
fseccomp not found with private-bin+private-lib+seccomp #3113

reinerh opened this issue Jan 3, 2020 · 4 comments

Comments

@reinerh
Collaborator

reinerh commented Jan 3, 2020

While looking through errors of the test suite I noticed that test/profiles/profiles.sh was failing while testing the ffmpegthumbnailer profile.

+ ./test-profile.exp /etc/firejail/ffmpegthumbnailer.profile
spawn /bin/bash
stty -echo
user@host:/tmp/autopkgtest.oKW0CW/autopkgtest_tmp/test/profiles$ stty -echo
user@host:/tmp/autopkgtest.oKW0CW/autopkgtest_tmp/test/profiles$ execvp: No such file or directory
Error: failed to run /run/firejail/lib/fseccomp
Error: proc 7936 cannot sync with peer: unexpected EOF
Peer 7937 unexpectedly exited with status 1
user@host:/tmp/autopkgtest.oKW0CW/autopkgtest_tmp/test/profiles$ TESTING ERROR 0

For some reason it is not able to execute /run/firejail/lib/fseccomp (No such file or directory) for generating the seccomp filter.
I am able to reproduce it inside a container/qemu (but not on the host). Just running firejail --profile=/etc/firejail/ffmpegthumbnailer.profile $ANYCOMMAND is failing, as it can't complete the seccomp setup.

I then reduced the profile to the following lines:

private-bin ffmpegthumbnailer
private-lib libffmpegthumbnailer.so.*
seccomp !set_mempolicy

All three of them are needed to trigger the issue (seccomp alone is not sufficient, it needs an argument so that a new filter actually has to be generated).

Does anyone have an idea what could go wrong? Or why it fails inside a container/VM, but not on my main system?

CC @netblue30

Here is the output without quiet and with --debug (where it fails because of fsec-print):

Autoselecting /bin/bash as shell
Building quoted command line: 'find' '/run/firejail' 
Command name #find#
Enabling IPC namespace
Using the local network stack
Autoselecting /bin/bash as shell
Building quoted command line: 'find' '/run/firejail' 
Command name #find#
Enabling IPC namespace
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating an empty /etc/ld.so.preload file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
Mounting read-only /var
Mounting read-only /bin
Mounting read-only /sbin
Mounting read-only /lib
Mounting read-only /lib64
Mounting read-only /lib32
Mounting read-only /libx32
Mounting read-only /usr
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Copying files in the new bin directory
Checking /usr/local/bin/ffmpegthumbnailer
Checking /usr/bin/ffmpegthumbnailer
Checking /bin/ffmpegthumbnailer
Checking /usr/games/ffmpegthumbnailer
Checking /usr/local/games/ffmpegthumbnailer
Checking /usr/local/sbin/ffmpegthumbnailer
Checking /usr/sbin/ffmpegthumbnailer
Checking /sbin/ffmpegthumbnailer
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
Reading profile /etc/firejail/ffmpegthumbnailer.profile
DISPLAY is not set
Parent pid 1801, child pid 1802
Warning: file ffmpegthumbnailer not found
0 programs installed in 0.57 ms
Starting private-lib processing: program find, shell /bin/bash
Installing standard C library
    copying /lib/x86_64-linux-gnu/libnss_dns.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_dns.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libapparmor.so.1.6.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libapparmor.so.1.6.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libmvec.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libmvec.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libnss_nis.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_nis.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libthread_db.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libthread_db.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libcrypt.so.1.1.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libcrypt.so.1.1.0 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libanl.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libanl.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libnss_compat.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_compat.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libcrypt.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libcrypt.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libdl.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libdl.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libresolv.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libresolv.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libnss_hesiod.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_hesiod.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libutil.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libutil.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libpthread.so.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libpthread.so.0 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libc.so.6 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libc.so.6 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libapparmor.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libapparmor.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libmemusage.so to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libmemusage.so /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/librt.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/librt.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libnss_files.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_files.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libnsl.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnsl.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libnss_nisplus.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_nisplus.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libselinux.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libselinux.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    copying /lib/x86_64-linux-gnu/libm.so.6 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libm.so.6 /run/firejail/mnt/lib/x86_64-linux-gnu (null) 
    fslib_copy_dir /usr/lib/locale
Installing sandboxed program libraries
    fslib_install_list  find
Installing shell libraries
    fslib_install_list  /bin/bash
    fslib_install_list  /bin/ls,/bin/cat,/bin/mv,/bin/rm
Processing private-lib files
    fslib_install_list  libffmpegthumbnailer.so.*
Installing system libraries
    fslib_install_list  /usr/bin/firejail,firejail
    fslib_copy_dir /usr/lib/x86_64-linux-gnu/firejail
    fslib_copy_dir /lib/x86_64-linux-gnu/firejail
    fslib_copy_dir /usr/lib/x86_64-linux-gnu/firejail
Mount-bind /run/firejail/mnt/lib on top of /lib /lib64 /usr/lib
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /boot
Disable /dev/port
Disable /run/user/0/gnupg
Disable /run/user/0/systemd
Disable /sys/fs
Disable /sys/module
/etc/pulse/client.conf not found
Create the new ld.so.preload file
Mount the new ld.so.preload file
Current directory: /tmp/autopkgtest.2Jyr1K/autopkgtest_tmp/test/profiles
configuring 54 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib/x86_64-linux-gnu/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32 (null) 
The new log directory is /proc/1802/root/var/log
as root:
Standard C library installed in 44.15 ms
Program libraries installed in 0.52 ms
Installed 24 libraries and 2 directories
Post-exec seccomp protector enabled
DISPLAY is not set
execvp: No such file or directory
Error: failed to run /usr/lib/x86_64-linux-gnu/firejail/fsec-print
Error: proc 1801 cannot sync with peer: unexpected EOF
Peer 1802 unexpectedly exited with status 1
@matu3ba
Contributor

matu3ba commented Apr 10, 2020

Warning: file ffmpegthumbnailer not found
0 programs installed in 0.57 ms

Looks like the binary is not installed on the VM.
What do you think @rusty-snake ?

@rusty-snake
Collaborator

Looks like the private-bin must have an invalid argument.

@reinerh
Collaborator Author

reinerh commented Apr 10, 2020

ffmpegthumbnailer is not needed, as the test script is running the echo binary ("echo done").
It checks either for the output of "done", or for the error message that "echo" has not been found.

But the error I posted above is not one of the expected ones.

@rusty-snake
Collaborator

rusty-snake commented Apr 10, 2020

I get

/usr/lib64/firejail/fsec-print: error while loading shared libraries: libpcre2-8.so.0: cannot open shared object file: No such file or directory
Error: failed to run /usr/lib64/firejail/fsec-print
Error: proc 46275 cannot sync with peer: unexpected EOF

It works with --private-lib=libpcre2-8.so.0.

OS: Fedora 31
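One way to catch this class of failure before the sandbox does, added here as an example and not code from the firejail project: read the DT_NEEDED entries of a helper binary such as fsec-print straight from its ELF dynamic section and compare them with the names and patterns that the standard C library set plus the profile's private-lib line would provide. The ELF builder, the `provided` list and the demo library names are constructed for the example (they mirror the libpcre2-8.so.0 case in the comment above); on a real system you would read the helper from the path shown in the debug output, e.g. /usr/lib/x86_64-linux-gnu/firejail/fsec-print, instead of building one.

```python
"""Report the shared libraries an ELF helper needs that a private-lib set
would not provide.  Added example, not firejail code; the ELF builder and the
sample names are constructed for the demo."""
import fnmatch
import struct
from typing import List

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5


def dt_needed(elf: bytes) -> List[str]:
    """Return the DT_NEEDED names of a 64-bit little-endian ELF image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a 64-bit little-endian ELF image")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    loads, dynamic = [], None
    for i in range(e_phnum):
        ph = struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        p_type, _flags, p_offset, p_vaddr, _paddr, p_filesz = ph[:6]
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []  # statically linked: nothing for the loader to resolve
    entries = []
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):
        tag, val = struct.unpack_from("<qQ", elf, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab_vaddr = next((v for t, v in entries if t == DT_STRTAB), None)
    if strtab_vaddr is None:
        return []
    # DT_STRTAB is a virtual address; map it back to a file offset via PT_LOAD
    for vaddr, offset, filesz in loads:
        if vaddr <= strtab_vaddr < vaddr + filesz:
            strtab_off = offset + (strtab_vaddr - vaddr)
            break
    else:
        raise ValueError("DT_STRTAB lies outside every PT_LOAD segment")
    needed = []
    for tag, val in entries:
        if tag == DT_NEEDED:
            end = elf.index(b"\0", strtab_off + val)
            needed.append(elf[strtab_off + val:end].decode())
    return needed


def missing_libs(elf: bytes, available: List[str]) -> List[str]:
    """Needed libraries matched by none of the names/patterns in `available`
    (private-lib takes shell-style patterns, e.g. libffmpegthumbnailer.so.*)."""
    return [lib for lib in dt_needed(elf)
            if not any(fnmatch.fnmatchcase(lib, pat) for pat in available)]


def build_test_elf(needed: List[str]) -> bytes:
    """Construct a minimal ET_DYN ELF64 image whose only content is a
    PT_LOAD covering the file and a PT_DYNAMIC with the given DT_NEEDED."""
    strtab, offsets = b"\0", {}
    for name in needed:
        offsets[name] = len(strtab)
        strtab += name.encode() + b"\0"
    strtab_off = 0x40 + 2 * 56                  # header + two program headers
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    dyn = struct.pack("<qQ", DT_STRTAB, strtab_off)
    dyn += b"".join(struct.pack("<qQ", DT_NEEDED, offsets[n]) for n in needed)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 0x3E, 1, 0, 0x40, 0, 0,
                        64, 56, 2, 64, 0, 0)
    # vaddr == file offset for the single PT_LOAD, so no relocation math
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 4, 0, 0, 0, total, total, 0x1000)
    dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 4, dyn_off, dyn_off, dyn_off,
                          len(dyn), len(dyn), 8)
    body = ehdr + load + dynamic + strtab
    return body + b"\0" * (dyn_off - len(body)) + dyn


if __name__ == "__main__":
    # Constructed sample mirroring the thread: the helper needs libpcre2-8.so.0,
    # which neither the C library set nor the profile's private-lib provides.
    helper = build_test_elf(["libpcre2-8.so.0", "libc.so.6"])
    provided = ["libc.so.6", "libpthread.so.0", "libffmpegthumbnailer.so.*"]
    print("missing:", missing_libs(helper, provided))  # ['libpcre2-8.so.0']
```

The check only looks at direct DT_NEEDED entries; to mirror what the loader actually resolves, run it again on each library it reports as present until no new names appear.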
