Hi Vincent,

On Tue, Jun 25, 2019 at 10:00:32AM +0200, Vincent Lefevre wrote:
> zira:~> /usr/bin/firejail --allow-debuggers --profile=firefox strace /bin/ls
> Reading profile /etc/firejail/firefox.profile
> Reading profile /etc/firejail/firefox-common.profile
> Reading profile /etc/firejail/disable-common.inc
> Reading profile /etc/firejail/disable-interpreters.inc
> Reading profile /etc/firejail/disable-programs.inc
> Reading profile /etc/firejail/whitelist-common.inc
> Reading profile /etc/firejail/whitelist-var-common.inc
> Warning: networking feature is disabled in Firejail configuration file
> Parent pid 2285, child pid 2286
> Warning: An abstract unix socket for session D-BUS might still be available. 
> Use --net or remove unix from --protocol set.
> Post-exec seccomp protector enabled
> Seccomp list in: 
> @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@resources,@swap,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,ni_syscall,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount,umount2,userfaultfd,vhangup,vmsplice,
>  check list: @default-keep, prelist: 
> adjtimex,clock_adjtime,clock_settime,settimeofday,modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,delete_module,finit_module,init_module,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,ioperm,iopl,kexec_load,kexec_file_load,reboot,set_mempolicy,migrate_pages,move_pages,mbind,swapon,swapoff,acct,add_key,bpf,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,mount,name_to_handle_at,nfsservctl,open_by_handle_at,personality,pivot_root,process_vm_readv,ptrace,remap_file_pages,request_key,setdomainname,sethostname,syslog,umount2,userfaultfd,vhangup,vmsplice,
> Child process initialized in 78.27 ms
> 
> and nothing else occurs. This makes it impossible to see why
> some application does not work in firejail.
> 
> Ditto when using --profile=/etc/firejail/firefox.profile directly
> (as given as an example for --allow-debuggers in the firejail(1)
> man page).
> 
> No problems with the default profile or without strace.

I can reproduce the problem.
When commenting out "apparmor" and the "seccomp.drop" line in the
profile, it is working. The reason is that strace needs to use the
ptrace syscall (which was disallowed by the profile) (and after allowing
it, apparmor also had further ptrace restrictions).

But it's strange that firejail just hangs instead of terminating.

Btw for debugging profiles maybe --trace or --tracelog could also help you.

I will ask upstream about your issue.

Kind regards,
  Reiner

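As an added check (not code from this report or from firejail itself): a small POSIX shell script that reads a profile's `seccomp.drop` line and reports whether a given syscall such as ptrace is dropped, expanding `@debug` into the members shown in the posted prelist. The sample profile is constructed, and the group table covers only `@debug` (assumption: the other groups are not needed for this question).

```shell
#!/bin/sh
# Added example: does a firejail profile drop a syscall that a debugger needs?
# Not from the bug report or firejail; the profile below is a constructed sample.

PROFILE=$(mktemp)
trap 'rm -f "$PROFILE"' EXIT
cat >"$PROFILE" <<'EOF'
# constructed sample, modelled on the lines that matter in firefox.profile
include /etc/firejail/disable-common.inc
apparmor
seccomp.drop @clock,@debug,mount,ptrace,umount2
EOF

# expand_groups LIST: replace @debug with the members shown in the posted
# prelist (lookup_dcookie,perf_event_open,process_vm_writev). Assumption:
# other @groups are left as-is because they are not relevant here.
expand_groups() {
    printf '%s\n' "$1" |
        sed 's/@debug/lookup_dcookie,perf_event_open,process_vm_writev/g'
}

# drop_status FILE SYSCALL: prints "dropped" if SYSCALL appears (directly or
# via @debug) in any seccomp.drop line of FILE, otherwise "allowed".
drop_status() {
    file=$1; sc=$2
    # join all seccomp.drop lines into one comma-separated list
    list=$(grep '^seccomp.drop ' "$file" | sed 's/^seccomp.drop //' |
           tr -d ' ' | tr '\n' ',')
    list=$(expand_groups "$list")
    case ",$list," in
        *",$sc,"*) echo dropped ;;
        *)         echo allowed ;;
    esac
}

# has_apparmor FILE: succeeds if the profile also turns on AppArmor confinement,
# which in the report added ptrace restrictions of its own.
has_apparmor() { grep -q '^apparmor$' "$1"; }

# stand-alone run: the checks a user would want before trying strace in a profile
for sc in ptrace perf_event_open open; do
    echo "$sc: $(drop_status "$PROFILE" "$sc")"
done
has_apparmor "$PROFILE" && echo "apparmor: enabled (check its ptrace rules too)"
```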