Hi Vincent,

On Sat, Dec 03, 2022 at 07:59:43PM +0100, Vincent Lefevre wrote:
> zira:~> firejail --allow-debuggers --profile=firefox gdb
[...]
> Could not find platform independent libraries <prefix>
> Could not find platform dependent libraries <exec_prefix>
> Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
> Python path configuration:
> PYTHONHOME = (not set)
> PYTHONPATH = (not set)
> program name = '/usr/bin/python'
> isolated = 0
> environment = 1
> user site = 1
> import site = 1
> sys._base_executable = '/usr/bin/python'
> sys.base_prefix = '/usr'
> sys.base_exec_prefix = '/usr'
> sys.platlibdir = 'lib'
> sys.executable = '/usr/bin/python'
> sys.prefix = '/usr'
> sys.exec_prefix = '/usr'
> sys.path = [
>   '/usr/lib/python310.zip',
>   '/usr/lib/python3.10',
>   '/usr/lib/lib-dynload',
> ]
> Fatal Python error: init_fs_encoding: failed to get the Python codec of the
> filesystem encoding
> Python runtime state: core initialized
> ModuleNotFoundError: No module named 'encodings'
>
> Current thread 0x00007f32e84a9640 (most recent call first):
> <no Python frame>

According to the firejail manpage, --allow-debuggers only takes care of
allowing system calls commonly used by debugging tools (e.g. ptrace). It is
not a parameter to broadly allow any debugger including their dependency
chains.

Debugging tools that have dependencies (like in your example gdb -> python3)
need to be handled additionally (either by asking gdb to not use the python3
extensions, or by adding parameters that whitelist it).

With the following command line I was able to get a gdb shell:

> $ firejail --allow-debuggers --include=/etc/firejail/allow-python3.inc
> --profile=firefox gdb
> [...]
> (gdb)

Kind regards,
Reiner