Package: firejail
Version: 0.9.44.8-2
Severity: normal

Dear Maintainer,
If I play a YouTube video with mpv without using firejail, it works well, but if I use the included firejail profile for mpv, it fails.

firejail --debug mpv https://www.youtube.com/embed/ucRWyGKBVzo
Autoselecting /bin/bash as shell
Command name #mpv#
Found mpv profile in /etc/firejail directory
Reading profile /etc/firejail/mpv.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Checking /usr/local/bin/mpv
firejail exec symlink detected
Checking /usr/bin/mpv
Checking /usr/local/bin/youtube-dl
Checking /usr/local/bin/python2.7
Checking /usr/bin/python2.7
DISPLAY :0, 0
Using the local network stack
Parent pid 4361, child pid 4362
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/martin/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Copying files in the new home:
Checking /usr/local/bin/mpv
firejail exec symlink detected
Checking /usr/bin/mpv
running: /run/firejail/mnt/cp -a /usr/bin/mpv /run/firejail/mnt/bin/mpv
Checking /usr/local/bin/youtube-dl
running: /run/firejail/mnt/cp -a /usr/local/bin/youtube-dl /run/firejail/mnt/bin/youtube-dl
Checking /usr/local/bin/python2.7
Checking /usr/bin/python2.7
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/martin/.zsh_history
Disable /home/martin/.bash_history
Mounting read-only /home/martin/.local/share/applications
Disable /home/martin/.config/autostart
Disable /etc/xdg/autostart
Disable /etc/X11/Xsession.d
Disable /var/spool/cron
Disable /var/spool/anacron
Disable /run/acpid.socket
Disable /etc/cron.d
Disable /etc/cron.hourly
Disable /etc/cron.monthly
Disable /etc/cron.weekly
Disable /etc/cron.daily
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/anacrontab
Mounting read-only /home/martin/.profile
Mounting read-only /home/martin/.bashrc
Mounting read-only /home/martin/.bash_logout
Mounting read-only /home/martin/.zshrc
Mounting read-only /home/martin/.profile
Mounting read-only /home/martin/.nano
Disable /home/martin/.ssh
Disable /home/martin/.gnupg
Disable /etc/shadow
Disable /etc/gshadow
Disable /etc/passwd-
Disable /etc/group-
Disable /etc/shadow-
Disable /etc/gshadow-
Disable /etc/ssh
Disable /sbin
Disable /usr/sbin
Disable /usr/local/sbin
Disable /home/martin/.FBReader
Disable /home/martin/.config/Atom
Disable /home/martin/.config/gthumb
Disable /home/martin/.config/transmission
Disable /home/martin/.config/libreoffice
Disable /home/martin/.config/eog
Disable /home/martin/.config/spotify
Disable /home/martin/.config/vlc
Not blacklist /home/martin/.config/mpv
Disable /home/martin/.config/totem
Disable /home/martin/.thunderbird
Disable /home/martin/.config/midori
Disable /home/martin/.mozilla
Disable /home/martin/.config/chromium
Disable /home/martin/.config/google-chrome
Disable /home/martin/.config/google-chrome-beta
Disable /home/martin/.config/vivaldi
Disable /home/martin/.config/epiphany
Disable /home/martin/.config/evolution
Disable /home/martin/.local/share/evolution
Disable /home/martin/.cache/evolution
Disable /home/martin/.config/tox
Disable /home/martin/.cache/gajim
Disable /home/martin/.local/share/gajim
Disable /home/martin/.config/gajim
Disable /home/martin/.steam
Disable /home/martin/.gitconfig
Disable /home/martin/.cache/mozilla
Disable /home/martin/.cache/epiphany
Disable /home/martin/.cache/spotify
Disable /home/martin/.cache/thunderbird
Disable /home/martin/.local/share/epiphany
Disable /home/martin/.local/share/spotify
Disable /home/martin/.local/share/totem
Disable /usr/include
Disable /usr/lib/valgrind
Disable /usr/share/perl-openssl-defaults
Disable /usr/share/perl
Disable /usr/share/perl5
Disable /usr/lib/perl5
Disable /usr/lib/ruby
Disable /home/martin/.pki/nssdb
Disable /sys/fs
DISPLAY :0, 0
Dropping all capabilities
Set protocol filter: unix,inet,inet6
Dual i386/amd64 seccomp filter configured
SECCOMP Filter:
VALIDATE_ARCHITECTURE
EXAMINE_SYSCAL
UNKNOWN ENTRY!!!
UNKNOWN ENTRY!!!
UNKNOWN ENTRY!!!
BLACKLIST 165 mount
BLACKLIST 166 umount2
BLACKLIST 101 ptrace
BLACKLIST 246 kexec_load
BLACKLIST 320 kexec_file_load
BLACKLIST 304 open_by_handle_at
BLACKLIST 303 name_to_handle_at
BLACKLIST 175 init_module
BLACKLIST 313 finit_module
BLACKLIST 174 create_module
BLACKLIST 176 delete_module
BLACKLIST 172 iopl
BLACKLIST 173 ioperm
BLACKLIST 251 ioprio_set
BLACKLIST 167 swapon
BLACKLIST 168 swapoff
BLACKLIST 103 syslog
BLACKLIST 310 process_vm_readv
BLACKLIST 311 process_vm_writev
BLACKLIST 139 sysfs
BLACKLIST 156 _sysctl
BLACKLIST 159 adjtimex
BLACKLIST 305 clock_adjtime
BLACKLIST 212 lookup_dcookie
BLACKLIST 298 perf_event_open
BLACKLIST 300 fanotify_init
BLACKLIST 312 kcmp
BLACKLIST 248 add_key
BLACKLIST 249 request_key
BLACKLIST 250 keyctl
BLACKLIST 134 uselib
BLACKLIST 163 acct
BLACKLIST 154 modify_ldt
BLACKLIST 155 pivot_root
BLACKLIST 206 io_setup
BLACKLIST 207 io_destroy
BLACKLIST 208 io_getevents
BLACKLIST 209 io_submit
BLACKLIST 210 io_cancel
BLACKLIST 216 remap_file_pages
BLACKLIST 237 mbind
BLACKLIST 239 get_mempolicy
BLACKLIST 238 set_mempolicy
BLACKLIST 256 migrate_pages
BLACKLIST 279 move_pages
BLACKLIST 278 vmsplice
BLACKLIST 161 chroot
BLACKLIST 184 tuxcall
BLACKLIST 169 reboot
BLACKLIST 180 nfsservctl
BLACKLIST 177 get_kernel_syms
RETURN_ALLOW
Save seccomp filter, size 880 bytes
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
starting application
LD_PRELOAD=(null)
execvp argument 0: mpv
execvp argument 1: https://www.youtube.com/embed/ucRWyGKBVzo
Child process initialized
monitoring pid 6
Playing: https://www.youtube.com/embed/ucRWyGKBVzo
[ytdl_hook] youtube-dl failed, trying to play URL directly ...
[ffmpeg] tls: The TLS connection was non-properly terminated.
Failed to recognize file format.
Exiting... (Errors when loading file)
Sandbox monitor: waitpid 6 retval 6 status 512
Parent is shutting down, bye...
firejail --trace mpv https://www.youtube.com/embed/ucRWyGKBVzo
Reading profile /etc/firejail/mpv.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Parent pid 4833, child pid 4834
Child process initialized
6:mpv:fopen /proc/filesystems:0x563a656d6070
6:mpv:access /etc/selinux/config:-1
6:mpv:fopen /proc/self/status:0x563a6570d820
6:mpv:opendir /sys/devices/system/node:0x563a6570d820
6:mpv:fopen /sys/devices/system/node/node0/meminfo:0x563a65715860
6:mpv:fopen /proc/self/status:0x563a6570d820
6:mpv:mkdir /home:-1
6:mpv:mkdir /home/martin:-1
6:mpv:mkdir /home/martin/.config:-1
6:mpv:mkdir /home/martin/.config/mpv:-1
Playing: https://www.youtube.com/embed/ucRWyGKBVzo
6:mpv:access /etc/fonts/fonts.conf:0
6:mpv:access /etc/fonts/conf.d:0
6:mpv:opendir /etc/fonts/conf.d:0x7fe88c06fc50
6:mpv:access /etc/fonts/conf.d/10-scale-bitmap-fonts.conf:0
6:mpv:access /etc/fonts/conf.d/11-lcdfilter-default.conf:0
6:mpv:access /etc/fonts/conf.d/20-unhint-small-dejavu-lgc-sans-mono.conf:0
6:mpv:access /etc/fonts/conf.d/20-unhint-small-dejavu-lgc-sans.conf:0
6:mpv:access /etc/fonts/conf.d/20-unhint-small-dejavu-lgc-serif.conf:0
6:mpv:access /etc/fonts/conf.d/20-unhint-small-dejavu-sans-mono.conf:0
6:mpv:access /etc/fonts/conf.d/20-unhint-small-dejavu-sans.conf:0
6:mpv:access /etc/fonts/conf.d/20-unhint-small-dejavu-serif.conf:0
6:mpv:access /etc/fonts/conf.d/20-unhint-small-vera.conf:0
6:mpv:access /etc/fonts/conf.d/30-0-google-crosextra-caladea-fontconfig.conf:0
6:mpv:access /etc/fonts/conf.d/30-0-google-crosextra-carlito-fontconfig.conf:0
6:mpv:access /etc/fonts/conf.d/30-metric-aliases.conf:0
6:mpv:access /etc/fonts/conf.d/30-urw-aliases.conf:0
6:mpv:access /etc/fonts/conf.d/31-cantarell.conf:0
6:mpv:access /etc/fonts/conf.d/40-nonlatin.conf:0
6:mpv:access /etc/fonts/conf.d/45-latin.conf:0
6:mpv:access /etc/fonts/conf.d/49-sansserif.conf:0
6:mpv:access /etc/fonts/conf.d/50-user.conf:0
6:mpv:access /home/martin/.config/fontconfig/conf.d:-1
6:mpv:access /home/martin/.config/fontconfig/conf.d:-1
6:mpv:access /home/martin/.config/fontconfig/fonts.conf:0
6:mpv:access /home/martin/.config/fontconfig/fonts.conf:0
6:mpv:access /home/martin/.fonts.conf.d:-1
6:mpv:access /home/martin/.fonts.conf.d:-1
6:mpv:access /home/martin/.fonts.conf:-1
6:mpv:access /home/martin/.fonts.conf:-1
6:mpv:access /etc/fonts/conf.d/51-local.conf:0
6:mpv:access /etc/fonts/local.conf:-1
6:mpv:access /etc/fonts/local.conf:-1
6:mpv:access /etc/fonts/conf.d/57-dejavu-sans-mono.conf:0
6:mpv:access /etc/fonts/conf.d/57-dejavu-sans.conf:0
6:mpv:access /etc/fonts/conf.d/57-dejavu-serif.conf:0
6:mpv:access /etc/fonts/conf.d/58-dejavu-lgc-sans-mono.conf:0
6:mpv:access /etc/fonts/conf.d/58-dejavu-lgc-sans.conf:0
6:mpv:access /etc/fonts/conf.d/58-dejavu-lgc-serif.conf:0
6:mpv:access /etc/fonts/conf.d/60-latin.conf:0
6:mpv:access /etc/fonts/conf.d/65-fonts-lmodern.conf:0
6:mpv:access /etc/fonts/conf.d/65-fonts-persian.conf:0
6:mpv:access /etc/fonts/conf.d/65-nonlatin.conf:0
6:mpv:access /etc/fonts/conf.d/69-unifont.conf:0
6:mpv:access /etc/fonts/conf.d/70-no-bitmaps.conf:0
6:mpv:access /etc/fonts/conf.d/80-delicious.conf:0
6:mpv:access /etc/fonts/conf.d/90-fonts-linux-libertine.conf:0
6:mpv:access /etc/fonts/conf.d/90-synthetic.conf:0
6:mpv:access /etc/fonts/conf.d:0
6:mpv:open64 /dev/null:11
[ytdl_hook] youtube-dl failed, trying to play URL directly ...
6:mpv:fopen /etc/hosts:0x7fe888000f00
6:mpv:socket AF_INET SOCK_DGRAM IPPROTO_IP:7
6:mpv:connect 7 127.0.2.1 port 53:0
6:mpv:socket AF_INET SOCK_STREAM IPPROTO_TCP:7
6:mpv:connect 7 172.217.0.14 port 443:-1
6:mpv:fopen /etc/ssl/certs/ca-certificates.crt:0x7fe8880023b0
[ffmpeg] tls: The TLS connection was non-properly terminated.
Failed to recognize file format.
Exiting... (Errors when loading file)
Parent is shutting down, bye...
Best regards,
Martin

-- System Information:
Debian Release: 9.1
  APT prefers proposed-updates
  APT policy: (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.11.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firejail depends on:
ii  libapparmor1  2.11.0-3
ii  libc6         2.24-11+deb9u1

Versions of packages firejail recommends:
ii  iptables        1.6.0+snapshot20161117-6
ii  xauth           1:1.0.9-1+b2
ii  xserver-xephyr  2:1.19.2-1+deb9u1

firejail suggests no packages.

-- debconf-show failed
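A small parser for the firejail --trace records in the report above, added here as an example and not part of the report or of firejail itself. Each record has the shape pid:process:call args:retval; the parser skips the interleaved status lines, counts the calls that returned -1 and lists every connect() peer, so the failed connection to 172.217.0.14 port 443 stands out from the fontconfig noise. The sample lines are copied from the trace in the report.

```python
import re
from collections import Counter

# Sample records copied from the --trace output in the report, with one of
# firejail's interleaved status lines kept in.
TRACE = """\
6:mpv:access /etc/selinux/config:-1
6:mpv:mkdir /home/martin/.config/mpv:-1
Playing: https://www.youtube.com/embed/ucRWyGKBVzo
6:mpv:access /etc/fonts/fonts.conf:0
6:mpv:open64 /dev/null:11
6:mpv:socket AF_INET SOCK_DGRAM IPPROTO_IP:7
6:mpv:connect 7 127.0.2.1 port 53:0
6:mpv:socket AF_INET SOCK_STREAM IPPROTO_TCP:7
6:mpv:connect 7 172.217.0.14 port 443:-1
6:mpv:fopen /etc/ssl/certs/ca-certificates.crt:0x7fe8880023b0
"""

# pid:process:call [args]:retval; args is greedy, so retval splits at the LAST colon
RECORD = re.compile(r"^(?P<pid>\d+):(?P<proc>[^:]+):(?P<call>\S+)(?: (?P<args>.*))?"
                    r":(?P<ret>-?\d+|0x[0-9a-fA-F]+)$")


def parse_trace(text):
    """One dict per syscall record; status lines such as 'Playing:' are skipped."""
    events = []
    for m in filter(None, (RECORD.match(l.strip()) for l in text.splitlines())):
        ret = m["ret"]
        events.append({"pid": int(m["pid"]), "proc": m["proc"], "call": m["call"],
                       "args": m["args"] or "",
                       "ret": int(ret, 16) if ret.startswith("0x") else int(ret)})
    return events


def network_connects(events):
    """(peer, port, succeeded) for every connect() in the trace."""
    out = []
    for e in events:
        if e["call"] == "connect":
            _fd, peer, _word, port = e["args"].split()
            out.append((peer, int(port), e["ret"] == 0))
    return out


def summarize(text):
    """Failed calls grouped by syscall name plus the list of connect() peers."""
    events = parse_trace(text)
    failed = Counter(e["call"] for e in events if e["ret"] == -1)
    return {"events": len(events), "failed_by_call": dict(failed),
            "connects": network_connects(events)}
```

A -1 from connect() is only a lead, not proof of a blocked peer: on a non-blocking socket it also covers EINPROGRESS, so correlate it with the TLS error that follows rather than reading it on its own.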