commented Nov 18, 2021

rusty-snake commented Nov 18, 2021

fpusersuggest commented Nov 18, 2021

rusty-snake commented Nov 19, 2021

kmk3 commented Nov 23, 2021

rusty-snake commented Nov 29, 2021