PulseAudio 7.0/8.0 issue
The srbchannel IPC mechanism, introduced in PulseAudio 6.0, was enabled by default in release 7.0. Many Linux users are reporting sound problems when running applications in a Firejail sandbox. It affects, among others, Arch, Ubuntu 16.04 and Mint users. This problem was fixed in PulseAudio version 9.0. The following configuration will mask the problem:
$ mkdir -p ~/.config/pulse
$ cd ~/.config/pulse
$ cp /etc/pulse/client.conf .
$ echo "enable-shm = no" >> client.conf
If you have problems with PulseAudio 9.x, use the previous fix, or configure "enable-memfd = yes" in /etc/pulse/daemon.conf.
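The commands above overwrite any client.conf the user already has and append a second "enable-shm" line on every run. The following shell function is an added example (not part of the Firejail page or project) that applies the same workaround idempotently: it seeds the user config from the system file only when no user file exists, drops any conflicting "enable-shm" setting, and appends "enable-shm = no" once. The default paths are the ones the page uses; both can be overridden for testing.

```shell
# Added example, not Firejail's code: apply the PulseAudio client.conf
# workaround without clobbering an existing user config or appending the
# same setting twice.
#   apply_pulse_shm_workaround [SYSTEM_CLIENT_CONF] [USER_PULSE_DIR]
apply_pulse_shm_workaround() {
    system_conf="${1:-/etc/pulse/client.conf}"
    user_dir="${2:-$HOME/.config/pulse}"
    user_conf="$user_dir/client.conf"

    mkdir -p "$user_dir" || return 1

    # Seed the user config from the system one only if none exists yet;
    # an existing file may carry settings the user does not want lost.
    if [ ! -e "$user_conf" ]; then
        if [ -r "$system_conf" ]; then
            cp "$system_conf" "$user_conf" || return 1
        else
            : > "$user_conf"
        fi
    fi

    # Already set (and not commented out)? Then there is nothing to do.
    if pulse_shm_disabled "$user_conf"; then
        return 0
    fi

    # Remove any active "enable-shm = ..." line so the file does not end
    # up with two conflicting settings, then append the workaround.
    sed -i.bak -E '/^[[:space:]]*enable-shm[[:space:]]*=/d' "$user_conf" || return 1
    rm -f "$user_conf.bak"
    printf 'enable-shm = no\n' >> "$user_conf"
}

# pulse_shm_disabled [CLIENT_CONF]: exit 0 when the workaround is active,
# i.e. an uncommented "enable-shm = no" line is present.
pulse_shm_disabled() {
    grep -Eq '^[[:space:]]*enable-shm[[:space:]]*=[[:space:]]*no' \
        "${1:-$HOME/.config/pulse/client.conf}"
}
```

Run `apply_pulse_shm_workaround` with no arguments on a real system; `pulse_shm_disabled` is a quick check that the setting is really in effect before blaming Firejail for silence.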
Cannot install new software while Firejail is running
A file blacklisted in a running jail cannot be removed from outside the jail. This causes serious inconvenience when using Firejail with long-running processes. For example, it prevents the user from updating the system normally, because files like /bin/su, /bin/mount and /usr/bin/sudo are blacklisted by default. Admin commands for adding users and groups will also fail.
Firejail implements blacklisting by mounting an empty, read-only file or directory on top of the original file. The kernel, at least older kernels, refuses to delete the file because it is a mount point somewhere else in the system.
The problem is fixed in Linux kernels 3.18 or newer. This is the commit: vfs: Lazily remove mounts on unlinked files and directories
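To see why a package upgrade or `rm` fails while a sandbox is running, it helps to list which paths are mount points in the sandbox's mount namespace. The following shell functions are an added example (not Firejail's own tooling) that reads a mountinfo file, by default the caller's own /proc/self/mountinfo, or /proc/<pid>/mountinfo for a running jail, and reports the mount points at or under a given path. The sample mountinfo text is constructed for the demonstration; the tmpfs source it shows is an assumption, not a statement of how Firejail names its overlay.

```shell
# Added example, not Firejail's code. Constructed mountinfo sample:
# field 5 of each record is the mount point. Spaces in paths are
# octal-escaped (\040) in this file, so whitespace splitting is safe.
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
123 22 0:45 / /usr/bin/sudo ro,nosuid,nodev - tmpfs tmpfs ro
124 22 0:45 / /bin/su ro,nosuid,nodev - tmpfs tmpfs ro
125 22 0:46 / /usr/bin/dir\040with\040space rw - tmpfs tmpfs rw'

# mounts_under PATH [MOUNTINFO]: print every mount point equal to PATH
# or below it. MOUNTINFO defaults to the caller's own namespace; pass
# /proc/<sandbox-pid>/mountinfo to look inside a running jail, or "-"
# to read mountinfo text from stdin.
mounts_under() {
    path="${1%/}"
    [ -n "$path" ] || path=/
    mountinfo="${2:-/proc/self/mountinfo}"
    awk -v p="$path" '
        p == "/" || $5 == p || index($5, p "/") == 1 { print $5 }
    ' "$mountinfo"
}

# is_mount_point PATH [MOUNTINFO]: exit 0 when PATH itself is a mount
# point in that namespace, which is exactly what makes a pre-3.18
# kernel refuse to unlink it from outside the sandbox.
is_mount_point() {
    mounts_under "$1" "${2:-/proc/self/mountinfo}" | grep -qxF -- "$1"
}
```

Typical use on a live system: `mounts_under /usr/bin /proc/$(pidof -s firefox)/mountinfo` lists the blacklist overlays the sandbox has placed under /usr/bin, and `is_mount_point /usr/bin/sudo /proc/<pid>/mountinfo` tells you whether a failing upgrade is hitting one of them.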
By default, the AppArmor Chromium configuration is broken. It does not work, with or without Firejail.
If Firejail is invoked with the --trace argument, an empty /etc/ld.so.preload file is created. The file is used by the sandbox as a mount point in order to implement the tracing feature. AppArmor users will get the following message every time they start a confined application:
Apr 26 08:53:22 netblue-VirtualBox kernel: [ 1158.336097] audit: type=1400 audit(1461675202.188:94): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/ld.so.preload" pid=3861 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
AppArmor will prevent the linker from loading the file, but it will not crash the program. To get rid of these messages, remove the /etc/ld.so.preload file:
$ sudo rm /etc/ld.so.preload
While running the Evince PDF viewer under "firejail --net=none", the process is killed immediately by AppArmor. This is the syslog message:
Apr 26 08:57:21 netblue-VirtualBox kernel: [ 1393.575207] audit: type=1400 audit(1461675441.626:97): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/evince" name="tmp/.X11-unix/X0" pid=3889 comm="evince" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
It is an AppArmor bug, reported for Ubuntu here. To work around it, run the sandbox with "--protocol=unix" instead of "--net=none". It disables the IPv4 and IPv6 protocols, so the effect is the same as "--net=none".
$ firejail --protocol=unix evince
OverlayFS kernel support is broken in Debian kernels 4.5.0-0.bpo.1-amd64
When using Firejail's --overlay or --overlay-tmpfs options together with --net, the X11 socket is disabled. The user will not be able to run X11 applications in such a sandbox. The problem is being investigated.
Cannot connect to ibus-daemon in a new network namespace
ibus-daemon is used to change the system language, for example to switch between English (US) and Japanese input. In a sandbox using a new network namespace, the ibus-daemon socket is disabled and the keyboard-switching capability is lost.
Firefox crashing when using AMDGPU PRO driver
Firefox segfaults when started with firejail if the system uses the AMDGPU PRO driver. Error message:
audit: type=1326 audit(1472897475.402:22): auid=1000 uid=1000 gid=1000 ses=3 pid=5039 comm="firefox" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f975fe29923 code=0x0
The AMDGPU PRO driver tries to use ptrace, and it is killed by seccomp. Start the sandbox with the --allow-debuggers flag:
$ firejail --allow-debuggers firefox
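The three kernel audit records quoted on this page (two AppArmor denials for Evince and one seccomp kill for Firefox) all share the same key=value layout, and telling them apart is the first step in deciding which of the workarounds above applies. The following shell functions are an added example, not part of the Firejail page or project: `audit_field` pulls a single field out of a record, handling both quoted values (which may contain spaces, like `info="..."`) and bare ones, and `describe_audit` turns a record into one summary line. The sample input is constructed from the page's own log lines, with straight quotes and a placeholder host name; the syscall name is resolved only for the one case the page documents (x86_64, `arch=c000003e`, where syscall 101 is ptrace).

```shell
# Added example, not Firejail's code. Constructed sample built from the
# page's own audit lines (straight quotes, placeholder host name).
SAMPLE_AUDIT='Apr 26 08:53:22 host kernel: [ 1158.336097] audit: type=1400 audit(1461675202.188:94): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/ld.so.preload" pid=3861 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Apr 26 08:57:21 host kernel: [ 1393.575207] audit: type=1400 audit(1461675441.626:97): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/evince" name="tmp/.X11-unix/X0" pid=3889 comm="evince" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=0
audit: type=1326 audit(1472897475.402:22): auid=1000 uid=1000 gid=1000 ses=3 pid=5039 comm="firefox" exe="/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=101 compat=0 ip=0x7f975fe29923 code=0x0'

# audit_field RECORD KEY: print KEY's value. The key must be preceded by
# whitespace, so "uid=" does not match inside "auid=" or "fsuid=". The
# first expression handles quoted values (spaces allowed), "t" skips the
# second one on success, and the second handles bare values like pid=3861.
audit_field() {
    printf '%s\n' "$1" | sed -n -E \
        -e "s/.*[[:space:]]$2=\"([^\"]*)\".*/\1/p" \
        -e t \
        -e "s/.*[[:space:]]$2=([^[:space:]]*).*/\1/p"
}

# describe_audit RECORD: one line saying what was denied or killed.
describe_audit() {
    rec="$1"
    case "$rec" in
        *'type=1400'*)
            # AppArmor (type 1400): which profile refused which operation on what.
            printf 'apparmor profile=%s op=%s name=%s denied=%s\n' \
                "$(audit_field "$rec" profile)" "$(audit_field "$rec" operation)" \
                "$(audit_field "$rec" name)" "$(audit_field "$rec" denied_mask)"
            ;;
        *'type=1326'*)
            # seccomp (type 1326): sig=31 is SIGSYS and code=0x0 is
            # SECCOMP_RET_KILL, so the process did not survive the call.
            # On x86_64 (arch=c000003e) syscall 101 is ptrace, the case
            # the AMDGPU PRO note above describes.
            arch=$(audit_field "$rec" arch)
            nr=$(audit_field "$rec" syscall)
            sysname="$nr"
            if [ "$arch" = c000003e ] && [ "$nr" = 101 ]; then
                sysname="ptrace($nr)"
            fi
            printf 'seccomp comm=%s exe=%s syscall=%s sig=%s\n' \
                "$(audit_field "$rec" comm)" "$(audit_field "$rec" exe)" \
                "$sysname" "$(audit_field "$rec" sig)"
            ;;
        *)
            printf 'other: %s\n' "$rec"
            ;;
    esac
}

# summarize_audit: describe every record on stdin, one per line, e.g.
#   journalctl -k | grep 'audit:' | summarize_audit
summarize_audit() {
    while IFS= read -r rec; do
        describe_audit "$rec"
    done
}
```

Running `printf '%s\n' "$SAMPLE_AUDIT" | summarize_audit` prints one line per record: the two AppArmor lines name the profile and the path it was denied, which is what tells you whether the /etc/ld.so.preload or the --protocol=unix workaround is the relevant one, and the seccomp line names the syscall, which points at --allow-debuggers.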