-
Notifications
You must be signed in to change notification settings - Fork 569
Debugging Firejail
If you encounter an error, check the known issues section first. It is also recommended to search the issue tracker.
Always check firejail
's output. If there is no output, run firejail
with --ignore=quiet
. There are several debug flags you can use to increase the verbosity of firejail
, if needed, like --debug
. See firejail --help
for more details.
More verbosity always helps, especially when reporting bugs. Also increase the verbosity of the application you are trying to run, it may report that it can not access specific files or directories.
Check your system logs. There may be blocked syscalls which are logged by audit
when this profile uses seccomp
.
You can always try to use the lax default profile (--profile=default
).
Firejail can be a little more difficult to debug because it is a setuid binary.
The issue with trying to debug a setuid binary with gdb is that its non-trivial to get the running user correct. We can't run gdb as a normal user to debug a setuid binary because that would be a gaping security hole (non-root code would be able to modify the execution of root code). However, if we run gdb as root, then the program (firejail) being traced will not run as the unprivileged user, also not what we want.
This script will do what we want. It first forks a background process as the current user which will immediately send itself a STOP
signal. Then gdb running as root will attach to that process, which will send it the CONT
signal to continue execution. Then the backgrounded process will exec the program with the given arguments. This will allow the root gdb to trace the unprivileged firejail process from the absolute beginning. A version of this script is now in contrib/gdb-firejail.sh.
#!/bin/bash
FIREJAIL=$1
bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" &
sudo gdb -e "$FIREJAIL" -p "$!"
Strace has a similar problem to gdb, however, the developers were nice in that they allow a username to be specified for specifically for tracing setuid binaries.
sudo strace -u $USER <strace opts> firejail <firejail options>