Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

keepassxc: cannot access Yubikeys #4928

Open
7 tasks done
seonwoolee opened this issue Feb 11, 2022 · 20 comments
Open
7 tasks done

keepassxc: cannot access Yubikeys #4928

seonwoolee opened this issue Feb 11, 2022 · 20 comments

Comments

@seonwoolee
Copy link

seonwoolee commented Feb 11, 2022

Description

I use KeePassXC to open my KeePass database that is protected with a password, key file, and a challenge-response from my Yubikey. After the version 0.9.68 update, KeePassXC can no longer access my Yubikey when run under firejail. I have verified that it works fine when run without firejail.

I saw #4883 and the corresponding PR #4915 to add back nou2f. I have tried putting both ignore nou2f and ignore private-dev in my ~/.config/firejail/keepassxc.local, but it still doesn't work. I also tried commenting out private-dev in /etc/firejail/keepassxc.profile, but that didn't work either. I'm not sure where the problem actually is, as that's the only line in keepassxc.profile that has changed recently. I assume the problem lies in some other file that keepass.profile includes, but I'm not sure which.

Steps to Reproduce

Run firejail keepassxc, select my database, and then attempt to select my Yubikey as my hardware key. In the terminal it outputs the error YubiKey: Failed to initialize USB interface. (full log at the end)

I also tried this without a globals.local or a keepassxc.local, and it didn't work. I also tried this without a globals.local and just ignore nou2f in keepassxc.local, and it still didn't work.

Expected behavior

KeePassXC can access my Yubikey for Challenge-Response authentication

Actual behavior

KeePassXC cannot find my Yubikey

Behavior without a profile

Terminal output is uneventful and KeePassXC successfully finds my Yubikey.

$ LC_ALL=C firejail --noprofile keepassxc
Parent pid 220855, child pid 220856
Warning: cannot find /var/run/utmp
Child process initialized in 15.33 ms

Additional context

This only started occurring after the 0.9.68 update.

Environment

  • Arch Linux
firejail version 0.9.68

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

Checklist

  • The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

$ LC_ALL=C firejail keepassxc
Reading profile /etc/firejail/keepassxc.profile
Reading profile /home/seonwoo/.config/firejail/keepassxc.local
Reading profile /home/seonwoo/.config/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Parent pid 216124, child pid 216127
Warning: cannot find /var/run/utmp
3 programs installed in 45.41 ms
Warning: skipping alternatives for private /etc
Private /etc installed in 5.75 ms
Warning: skipping alternatives for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping ld.so.preload for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Private /usr/etc installed in 0.12 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /home/seonwoo/.ssh/authorized_keys
Warning: not remounting /home/seonwoo/.ssh/config
Warning: not remounting /run/user/1000/gvfs
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Blacklist violations are logged to syslog
Warning: logind not detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 237.57 ms

(keepassxc:13): dbind-WARNING **: 05:11:35.626: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
Qt: Session management error: Could not open network socket
YubiKey: Failed to initialize USB interface.

(keepassxc:13): GLib-WARNING **: 05:11:39.049: getpwuid_r(): failed due to unknown user id (1000)

(keepassxc:13): dconf-WARNING **: 05:11:42.592: failed to commit changes to dconf: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown

Output of LC_ALL=C firejail --debug /path/to/program

Autoselecting /bin/bash as shell
Building quoted command line: 'keepassxc' 
Command name #keepassxc#
Found keepassxc.profile profile in /etc/firejail directory
Reading profile /etc/firejail/keepassxc.profile
Found keepassxc.local profile in /home/seonwoo/.config/firejail directory
Reading profile /home/seonwoo/.config/firejail/keepassxc.local
Found disable-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-common.inc
Found disable-devel.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-devel.inc
Found disable-exec.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-exec.inc
Found disable-interpreters.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-interpreters.inc
Found disable-programs.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-programs.inc
Found disable-shell.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-shell.inc
Found disable-xdg.inc profile in /etc/firejail directory
Reading profile /etc/firejail/disable-xdg.inc
Found whitelist-run-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-run-common.inc
Found whitelist-usr-share-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Found whitelist-var-common.inc profile in /etc/firejail directory
Reading profile /etc/firejail/whitelist-var-common.inc
[profile] combined protocol list: "unix"
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
DISPLAY=:0.0 parsed as 0
xdg-dbus-proxy arg: unix:path=/run/user/1000/bus
xdg-dbus-proxy arg: /run/firejail/dbus/1000/256024-user
xdg-dbus-proxy arg: --filter
xdg-dbus-proxy arg: --own=org.keepassxc.KeePassXC.*
xdg-dbus-proxy arg: --talk=com.canonical.Unity
xdg-dbus-proxy arg: --talk=org.freedesktop.ScreenSaver
xdg-dbus-proxy arg: --talk=org.gnome.ScreenSaver
xdg-dbus-proxy arg: --talk=org.gnome.SessionManager
xdg-dbus-proxy arg: --talk=org.xfce.ScreenSaver
xdg-dbus-proxy arg: unix:path=/run/dbus/system_bus_socket
xdg-dbus-proxy arg: /run/firejail/dbus/1000/256024-system
xdg-dbus-proxy arg: --filter
xdg-dbus-proxy arg: --talk=org.freedesktop.login1
starting xdg-dbus-proxy
sbox exec: /usr/bin/xdg-dbus-proxy --fd=4 --args=5 
Dropping all capabilities
Drop privileges: pid 256025, uid 1000, gid 100, force_nogroups 1
No supplementary groups
xdg-dbus-proxy initialized
Parent pid 256024, child pid 256027
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
sbox run: /run/firejail/lib/fnet ifup lo 
Set caps filter 3000
Network namespace enabled, only loopback interface available
Build protocol filter: unix
sbox run: /run/firejail/lib/fseccomp protocol build unix /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 3, uid 1000, gid 100, force_nogroups 1
No supplementary groups
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
1120 541 0:25 /etc /etc ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1120 fsname=/etc dir=/etc fstype=zfs
Mounting noexec /etc
1121 1120 0:25 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1121 fsname=/etc dir=/etc fstype=zfs
Mounting read-only /var
1129 1122 0:55 / /var/lib/nfs/rpc_pipefs rw,relatime master:94 - rpc_pipefs sunrpc rw
mountid=1129 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting read-only /var/cache
1130 1123 0:43 / /var/cache ro,noatime master:50 - zfs zroot/enc/ephem/no-repl/var/cache rw,xattr,posixacl
mountid=1130 fsname=/ dir=/var/cache fstype=zfs
Mounting read-only /var/tmp
1131 1125 0:44 / /var/tmp ro,noatime master:54 - zfs zroot/enc/ephem/no-repl/var/tmp rw,xattr,posixacl
mountid=1131 fsname=/ dir=/var/tmp fstype=zfs
Mounting read-only /var/log
1132 1126 0:45 / /var/log ro,noatime master:56 - zfs zroot/enc/ephem/no-repl/var/log rw,xattr,posixacl
mountid=1132 fsname=/ dir=/var/log fstype=zfs
Mounting read-only /var/lib/systemd/coredump
1134 1127 0:42 / /var/lib/systemd/coredump ro,noatime master:58 - zfs zroot/enc/ephem/no-repl/coredump rw,xattr,posixacl
mountid=1134 fsname=/ dir=/var/lib/systemd/coredump fstype=zfs
Mounting read-only /var/lib/docker
1135 1128 0:46 / /var/lib/docker ro,noatime master:62 - zfs zroot/enc/ephem/no-repl/docker rw,xattr,posixacl
mountid=1135 fsname=/ dir=/var/lib/docker fstype=zfs
Mounting read-only /var/lib/nfs/rpc_pipefs
1136 1129 0:55 / /var/lib/nfs/rpc_pipefs ro,relatime master:94 - rpc_pipefs sunrpc rw
mountid=1136 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting noexec /var
1149 1148 0:55 / /var/lib/nfs/rpc_pipefs ro,relatime master:94 - rpc_pipefs sunrpc rw
mountid=1149 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting noexec /var/cache
1150 1139 0:43 / /var/cache ro,nosuid,nodev,noexec,noatime master:50 - zfs zroot/enc/ephem/no-repl/var/cache rw,xattr,posixacl
mountid=1150 fsname=/ dir=/var/cache fstype=zfs
Mounting noexec /var/tmp
1151 1141 0:44 / /var/tmp ro,nosuid,nodev,noexec,noatime master:54 - zfs zroot/enc/ephem/no-repl/var/tmp rw,xattr,posixacl
mountid=1151 fsname=/ dir=/var/tmp fstype=zfs
Mounting noexec /var/log
1152 1143 0:45 / /var/log ro,nosuid,nodev,noexec,noatime master:56 - zfs zroot/enc/ephem/no-repl/var/log rw,xattr,posixacl
mountid=1152 fsname=/ dir=/var/log fstype=zfs
Mounting noexec /var/lib/systemd/coredump
1153 1145 0:42 / /var/lib/systemd/coredump ro,nosuid,nodev,noexec,noatime master:58 - zfs zroot/enc/ephem/no-repl/coredump rw,xattr,posixacl
mountid=1153 fsname=/ dir=/var/lib/systemd/coredump fstype=zfs
Mounting noexec /var/lib/docker
1154 1147 0:46 / /var/lib/docker ro,nosuid,nodev,noexec,noatime master:62 - zfs zroot/enc/ephem/no-repl/docker rw,xattr,posixacl
mountid=1154 fsname=/ dir=/var/lib/docker fstype=zfs
Mounting noexec /var/lib/nfs/rpc_pipefs
1155 1149 0:55 / /var/lib/nfs/rpc_pipefs ro,nosuid,nodev,noexec,relatime master:94 - rpc_pipefs sunrpc rw
mountid=1155 fsname=/ dir=/var/lib/nfs/rpc_pipefs fstype=rpc_pipefs
Mounting read-only /usr
1158 1156 0:47 / /usr/local/texlive rw,noatime master:66 - zfs zroot/enc/ephem/local-repl/texlive rw,xattr,posixacl
mountid=1158 fsname=/ dir=/usr/local/texlive fstype=zfs
Mounting read-only /usr/local/texlive
1160 1158 0:47 / /usr/local/texlive ro,noatime master:66 - zfs zroot/enc/ephem/local-repl/texlive rw,xattr,posixacl
mountid=1160 fsname=/ dir=/usr/local/texlive fstype=zfs
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Warning: cannot find /var/run/utmp
Generating a new machine-id
installing a new /etc/machine-id
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/seonwoo/.config/firejail
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Copying files in the new bin directory
Checking /usr/local/bin/keepassxc
Checking /usr/bin/keepassxc
sbox run: /run/firejail/lib/fcopy /usr/bin/keepassxc /run/firejail/mnt/bin 
Checking /usr/local/bin/keepassxc-cli
Checking /usr/bin/keepassxc-cli
sbox run: /run/firejail/lib/fcopy /usr/bin/keepassxc-cli /run/firejail/mnt/bin 
Checking /usr/local/bin/keepassxc-proxy
Checking /usr/bin/keepassxc-proxy
sbox run: /run/firejail/lib/fcopy /usr/bin/keepassxc-proxy /run/firejail/mnt/bin 
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
3 programs installed in 41.01 ms
Generate private-tmp whitelist commands
Creating empty /run/firejail/mnt/dbus directory
Creating empty /run/firejail/mnt/dbus/user file
blacklist /run/user/1000/bus
Creating empty /run/firejail/mnt/dbus/system file
blacklist /run/dbus/system_bus_socket
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kallsyms
Disable /usr/lib/modules/5.16.8-arch1-1/build (requested /usr/src/linux)
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Copying files in the new /etc directory:
Warning: file /etc/alternatives not found.
Warning: skipping alternatives for private /etc
Copying /etc/fonts to private /etc
Creating empty /run/firejail/mnt/etc/fonts directory
sbox run: /run/firejail/lib/fcopy --follow-link /etc/fonts /run/firejail/mnt/etc/fonts 
Copying /etc/ld.so.cache to private /etc
sbox run: /run/firejail/lib/fcopy --follow-link /etc/ld.so.cache /run/firejail/mnt/etc 
Copying /etc/ld.so.preload to private /etc
sbox run: /run/firejail/lib/fcopy --follow-link /etc/ld.so.preload /run/firejail/mnt/etc 
Copying /etc/machine-id to private /etc
sbox run: /run/firejail/lib/fcopy --follow-link /etc/machine-id /run/firejail/mnt/etc 
Mount-bind /run/firejail/mnt/etc on top of /etc
Private /etc installed in 5.66 ms
Copying files in the new /usr/etc directory:
Warning: file /usr/etc/alternatives not found.
Warning: skipping alternatives for private /usr/etc
Warning: file /usr/etc/fonts not found.
Warning: skipping fonts for private /usr/etc
Warning: file /usr/etc/ld.so.cache not found.
Warning: skipping ld.so.cache for private /usr/etc
Warning: file /usr/etc/ld.so.preload not found.
Warning: skipping ld.so.preload for private /usr/etc
Warning: file /usr/etc/machine-id not found.
Warning: skipping machine-id for private /usr/etc
Mount-bind /run/firejail/mnt/usretc on top of /usr/etc
Private /usr/etc installed in 0.14 ms
Debug 558: whitelist /usr/share/keepassxc
Debug 579: expanded: /usr/share/keepassxc
Debug 590: new_name: /usr/share/keepassxc
Debug 604: dir: /usr/share
Adding whitelist top level directory /usr/share
Debug 558: whitelist /run/NetworkManager/resolv.conf
Debug 579: expanded: /run/NetworkManager/resolv.conf
Debug 590: new_name: /run/NetworkManager/resolv.conf
Debug 604: dir: /run
Adding whitelist top level directory /run
Removed path: whitelist /run/NetworkManager/resolv.conf
	new_name: /run/NetworkManager/resolv.conf
	realpath: (null)
	No such file or directory
Debug 558: whitelist /run/cups/cups.sock
Debug 579: expanded: /run/cups/cups.sock
Debug 590: new_name: /run/cups/cups.sock
Debug 604: dir: /run
Debug 558: whitelist /run/dbus/system_bus_socket
Debug 579: expanded: /run/dbus/system_bus_socket
Debug 590: new_name: /run/dbus/system_bus_socket
Debug 604: dir: /run
Debug 558: whitelist /run/media
Debug 579: expanded: /run/media
Debug 590: new_name: /run/media
Debug 604: dir: /run
Removed path: whitelist /run/media
	new_name: /run/media
	realpath: (null)
	No such file or directory
Debug 558: whitelist /run/resolvconf/resolv.conf
Debug 579: expanded: /run/resolvconf/resolv.conf
Debug 590: new_name: /run/resolvconf/resolv.conf
Debug 604: dir: /run
Removed path: whitelist /run/resolvconf/resolv.conf
	new_name: /run/resolvconf/resolv.conf
	realpath: (null)
	No such file or directory
Debug 558: whitelist /run/shm
Debug 579: expanded: /run/shm
Debug 590: new_name: /run/shm
Debug 604: dir: /run
Removed path: whitelist /run/shm
	new_name: /run/shm
	realpath: (null)
	No such file or directory
Debug 558: whitelist /run/systemd/journal/dev-log
Debug 579: expanded: /run/systemd/journal/dev-log
Debug 590: new_name: /run/systemd/journal/dev-log
Debug 604: dir: /run
Debug 558: whitelist /run/systemd/journal/socket
Debug 579: expanded: /run/systemd/journal/socket
Debug 590: new_name: /run/systemd/journal/socket
Debug 604: dir: /run
Debug 558: whitelist /run/systemd/resolve/resolv.conf
Debug 579: expanded: /run/systemd/resolve/resolv.conf
Debug 590: new_name: /run/systemd/resolve/resolv.conf
Debug 604: dir: /run
Removed path: whitelist /run/systemd/resolve/resolv.conf
	new_name: /run/systemd/resolve/resolv.conf
	realpath: (null)
	No such file or directory
Debug 558: whitelist /run/systemd/resolve/stub-resolv.conf
Debug 579: expanded: /run/systemd/resolve/stub-resolv.conf
Debug 590: new_name: /run/systemd/resolve/stub-resolv.conf
Debug 604: dir: /run
Removed path: whitelist /run/systemd/resolve/stub-resolv.conf
	new_name: /run/systemd/resolve/stub-resolv.conf
	realpath: (null)
	No such file or directory
Debug 558: whitelist /run/udev/data
Debug 579: expanded: /run/udev/data
Debug 590: new_name: /run/udev/data
Debug 604: dir: /run
Debug 558: whitelist /usr/share/alsa
Debug 579: expanded: /usr/share/alsa
Debug 590: new_name: /usr/share/alsa
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/applications
Debug 579: expanded: /usr/share/applications
Debug 590: new_name: /usr/share/applications
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/ca-certificates
Debug 579: expanded: /usr/share/ca-certificates
Debug 590: new_name: /usr/share/ca-certificates
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/crypto-policies
Debug 579: expanded: /usr/share/crypto-policies
Debug 590: new_name: /usr/share/crypto-policies
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/crypto-policies
	new_name: /usr/share/crypto-policies
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/cursors
Debug 579: expanded: /usr/share/cursors
Debug 590: new_name: /usr/share/cursors
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/cursors
	new_name: /usr/share/cursors
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/dconf
Debug 579: expanded: /usr/share/dconf
Debug 590: new_name: /usr/share/dconf
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/dconf
	new_name: /usr/share/dconf
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/distro-info
Debug 579: expanded: /usr/share/distro-info
Debug 590: new_name: /usr/share/distro-info
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/distro-info
	new_name: /usr/share/distro-info
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/drirc.d
Debug 579: expanded: /usr/share/drirc.d
Debug 590: new_name: /usr/share/drirc.d
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/egl
Debug 579: expanded: /usr/share/egl
Debug 590: new_name: /usr/share/egl
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/enchant
Debug 579: expanded: /usr/share/enchant
Debug 590: new_name: /usr/share/enchant
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/enchant-2
Debug 579: expanded: /usr/share/enchant-2
Debug 590: new_name: /usr/share/enchant-2
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/enchant-2
	new_name: /usr/share/enchant-2
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/file
Debug 579: expanded: /usr/share/file
Debug 590: new_name: /usr/share/file
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/fontconfig
Debug 579: expanded: /usr/share/fontconfig
Debug 590: new_name: /usr/share/fontconfig
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/fonts
Debug 579: expanded: /usr/share/fonts
Debug 590: new_name: /usr/share/fonts
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/fonts-config
Debug 579: expanded: /usr/share/fonts-config
Debug 590: new_name: /usr/share/fonts-config
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/fonts-config
	new_name: /usr/share/fonts-config
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/gir-1.0
Debug 579: expanded: /usr/share/gir-1.0
Debug 590: new_name: /usr/share/gir-1.0
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/gjs-1.0
Debug 579: expanded: /usr/share/gjs-1.0
Debug 590: new_name: /usr/share/gjs-1.0
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/gjs-1.0
	new_name: /usr/share/gjs-1.0
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/glib-2.0
Debug 579: expanded: /usr/share/glib-2.0
Debug 590: new_name: /usr/share/glib-2.0
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/glvnd
Debug 579: expanded: /usr/share/glvnd
Debug 590: new_name: /usr/share/glvnd
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/gtk-2.0
Debug 579: expanded: /usr/share/gtk-2.0
Debug 590: new_name: /usr/share/gtk-2.0
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/gtk-3.0
Debug 579: expanded: /usr/share/gtk-3.0
Debug 590: new_name: /usr/share/gtk-3.0
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/gtk-engines
Debug 579: expanded: /usr/share/gtk-engines
Debug 590: new_name: /usr/share/gtk-engines
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/gtk-engines
	new_name: /usr/share/gtk-engines
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/gtksourceview-3.0
Debug 579: expanded: /usr/share/gtksourceview-3.0
Debug 590: new_name: /usr/share/gtksourceview-3.0
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/gtksourceview-3.0
	new_name: /usr/share/gtksourceview-3.0
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/gtksourceview-4
Debug 579: expanded: /usr/share/gtksourceview-4
Debug 590: new_name: /usr/share/gtksourceview-4
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/hunspell
Debug 579: expanded: /usr/share/hunspell
Debug 590: new_name: /usr/share/hunspell
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/hwdata
Debug 579: expanded: /usr/share/hwdata
Debug 590: new_name: /usr/share/hwdata
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/icons
Debug 579: expanded: /usr/share/icons
Debug 590: new_name: /usr/share/icons
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/icu
Debug 579: expanded: /usr/share/icu
Debug 590: new_name: /usr/share/icu
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/knotifications5
Debug 579: expanded: /usr/share/knotifications5
Debug 590: new_name: /usr/share/knotifications5
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/knotifications5
	new_name: /usr/share/knotifications5
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/kservices5
Debug 579: expanded: /usr/share/kservices5
Debug 590: new_name: /usr/share/kservices5
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/Kvantum
Debug 579: expanded: /usr/share/Kvantum
Debug 590: new_name: /usr/share/Kvantum
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/Kvantum
	new_name: /usr/share/Kvantum
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/kxmlgui5
Debug 579: expanded: /usr/share/kxmlgui5
Debug 590: new_name: /usr/share/kxmlgui5
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/kxmlgui5
	new_name: /usr/share/kxmlgui5
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/libdrm
Debug 579: expanded: /usr/share/libdrm
Debug 590: new_name: /usr/share/libdrm
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/libthai
Debug 579: expanded: /usr/share/libthai
Debug 590: new_name: /usr/share/libthai
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/locale
Debug 579: expanded: /usr/share/locale
Debug 590: new_name: /usr/share/locale
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/mime
Debug 579: expanded: /usr/share/mime
Debug 590: new_name: /usr/share/mime
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/misc
Debug 579: expanded: /usr/share/misc
Debug 590: new_name: /usr/share/misc
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/Modules
Debug 579: expanded: /usr/share/Modules
Debug 590: new_name: /usr/share/Modules
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/Modules
	new_name: /usr/share/Modules
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/myspell
Debug 579: expanded: /usr/share/myspell
Debug 590: new_name: /usr/share/myspell
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/p11-kit
Debug 579: expanded: /usr/share/p11-kit
Debug 590: new_name: /usr/share/p11-kit
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/perl
Debug 579: expanded: /usr/share/perl
Debug 590: new_name: /usr/share/perl
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/perl
	new_name: /usr/share/perl
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/perl5
Debug 579: expanded: /usr/share/perl5
Debug 590: new_name: /usr/share/perl5
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/pipewire
Debug 579: expanded: /usr/share/pipewire
Debug 590: new_name: /usr/share/pipewire
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/pixmaps
Debug 579: expanded: /usr/share/pixmaps
Debug 590: new_name: /usr/share/pixmaps
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/pki
Debug 579: expanded: /usr/share/pki
Debug 590: new_name: /usr/share/pki
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/pki
	new_name: /usr/share/pki
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/plasma
Debug 579: expanded: /usr/share/plasma
Debug 590: new_name: /usr/share/plasma
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/plasma
	new_name: /usr/share/plasma
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/publicsuffix
Debug 579: expanded: /usr/share/publicsuffix
Debug 590: new_name: /usr/share/publicsuffix
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/publicsuffix
	new_name: /usr/share/publicsuffix
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/qt
Debug 579: expanded: /usr/share/qt
Debug 590: new_name: /usr/share/qt
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/qt4
Debug 579: expanded: /usr/share/qt4
Debug 590: new_name: /usr/share/qt4
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/qt4
	new_name: /usr/share/qt4
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/qt5
Debug 579: expanded: /usr/share/qt5
Debug 590: new_name: /usr/share/qt5
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/qt5
	new_name: /usr/share/qt5
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/qt5ct
Debug 579: expanded: /usr/share/qt5ct
Debug 590: new_name: /usr/share/qt5ct
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/qt5ct
	new_name: /usr/share/qt5ct
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/sounds
Debug 579: expanded: /usr/share/sounds
Debug 590: new_name: /usr/share/sounds
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/tcl8.6
Debug 579: expanded: /usr/share/tcl8.6
Debug 590: new_name: /usr/share/tcl8.6
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/tcl8.6
	new_name: /usr/share/tcl8.6
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/tcltk
Debug 579: expanded: /usr/share/tcltk
Debug 590: new_name: /usr/share/tcltk
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/tcltk
	new_name: /usr/share/tcltk
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/terminfo
Debug 579: expanded: /usr/share/terminfo
Debug 590: new_name: /usr/share/terminfo
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/texlive
Debug 579: expanded: /usr/share/texlive
Debug 590: new_name: /usr/share/texlive
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/texlive
	new_name: /usr/share/texlive
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/texmf
Debug 579: expanded: /usr/share/texmf
Debug 590: new_name: /usr/share/texmf
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/texmf
	new_name: /usr/share/texmf
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/themes
Debug 579: expanded: /usr/share/themes
Debug 590: new_name: /usr/share/themes
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/thumbnail.so
Debug 579: expanded: /usr/share/thumbnail.so
Debug 590: new_name: /usr/share/thumbnail.so
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/thumbnail.so
	new_name: /usr/share/thumbnail.so
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/uim
Debug 579: expanded: /usr/share/uim
Debug 590: new_name: /usr/share/uim
Debug 604: dir: /usr/share
Removed path: whitelist /usr/share/uim
	new_name: /usr/share/uim
	realpath: (null)
	No such file or directory
Debug 558: whitelist /usr/share/vulkan
Debug 579: expanded: /usr/share/vulkan
Debug 590: new_name: /usr/share/vulkan
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/X11
Debug 579: expanded: /usr/share/X11
Debug 590: new_name: /usr/share/X11
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/xml
Debug 579: expanded: /usr/share/xml
Debug 590: new_name: /usr/share/xml
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/zenity
Debug 579: expanded: /usr/share/zenity
Debug 590: new_name: /usr/share/zenity
Debug 604: dir: /usr/share
Debug 558: whitelist /usr/share/zoneinfo
Debug 579: expanded: /usr/share/zoneinfo
Debug 590: new_name: /usr/share/zoneinfo
Debug 604: dir: /usr/share
Debug 558: whitelist /var/lib/aspell
Debug 579: expanded: /var/lib/aspell
Debug 590: new_name: /var/lib/aspell
Debug 604: dir: /var
Adding whitelist top level directory /var
Removed path: whitelist /var/lib/aspell
	new_name: /var/lib/aspell
	realpath: (null)
	No such file or directory
Debug 558: whitelist /var/lib/ca-certificates
Debug 579: expanded: /var/lib/ca-certificates
Debug 590: new_name: /var/lib/ca-certificates
Debug 604: dir: /var
Removed path: whitelist /var/lib/ca-certificates
	new_name: /var/lib/ca-certificates
	realpath: (null)
	No such file or directory
Debug 558: whitelist /var/lib/dbus
Debug 579: expanded: /var/lib/dbus
Debug 590: new_name: /var/lib/dbus
Debug 604: dir: /var
Debug 558: whitelist /var/lib/menu-xdg
Debug 579: expanded: /var/lib/menu-xdg
Debug 590: new_name: /var/lib/menu-xdg
Debug 604: dir: /var
Removed path: whitelist /var/lib/menu-xdg
	new_name: /var/lib/menu-xdg
	realpath: (null)
	No such file or directory
Debug 558: whitelist /var/lib/uim
Debug 579: expanded: /var/lib/uim
Debug 590: new_name: /var/lib/uim
Debug 604: dir: /var
Removed path: whitelist /var/lib/uim
	new_name: /var/lib/uim
	realpath: (null)
	No such file or directory
Debug 558: whitelist /var/cache/fontconfig
Debug 579: expanded: /var/cache/fontconfig
Debug 590: new_name: /var/cache/fontconfig
Debug 604: dir: /var
Debug 558: whitelist /var/tmp
Debug 579: expanded: /var/tmp
Debug 590: new_name: /var/tmp
Debug 604: dir: /var
Debug 558: whitelist /var/run
Debug 579: expanded: /var/run
Debug 590: new_name: /var/run
Debug 604: dir: /var
Debug 558: whitelist /var/lock
Debug 579: expanded: /var/lock
Debug 590: new_name: /var/lock
Debug 604: dir: /var
Debug 558: whitelist /tmp/.X11-unix
Debug 579: expanded: /tmp/.X11-unix
Debug 590: new_name: /tmp/.X11-unix
Debug 604: dir: /tmp
Adding whitelist top level directory /tmp
Debug 558: whitelist /tmp/sndio
Debug 579: expanded: /tmp/sndio
Debug 590: new_name: /tmp/sndio
Debug 604: dir: /tmp
Removed path: whitelist /tmp/sndio
	new_name: /tmp/sndio
	realpath: (null)
	No such file or directory
Mounting tmpfs on /usr/share, check owner: no
1213 1156 0:89 / /usr/share rw,nosuid,nodev,relatime - tmpfs tmpfs rw,mode=755,inode64
mountid=1213 fsname=/ dir=/usr/share fstype=tmpfs
Mounting tmpfs on /run, check owner: no
1214 1067 0:90 / /run rw,nosuid,nodev,relatime - tmpfs tmpfs rw,mode=755,inode64
mountid=1214 fsname=/ dir=/run fstype=tmpfs
Whitelisting /run/user/1000
1236 1232 0:23 /firejail/firejail.ro.dir /run/user/1000/systemd rw,nosuid,nodev,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1236 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/systemd fstype=tmpfs
Mounting tmpfs on /var, check owner: no
1237 1137 0:130 / /var rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755,inode64
mountid=1237 fsname=/ dir=/var fstype=tmpfs
Mounting tmpfs on /tmp, check owner: no
1238 1084 0:133 / /tmp rw,nosuid,nodev,noatime - tmpfs tmpfs rw,inode64
mountid=1238 fsname=/ dir=/tmp fstype=tmpfs
Debug 739: file: /usr/share/keepassxc; dirfd: 5; topdir: /usr/share; rel: keepassxc
Whitelisting /usr/share/keepassxc
1239 1213 0:25 /usr/share/keepassxc /usr/share/keepassxc ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1239 fsname=/usr/share/keepassxc dir=/usr/share/keepassxc fstype=zfs
Debug 739: file: /run/cups/cups.sock; dirfd: 6; topdir: /run; rel: cups/cups.sock
Whitelisting /run/cups/cups.sock
1240 1214 0:23 /cups/cups.sock /run/cups/cups.sock rw,nosuid,nodev,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1240 fsname=/cups/cups.sock dir=/run/cups/cups.sock fstype=tmpfs
Debug 739: file: /run/dbus/system_bus_socket; dirfd: 6; topdir: /run; rel: dbus/system_bus_socket
Whitelisting /run/dbus/system_bus_socket
1241 1214 0:23 /firejail/firejail.ro.file /run/dbus/system_bus_socket rw,nosuid,nodev,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1241 fsname=/firejail/firejail.ro.file dir=/run/dbus/system_bus_socket fstype=tmpfs
Debug 739: file: /run/systemd/journal/dev-log; dirfd: 6; topdir: /run; rel: systemd/journal/dev-log
Whitelisting /run/systemd/journal/dev-log
1242 1214 0:23 /systemd/journal/dev-log /run/systemd/journal/dev-log rw,nosuid,nodev,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1242 fsname=/systemd/journal/dev-log dir=/run/systemd/journal/dev-log fstype=tmpfs
Debug 739: file: /run/systemd/journal/socket; dirfd: 6; topdir: /run; rel: systemd/journal/socket
Whitelisting /run/systemd/journal/socket
1243 1214 0:23 /systemd/journal/socket /run/systemd/journal/socket rw,nosuid,nodev,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1243 fsname=/systemd/journal/socket dir=/run/systemd/journal/socket fstype=tmpfs
Debug 739: file: /run/udev/data; dirfd: 6; topdir: /run; rel: udev/data
Whitelisting /run/udev/data
1244 1214 0:23 /udev/data /run/udev/data rw,nosuid,nodev,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1244 fsname=/udev/data dir=/run/udev/data fstype=tmpfs
Debug 739: file: /usr/share/alsa; dirfd: 5; topdir: /usr/share; rel: alsa
Whitelisting /usr/share/alsa
1245 1213 0:25 /usr/share/alsa /usr/share/alsa ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1245 fsname=/usr/share/alsa dir=/usr/share/alsa fstype=zfs
Debug 739: file: /usr/share/applications; dirfd: 5; topdir: /usr/share; rel: applications
Whitelisting /usr/share/applications
1246 1213 0:25 /usr/share/applications /usr/share/applications ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1246 fsname=/usr/share/applications dir=/usr/share/applications fstype=zfs
Debug 739: file: /usr/share/ca-certificates; dirfd: 5; topdir: /usr/share; rel: ca-certificates
Whitelisting /usr/share/ca-certificates
1247 1213 0:25 /usr/share/ca-certificates /usr/share/ca-certificates ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1247 fsname=/usr/share/ca-certificates dir=/usr/share/ca-certificates fstype=zfs
Debug 739: file: /usr/share/drirc.d; dirfd: 5; topdir: /usr/share; rel: drirc.d
Whitelisting /usr/share/drirc.d
1248 1213 0:25 /usr/share/drirc.d /usr/share/drirc.d ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1248 fsname=/usr/share/drirc.d dir=/usr/share/drirc.d fstype=zfs
Debug 739: file: /usr/share/egl; dirfd: 5; topdir: /usr/share; rel: egl
Whitelisting /usr/share/egl
1249 1213 0:25 /usr/share/egl /usr/share/egl ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1249 fsname=/usr/share/egl dir=/usr/share/egl fstype=zfs
Debug 739: file: /usr/share/enchant; dirfd: 5; topdir: /usr/share; rel: enchant
Whitelisting /usr/share/enchant
1250 1213 0:25 /usr/share/enchant /usr/share/enchant ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1250 fsname=/usr/share/enchant dir=/usr/share/enchant fstype=zfs
Debug 739: file: /usr/share/file; dirfd: 5; topdir: /usr/share; rel: file
Whitelisting /usr/share/file
1251 1213 0:25 /usr/share/file /usr/share/file ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1251 fsname=/usr/share/file dir=/usr/share/file fstype=zfs
Debug 739: file: /usr/share/fontconfig; dirfd: 5; topdir: /usr/share; rel: fontconfig
Whitelisting /usr/share/fontconfig
1252 1213 0:25 /usr/share/fontconfig /usr/share/fontconfig ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1252 fsname=/usr/share/fontconfig dir=/usr/share/fontconfig fstype=zfs
Debug 739: file: /usr/share/fonts; dirfd: 5; topdir: /usr/share; rel: fonts
Whitelisting /usr/share/fonts
1253 1213 0:25 /usr/share/fonts /usr/share/fonts ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1253 fsname=/usr/share/fonts dir=/usr/share/fonts fstype=zfs
Debug 739: file: /usr/share/gir-1.0; dirfd: 5; topdir: /usr/share; rel: gir-1.0
Whitelisting /usr/share/gir-1.0
1254 1213 0:25 /usr/share/gir-1.0 /usr/share/gir-1.0 ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1254 fsname=/usr/share/gir-1.0 dir=/usr/share/gir-1.0 fstype=zfs
Debug 739: file: /usr/share/glib-2.0; dirfd: 5; topdir: /usr/share; rel: glib-2.0
Whitelisting /usr/share/glib-2.0
1255 1213 0:25 /usr/share/glib-2.0 /usr/share/glib-2.0 ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1255 fsname=/usr/share/glib-2.0 dir=/usr/share/glib-2.0 fstype=zfs
Debug 739: file: /usr/share/glvnd; dirfd: 5; topdir: /usr/share; rel: glvnd
Whitelisting /usr/share/glvnd
1256 1213 0:25 /usr/share/glvnd /usr/share/glvnd ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1256 fsname=/usr/share/glvnd dir=/usr/share/glvnd fstype=zfs
Debug 739: file: /usr/share/gtk-2.0; dirfd: 5; topdir: /usr/share; rel: gtk-2.0
Whitelisting /usr/share/gtk-2.0
1257 1213 0:25 /usr/share/gtk-2.0 /usr/share/gtk-2.0 ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1257 fsname=/usr/share/gtk-2.0 dir=/usr/share/gtk-2.0 fstype=zfs
Debug 739: file: /usr/share/gtk-3.0; dirfd: 5; topdir: /usr/share; rel: gtk-3.0
Whitelisting /usr/share/gtk-3.0
1258 1213 0:25 /usr/share/gtk-3.0 /usr/share/gtk-3.0 ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1258 fsname=/usr/share/gtk-3.0 dir=/usr/share/gtk-3.0 fstype=zfs
Debug 739: file: /usr/share/gtksourceview-4; dirfd: 5; topdir: /usr/share; rel: gtksourceview-4
Whitelisting /usr/share/gtksourceview-4
1259 1213 0:25 /usr/share/gtksourceview-4 /usr/share/gtksourceview-4 ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1259 fsname=/usr/share/gtksourceview-4 dir=/usr/share/gtksourceview-4 fstype=zfs
Debug 739: file: /usr/share/hunspell; dirfd: 5; topdir: /usr/share; rel: hunspell
Whitelisting /usr/share/hunspell
1260 1213 0:25 /usr/share/hunspell /usr/share/hunspell ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1260 fsname=/usr/share/hunspell dir=/usr/share/hunspell fstype=zfs
Debug 739: file: /usr/share/hwdata; dirfd: 5; topdir: /usr/share; rel: hwdata
Whitelisting /usr/share/hwdata
1261 1213 0:25 /usr/share/hwdata /usr/share/hwdata ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1261 fsname=/usr/share/hwdata dir=/usr/share/hwdata fstype=zfs
Debug 739: file: /usr/share/icons; dirfd: 5; topdir: /usr/share; rel: icons
Whitelisting /usr/share/icons
1262 1213 0:25 /usr/share/icons /usr/share/icons ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1262 fsname=/usr/share/icons dir=/usr/share/icons fstype=zfs
Debug 739: file: /usr/share/icu; dirfd: 5; topdir: /usr/share; rel: icu
Whitelisting /usr/share/icu
1263 1213 0:25 /usr/share/icu /usr/share/icu ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1263 fsname=/usr/share/icu dir=/usr/share/icu fstype=zfs
Debug 739: file: /usr/share/kservices5; dirfd: 5; topdir: /usr/share; rel: kservices5
Whitelisting /usr/share/kservices5
1264 1213 0:25 /usr/share/kservices5 /usr/share/kservices5 ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1264 fsname=/usr/share/kservices5 dir=/usr/share/kservices5 fstype=zfs
Debug 739: file: /usr/share/libdrm; dirfd: 5; topdir: /usr/share; rel: libdrm
Whitelisting /usr/share/libdrm
1265 1213 0:25 /usr/share/libdrm /usr/share/libdrm ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1265 fsname=/usr/share/libdrm dir=/usr/share/libdrm fstype=zfs
Debug 739: file: /usr/share/libthai; dirfd: 5; topdir: /usr/share; rel: libthai
Whitelisting /usr/share/libthai
1266 1213 0:25 /usr/share/libthai /usr/share/libthai ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1266 fsname=/usr/share/libthai dir=/usr/share/libthai fstype=zfs
Debug 739: file: /usr/share/locale; dirfd: 5; topdir: /usr/share; rel: locale
Whitelisting /usr/share/locale
1267 1213 0:25 /usr/share/locale /usr/share/locale ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1267 fsname=/usr/share/locale dir=/usr/share/locale fstype=zfs
Debug 739: file: /usr/share/mime; dirfd: 5; topdir: /usr/share; rel: mime
Whitelisting /usr/share/mime
1269 1213 0:25 /usr/share/mime /usr/share/mime ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1269 fsname=/usr/share/mime dir=/usr/share/mime fstype=zfs
Debug 739: file: /usr/share/misc; dirfd: 5; topdir: /usr/share; rel: misc
Whitelisting /usr/share/misc
1270 1213 0:25 /usr/share/misc /usr/share/misc ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1270 fsname=/usr/share/misc dir=/usr/share/misc fstype=zfs
Debug 739: file: /usr/share/myspell; dirfd: 5; topdir: /usr/share; rel: myspell
Whitelisting /usr/share/myspell
1271 1213 0:25 /usr/share/myspell /usr/share/myspell ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1271 fsname=/usr/share/myspell dir=/usr/share/myspell fstype=zfs
Debug 739: file: /usr/share/p11-kit; dirfd: 5; topdir: /usr/share; rel: p11-kit
Whitelisting /usr/share/p11-kit
1272 1213 0:25 /usr/share/p11-kit /usr/share/p11-kit ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1272 fsname=/usr/share/p11-kit dir=/usr/share/p11-kit fstype=zfs
Debug 739: file: /usr/share/perl5; dirfd: 5; topdir: /usr/share; rel: perl5
Whitelisting /usr/share/perl5
1273 1213 0:25 /usr/share/perl5 /usr/share/perl5 ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1273 fsname=/usr/share/perl5 dir=/usr/share/perl5 fstype=zfs
Debug 739: file: /usr/share/pipewire; dirfd: 5; topdir: /usr/share; rel: pipewire
Whitelisting /usr/share/pipewire
1274 1213 0:25 /usr/share/pipewire /usr/share/pipewire ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1274 fsname=/usr/share/pipewire dir=/usr/share/pipewire fstype=zfs
Debug 739: file: /usr/share/pixmaps; dirfd: 5; topdir: /usr/share; rel: pixmaps
Whitelisting /usr/share/pixmaps
1275 1213 0:25 /usr/share/pixmaps /usr/share/pixmaps ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1275 fsname=/usr/share/pixmaps dir=/usr/share/pixmaps fstype=zfs
Debug 739: file: /usr/share/qt; dirfd: 5; topdir: /usr/share; rel: qt
Whitelisting /usr/share/qt
1276 1213 0:25 /usr/share/qt /usr/share/qt ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1276 fsname=/usr/share/qt dir=/usr/share/qt fstype=zfs
Debug 739: file: /usr/share/sounds; dirfd: 5; topdir: /usr/share; rel: sounds
Whitelisting /usr/share/sounds
1277 1213 0:25 /usr/share/sounds /usr/share/sounds ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1277 fsname=/usr/share/sounds dir=/usr/share/sounds fstype=zfs
Debug 739: file: /usr/share/terminfo; dirfd: 5; topdir: /usr/share; rel: terminfo
Whitelisting /usr/share/terminfo
1278 1213 0:25 /usr/share/terminfo /usr/share/terminfo ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1278 fsname=/usr/share/terminfo dir=/usr/share/terminfo fstype=zfs
Debug 739: file: /usr/share/themes; dirfd: 5; topdir: /usr/share; rel: themes
Whitelisting /usr/share/themes
1279 1213 0:25 /usr/share/themes /usr/share/themes ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1279 fsname=/usr/share/themes dir=/usr/share/themes fstype=zfs
Debug 739: file: /usr/share/vulkan; dirfd: 5; topdir: /usr/share; rel: vulkan
Whitelisting /usr/share/vulkan
1280 1213 0:25 /usr/share/vulkan /usr/share/vulkan ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1280 fsname=/usr/share/vulkan dir=/usr/share/vulkan fstype=zfs
Debug 739: file: /usr/share/X11; dirfd: 5; topdir: /usr/share; rel: X11
Whitelisting /usr/share/X11
1281 1213 0:25 /usr/share/X11 /usr/share/X11 ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1281 fsname=/usr/share/X11 dir=/usr/share/X11 fstype=zfs
Debug 739: file: /usr/share/xml; dirfd: 5; topdir: /usr/share; rel: xml
Whitelisting /usr/share/xml
1282 1213 0:25 /usr/share/xml /usr/share/xml ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1282 fsname=/usr/share/xml dir=/usr/share/xml fstype=zfs
Debug 739: file: /usr/share/zenity; dirfd: 5; topdir: /usr/share; rel: zenity
Whitelisting /usr/share/zenity
1283 1213 0:25 /usr/share/zenity /usr/share/zenity ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1283 fsname=/usr/share/zenity dir=/usr/share/zenity fstype=zfs
Debug 739: file: /usr/share/zoneinfo; dirfd: 5; topdir: /usr/share; rel: zoneinfo
Whitelisting /usr/share/zoneinfo
1284 1213 0:25 /usr/share/zoneinfo /usr/share/zoneinfo ro,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1284 fsname=/usr/share/zoneinfo dir=/usr/share/zoneinfo fstype=zfs
Debug 739: file: /var/lib/dbus; dirfd: 8; topdir: /var; rel: lib/dbus
Whitelisting /var/lib/dbus
1286 1237 0:25 /var/lib/dbus /var/lib/dbus ro,nosuid,nodev,noexec,relatime master:1 - zfs zroot/enc/perm/root rw,xattr,posixacl
mountid=1286 fsname=/var/lib/dbus dir=/var/lib/dbus fstype=zfs
Debug 739: file: /var/cache/fontconfig; dirfd: 8; topdir: /var; rel: cache/fontconfig
Whitelisting /var/cache/fontconfig
1287 1237 0:43 /fontconfig /var/cache/fontconfig ro,nosuid,nodev,noexec,noatime master:50 - zfs zroot/enc/ephem/no-repl/var/cache rw,xattr,posixacl
mountid=1287 fsname=/fontconfig dir=/var/cache/fontconfig fstype=zfs
Debug 739: file: /var/tmp; dirfd: 8; topdir: /var; rel: tmp
Whitelisting /var/tmp
1289 1237 0:82 / /var/tmp rw,nosuid,nodev,noexec - tmpfs tmpfs rw,inode64
mountid=1289 fsname=/ dir=/var/tmp fstype=tmpfs
Created symbolic link /var/run -> /run
Created symbolic link /var/lock -> /run/lock
Debug 739: file: /tmp/.X11-unix; dirfd: 9; topdir: /tmp; rel: .X11-unix
Whitelisting /tmp/.X11-unix
1290 1238 0:52 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noatime master:74 - tmpfs tmpfs rw,size=6291456k,inode64
mountid=1290 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Disable /home/seonwoo/.local/share/Trash
Disable /home/seonwoo/.python_history
Disable /home/seonwoo/.bash_history
Disable /home/seonwoo/.local/share/klipper
Disable /home/seonwoo/.python_history
Disable /home/seonwoo/.lesshst
Disable /home/seonwoo/.viminfo
Disable /home/seonwoo/.config/autostart
Disable /home/seonwoo/.config/lxsession/LXDE/autostart
Disable /home/seonwoo/.config/openbox
Mounting read-only /home/seonwoo/.Xauthority
1301 1167 0:27 /.Xauthority /home/seonwoo/.Xauthority ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1301 fsname=/.Xauthority dir=/home/seonwoo/.Xauthority fstype=zfs
Mounting read-only /home/seonwoo/.kde4/share/config/kdeglobals
1302 1167 0:27 /.kde4/share/config/kdeglobals /home/seonwoo/.kde4/share/config/kdeglobals ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1302 fsname=/.kde4/share/config/kdeglobals dir=/home/seonwoo/.kde4/share/config/kdeglobals fstype=zfs
Mounting read-only /home/seonwoo/.kde4/share/kde4/services
1303 1167 0:27 /.kde4/share/kde4/services /home/seonwoo/.kde4/share/kde4/services ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1303 fsname=/.kde4/share/kde4/services dir=/home/seonwoo/.kde4/share/kde4/services fstype=zfs
Disable /home/seonwoo/.local/share/gnome-shell
Disable /home/seonwoo/.local/share/gvfs-metadata
Mounting read-only /home/seonwoo/.config/dconf
1306 1167 0:27 /.config/dconf /home/seonwoo/.config/dconf ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1306 fsname=/.config/dconf dir=/home/seonwoo/.config/dconf fstype=zfs
Disable /home/seonwoo/.config/systemd
Disable /home/seonwoo/.local/share/systemd
Disable /run/user/1000/systemd
Disable /home/seonwoo/.VirtualBox
Disable /home/seonwoo/.VeraCrypt
Disable /usr/share/applications/veracrypt.desktop
Disable /usr/share/pixmaps/veracrypt.xpm
Mounting read-only /home/seonwoo/.bash_logout
1315 1167 0:27 /.bash_logout /home/seonwoo/.bash_logout ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1315 fsname=/.bash_logout dir=/home/seonwoo/.bash_logout fstype=zfs
Mounting read-only /home/seonwoo/.bash_profile
1316 1167 0:27 /.bash_profile /home/seonwoo/.bash_profile ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1316 fsname=/.bash_profile dir=/home/seonwoo/.bash_profile fstype=zfs
Mounting read-only /home/seonwoo/.bashrc
1317 1167 0:27 /.bashrc /home/seonwoo/.bashrc ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1317 fsname=/.bashrc dir=/home/seonwoo/.bashrc fstype=zfs
Mounting read-only /home/seonwoo/.profile
1318 1167 0:27 /.profile /home/seonwoo/.profile ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1318 fsname=/.profile dir=/home/seonwoo/.profile fstype=zfs
Disable /home/seonwoo/.ssh/authorized_keys
Mounting read-only /home/seonwoo/.ssh/config
1320 1167 0:27 /.ssh/config /home/seonwoo/.ssh/config ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1320 fsname=/.ssh/config dir=/home/seonwoo/.ssh/config fstype=zfs
Mounting read-only /home/seonwoo/.emacs
1321 1167 0:27 /.emacs /home/seonwoo/.emacs ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1321 fsname=/.emacs dir=/home/seonwoo/.emacs fstype=zfs
Mounting read-only /home/seonwoo/.emacs.d
1322 1167 0:27 /.emacs.d /home/seonwoo/.emacs.d ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1322 fsname=/.emacs.d dir=/home/seonwoo/.emacs.d fstype=zfs
Mounting read-only /home/seonwoo/.local/lib
1323 1167 0:27 /.local/lib /home/seonwoo/.local/lib ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1323 fsname=/.local/lib dir=/home/seonwoo/.local/lib fstype=zfs
Mounting read-only /home/seonwoo/.vim
1324 1167 0:27 /.vim /home/seonwoo/.vim ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1324 fsname=/.vim dir=/home/seonwoo/.vim fstype=zfs
Mounting read-only /home/seonwoo/.viminfo
1325 1297 0:23 /firejail/firejail.ro.file /home/seonwoo/.viminfo ro,nosuid,nodev,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1325 fsname=/firejail/firejail.ro.file dir=/home/seonwoo/.viminfo fstype=tmpfs
Mounting read-only /home/seonwoo/.vimrc
1326 1167 0:27 /.vimrc /home/seonwoo/.vimrc ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1326 fsname=/.vimrc dir=/home/seonwoo/.vimrc fstype=zfs
Mounting read-only /home/seonwoo/.local/bin
1327 1167 0:27 /.local/bin /home/seonwoo/.local/bin ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1327 fsname=/.local/bin dir=/home/seonwoo/.local/bin fstype=zfs
Mounting read-only /home/seonwoo/bin
1328 1167 0:27 /bin /home/seonwoo/bin ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1328 fsname=/bin dir=/home/seonwoo/bin fstype=zfs
Mounting read-only /home/seonwoo/.config/menus
1329 1167 0:27 /.config/menus /home/seonwoo/.config/menus ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1329 fsname=/.config/menus dir=/home/seonwoo/.config/menus fstype=zfs
Mounting read-only /home/seonwoo/.local/share/applications
1330 1167 0:27 /.local/share/applications /home/seonwoo/.local/share/applications ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1330 fsname=/.local/share/applications dir=/home/seonwoo/.local/share/applications fstype=zfs
Mounting read-only /home/seonwoo/.config/mimeapps.list
1331 1167 0:27 /.config/mimeapps.list /home/seonwoo/.config/mimeapps.list ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1331 fsname=/.config/mimeapps.list dir=/home/seonwoo/.config/mimeapps.list fstype=zfs
Mounting read-only /home/seonwoo/.config/user-dirs.dirs
1332 1167 0:27 /.config/user-dirs.dirs /home/seonwoo/.config/user-dirs.dirs ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1332 fsname=/.config/user-dirs.dirs dir=/home/seonwoo/.config/user-dirs.dirs fstype=zfs
Mounting read-only /home/seonwoo/.config/user-dirs.locale
1333 1167 0:27 /.config/user-dirs.locale /home/seonwoo/.config/user-dirs.locale ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1333 fsname=/.config/user-dirs.locale dir=/home/seonwoo/.config/user-dirs.locale fstype=zfs
Mounting read-only /home/seonwoo/.local/share/mime
1334 1167 0:27 /.local/share/mime /home/seonwoo/.local/share/mime ro,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1334 fsname=/.local/share/mime dir=/home/seonwoo/.local/share/mime fstype=zfs
Not blacklist /home/seonwoo/*.kdb
Not blacklist /home/seonwoo/Database-cached.kdbx
Disable /home/seonwoo/.gnupg
Disable /home/seonwoo/.local/share/keyrings
Disable /home/seonwoo/.local/share/pki
Disable /home/seonwoo/.pki
Disable /home/seonwoo/.ssh
Warning: /sbin directory link was not blacklisted
Disable /usr/local/sbin
Warning: /usr/sbin directory link was not blacklisted
Warning (blacklisting): cannot open /usr/local/sbin/at: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/busybox: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/chage: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/chfn: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/chsh: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/crontab: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/evtest: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/expiry: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/fusermount: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gksu: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gksudo: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gpasswd: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/kdesudo: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ksu: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/mount: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/mount.ecryptfs_private: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/nc: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ncat: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/nmap: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/newgidmap: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/newgrp: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/newuidmap: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ntfs-3g: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/pkexec: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/procmail: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/sg: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/strace: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/su: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/sudo: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/tcpdump: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/umount: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/unix_chkpwd: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/xev: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/xinput: Permission denied
Disable /usr/lib/ssh
Warning (blacklisting): cannot open /usr/local/sbin/passwd: Permission denied
Disable /usr/lib/dbus-1.0/dbus-daemon-launch-helper
Disable /usr/lib/chromium/chrome-sandbox
Warning (blacklisting): cannot open /usr/local/sbin/suexec: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/slock: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/physlock: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/schroot: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/wshowkeys: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/pmount: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/pumount: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/bmon: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/fping: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/fping6: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/hostname: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/mtr: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/mtr-packet: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/netstat: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/nm-online: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/nmcli: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/nmtui: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/nmtui-connect: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/nmtui-edit: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/nmtui-hostname: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/networkctl: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ss: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/traceroute: Permission denied
Disable /usr/lib/virtualbox
Disable /usr/lib/virtualbox (requested /usr/lib64/virtualbox)
Warning (blacklisting): cannot open /usr/local/sbin/gnome-terminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gnome-terminal.wrapper: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/lilyterm: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/lxterminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/mate-terminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/mate-terminal.wrapper: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/pantheon-terminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/roxterm: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/roxterm-config: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/terminix: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/tilix: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/urxvtc: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/urxvtcd: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/xfce4-terminal: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/xfce4-terminal.wrapper: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/bwrap: Permission denied
Disable /proc/config.gz
Warning (blacklisting): cannot open /usr/local/sbin/dig: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/dlint: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/dns2tcp: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/dnssec-*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/dnswalk: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/drill: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/host: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/iodine: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/kdig: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/khost: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/knsupdate: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ldns-*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ldnsd: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/nslookup: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/resolvectl: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/unbound-host: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ftp: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ssh: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/telnet: Permission denied
Disable /run/user/1000/pipewire-0.lock
Disable /home/seonwoo/.local/opt/tor-browser
Warning (blacklisting): cannot open /usr/local/sbin/clang*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/lldb*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/llvm*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/as: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/cc: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/c++*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/c8*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/c9*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/cpp*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/g++*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gcc*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gdb: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ld: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/*-gcc*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/*-g++*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/*-gcc*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/*-g++*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gccgo: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/go: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gofmt: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/java: Permission denied
Disable /usr/lib/jvm/java-17-openjdk/bin/java (requested /usr/lib/jvm/default/bin/java)
Warning (blacklisting): cannot open /usr/local/sbin/javac: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/openssl: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/openssl-1.0: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/rust-gdb: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/rust-lldb: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/rustc: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/tcc: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/x86_64-tcc: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/valgrind*: Permission denied
Disable /usr/src
Disable /usr/local/src
Disable /usr/include
Disable /usr/local/include
Mounting noexec /home/seonwoo
1418 1365 0:23 /firejail/firejail.ro.dir /home/seonwoo/.config/firejail rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1418 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.config/firejail fstype=tmpfs
Mounting noexec /home/seonwoo/.local/share/Trash
1419 1366 0:23 /firejail/firejail.ro.dir /home/seonwoo/.local/share/Trash rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1419 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.local/share/Trash fstype=tmpfs
Mounting noexec /home/seonwoo/.python_history
1420 1368 0:23 /firejail/firejail.ro.file /home/seonwoo/.python_history rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1420 fsname=/firejail/firejail.ro.file dir=/home/seonwoo/.python_history fstype=tmpfs
Mounting noexec /home/seonwoo/.bash_history
1421 1369 0:23 /firejail/firejail.ro.file /home/seonwoo/.bash_history rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1421 fsname=/firejail/firejail.ro.file dir=/home/seonwoo/.bash_history fstype=tmpfs
Mounting noexec /home/seonwoo/.local/share/klipper
1422 1370 0:23 /firejail/firejail.ro.dir /home/seonwoo/.local/share/klipper rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1422 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.local/share/klipper fstype=tmpfs
Mounting noexec /home/seonwoo/.lesshst
1423 1371 0:23 /firejail/firejail.ro.file /home/seonwoo/.lesshst rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1423 fsname=/firejail/firejail.ro.file dir=/home/seonwoo/.lesshst fstype=tmpfs
Mounting noexec /home/seonwoo/.viminfo
1424 1373 0:23 /firejail/firejail.ro.file /home/seonwoo/.viminfo ro,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1424 fsname=/firejail/firejail.ro.file dir=/home/seonwoo/.viminfo fstype=tmpfs
Mounting noexec /home/seonwoo/.config/autostart
1425 1374 0:23 /firejail/firejail.ro.dir /home/seonwoo/.config/autostart rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1425 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.config/autostart fstype=tmpfs
Mounting noexec /home/seonwoo/.config/lxsession/LXDE/autostart
1426 1375 0:23 /firejail/firejail.ro.file /home/seonwoo/.config/lxsession/LXDE/autostart rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1426 fsname=/firejail/firejail.ro.file dir=/home/seonwoo/.config/lxsession/LXDE/autostart fstype=tmpfs
Mounting noexec /home/seonwoo/.config/openbox
1427 1376 0:23 /firejail/firejail.ro.dir /home/seonwoo/.config/openbox rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1427 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.config/openbox fstype=tmpfs
Mounting noexec /home/seonwoo/.Xauthority
1428 1377 0:27 /.Xauthority /home/seonwoo/.Xauthority ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1428 fsname=/.Xauthority dir=/home/seonwoo/.Xauthority fstype=zfs
Mounting noexec /home/seonwoo/.kde4/share/config/kdeglobals
1429 1378 0:27 /.kde4/share/config/kdeglobals /home/seonwoo/.kde4/share/config/kdeglobals ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1429 fsname=/.kde4/share/config/kdeglobals dir=/home/seonwoo/.kde4/share/config/kdeglobals fstype=zfs
Mounting noexec /home/seonwoo/.kde4/share/kde4/services
1430 1379 0:27 /.kde4/share/kde4/services /home/seonwoo/.kde4/share/kde4/services ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1430 fsname=/.kde4/share/kde4/services dir=/home/seonwoo/.kde4/share/kde4/services fstype=zfs
Mounting noexec /home/seonwoo/.local/share/gnome-shell
1431 1380 0:23 /firejail/firejail.ro.dir /home/seonwoo/.local/share/gnome-shell rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1431 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.local/share/gnome-shell fstype=tmpfs
Mounting noexec /home/seonwoo/.local/share/gvfs-metadata
1432 1381 0:23 /firejail/firejail.ro.dir /home/seonwoo/.local/share/gvfs-metadata rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1432 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.local/share/gvfs-metadata fstype=tmpfs
Mounting noexec /home/seonwoo/.config/dconf
1433 1382 0:27 /.config/dconf /home/seonwoo/.config/dconf ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1433 fsname=/.config/dconf dir=/home/seonwoo/.config/dconf fstype=zfs
Mounting noexec /home/seonwoo/.config/systemd
1434 1383 0:23 /firejail/firejail.ro.dir /home/seonwoo/.config/systemd rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1434 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.config/systemd fstype=tmpfs
Mounting noexec /home/seonwoo/.local/share/systemd
1435 1384 0:23 /firejail/firejail.ro.dir /home/seonwoo/.local/share/systemd rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1435 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.local/share/systemd fstype=tmpfs
Mounting noexec /home/seonwoo/.VirtualBox
1436 1385 0:23 /firejail/firejail.ro.dir /home/seonwoo/.VirtualBox rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1436 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.VirtualBox fstype=tmpfs
Mounting noexec /home/seonwoo/.VeraCrypt
1437 1386 0:23 /firejail/firejail.ro.dir /home/seonwoo/.VeraCrypt rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1437 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.VeraCrypt fstype=tmpfs
Mounting noexec /home/seonwoo/.bash_logout
1438 1387 0:27 /.bash_logout /home/seonwoo/.bash_logout ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1438 fsname=/.bash_logout dir=/home/seonwoo/.bash_logout fstype=zfs
Mounting noexec /home/seonwoo/.bash_profile
1439 1388 0:27 /.bash_profile /home/seonwoo/.bash_profile ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1439 fsname=/.bash_profile dir=/home/seonwoo/.bash_profile fstype=zfs
Mounting noexec /home/seonwoo/.bashrc
1440 1389 0:27 /.bashrc /home/seonwoo/.bashrc ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1440 fsname=/.bashrc dir=/home/seonwoo/.bashrc fstype=zfs
Mounting noexec /home/seonwoo/.profile
1441 1390 0:27 /.profile /home/seonwoo/.profile ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1441 fsname=/.profile dir=/home/seonwoo/.profile fstype=zfs
Warning: not remounting /home/seonwoo/.ssh/authorized_keys
Warning: not remounting /home/seonwoo/.ssh/config
Mounting noexec /home/seonwoo/.emacs
1442 1393 0:27 /.emacs /home/seonwoo/.emacs ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1442 fsname=/.emacs dir=/home/seonwoo/.emacs fstype=zfs
Mounting noexec /home/seonwoo/.emacs.d
1443 1394 0:27 /.emacs.d /home/seonwoo/.emacs.d ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1443 fsname=/.emacs.d dir=/home/seonwoo/.emacs.d fstype=zfs
Mounting noexec /home/seonwoo/.local/lib
1444 1395 0:27 /.local/lib /home/seonwoo/.local/lib ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1444 fsname=/.local/lib dir=/home/seonwoo/.local/lib fstype=zfs
Mounting noexec /home/seonwoo/.vim
1445 1396 0:27 /.vim /home/seonwoo/.vim ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1445 fsname=/.vim dir=/home/seonwoo/.vim fstype=zfs
Mounting noexec /home/seonwoo/.vimrc
1446 1397 0:27 /.vimrc /home/seonwoo/.vimrc ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1446 fsname=/.vimrc dir=/home/seonwoo/.vimrc fstype=zfs
Mounting noexec /home/seonwoo/.local/bin
1447 1398 0:27 /.local/bin /home/seonwoo/.local/bin ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1447 fsname=/.local/bin dir=/home/seonwoo/.local/bin fstype=zfs
Mounting noexec /home/seonwoo/bin
1448 1399 0:27 /bin /home/seonwoo/bin ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1448 fsname=/bin dir=/home/seonwoo/bin fstype=zfs
Mounting noexec /home/seonwoo/.config/menus
1449 1400 0:27 /.config/menus /home/seonwoo/.config/menus ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1449 fsname=/.config/menus dir=/home/seonwoo/.config/menus fstype=zfs
Mounting noexec /home/seonwoo/.local/share/applications
1450 1401 0:27 /.local/share/applications /home/seonwoo/.local/share/applications ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1450 fsname=/.local/share/applications dir=/home/seonwoo/.local/share/applications fstype=zfs
Mounting noexec /home/seonwoo/.config/mimeapps.list
1451 1402 0:27 /.config/mimeapps.list /home/seonwoo/.config/mimeapps.list ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1451 fsname=/.config/mimeapps.list dir=/home/seonwoo/.config/mimeapps.list fstype=zfs
Mounting noexec /home/seonwoo/.config/user-dirs.dirs
1452 1403 0:27 /.config/user-dirs.dirs /home/seonwoo/.config/user-dirs.dirs ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1452 fsname=/.config/user-dirs.dirs dir=/home/seonwoo/.config/user-dirs.dirs fstype=zfs
Mounting noexec /home/seonwoo/.config/user-dirs.locale
1453 1404 0:27 /.config/user-dirs.locale /home/seonwoo/.config/user-dirs.locale ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1453 fsname=/.config/user-dirs.locale dir=/home/seonwoo/.config/user-dirs.locale fstype=zfs
Mounting noexec /home/seonwoo/.local/share/mime
1454 1405 0:27 /.local/share/mime /home/seonwoo/.local/share/mime ro,nosuid,nodev,noexec,relatime master:3 - zfs zroot/enc/perm/root/home/seonwoo rw,xattr,posixacl
mountid=1454 fsname=/.local/share/mime dir=/home/seonwoo/.local/share/mime fstype=zfs
Mounting noexec /home/seonwoo/.gnupg
1455 1406 0:23 /firejail/firejail.ro.dir /home/seonwoo/.gnupg rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1455 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.gnupg fstype=tmpfs
Mounting noexec /home/seonwoo/.local/share/keyrings
1456 1407 0:23 /firejail/firejail.ro.dir /home/seonwoo/.local/share/keyrings rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1456 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.local/share/keyrings fstype=tmpfs
Mounting noexec /home/seonwoo/.local/share/pki
1457 1408 0:23 /firejail/firejail.ro.dir /home/seonwoo/.local/share/pki rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1457 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.local/share/pki fstype=tmpfs
Mounting noexec /home/seonwoo/.pki
1458 1409 0:23 /firejail/firejail.ro.dir /home/seonwoo/.pki rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1458 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.pki fstype=tmpfs
Mounting noexec /home/seonwoo/.ssh
1459 1410 0:23 /firejail/firejail.ro.dir /home/seonwoo/.ssh rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1459 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.ssh fstype=tmpfs
Mounting noexec /home/seonwoo/.local/opt/tor-browser
1460 1411 0:23 /firejail/firejail.ro.dir /home/seonwoo/.local/opt/tor-browser rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1460 fsname=/firejail/firejail.ro.dir dir=/home/seonwoo/.local/opt/tor-browser fstype=tmpfs
Mounting noexec /run/user/1000
1467 1461 0:23 /firejail/firejail.ro.file /run/user/1000/pipewire-0.lock rw,nosuid,nodev,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1467 fsname=/firejail/firejail.ro.file dir=/run/user/1000/pipewire-0.lock fstype=tmpfs
Warning: not remounting /run/user/1000/gvfs
Mounting noexec /run/user/1000/bus
1468 1463 0:23 /firejail/firejail.ro.file /run/user/1000/bus rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1468 fsname=/firejail/firejail.ro.file dir=/run/user/1000/bus fstype=tmpfs
Mounting noexec /run/user/1000/gnupg
1469 1464 0:23 /firejail/firejail.ro.dir /run/user/1000/gnupg rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1469 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/gnupg fstype=tmpfs
Mounting noexec /run/user/1000/systemd
1470 1466 0:23 /firejail/firejail.ro.dir /run/user/1000/systemd rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1470 fsname=/firejail/firejail.ro.dir dir=/run/user/1000/systemd fstype=tmpfs
Mounting noexec /run/user/1000/pipewire-0.lock
1471 1467 0:23 /firejail/firejail.ro.file /run/user/1000/pipewire-0.lock rw,nosuid,nodev,noexec,relatime master:15 - tmpfs run rw,mode=755,inode64
mountid=1471 fsname=/firejail/firejail.ro.file dir=/run/user/1000/pipewire-0.lock fstype=tmpfs
Mounting noexec /dev/shm
1472 1025 0:24 / /dev/shm rw,nosuid,nodev,noexec master:7 - tmpfs tmpfs rw,inode64
mountid=1472 fsname=/ dir=/dev/shm fstype=tmpfs
Mounting noexec /tmp
1474 1473 0:52 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noatime master:74 - tmpfs tmpfs rw,size=6291456k,inode64
mountid=1474 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Mounting noexec /tmp/.X11-unix
1475 1474 0:52 /.X11-unix /tmp/.X11-unix rw,nosuid,nodev,noexec,noatime master:74 - tmpfs tmpfs rw,size=6291456k,inode64
mountid=1475 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Warning (blacklisting): cannot open /usr/local/sbin/gjs: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/gjs-console: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/lua*: Permission denied
Warning (blacklisting): cannot open /usr/include/lua*: Permission denied
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib/liblua.so.5.3.6)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib/liblua5.2.so)
Disable /usr/lib/libluajit-5.1.so.2.1.0
Disable /usr/lib/liblua5.2.so.5.2.4
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib/liblua5.2.so.5.2)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib/liblua5.3.so)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib/liblua.so.5.2)
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib/liblua5.4.so)
Disable /usr/lib/liblua.so.5.4.4
Disable /usr/lib/libluajit-5.1.so.2.1.0 (requested /usr/lib/libluajit-5.1.so)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib/liblua5.3.so.5.3)
Disable /usr/lib/liblua5.3.so.5.3.6
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib/liblua.so)
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib/liblua.so.5.4)
Disable /usr/lib/libluajit-5.1.so.2.1.0 (requested /usr/lib/libluajit-5.1.so.2)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib/liblua.so.5.3)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib/liblua.so.5.2.4)
Disable /usr/lib/lua
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib64/liblua.so.5.3.6)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib64/liblua5.2.so)
Disable /usr/lib/libluajit-5.1.so.2.1.0 (requested /usr/lib64/libluajit-5.1.so.2.1.0)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib64/liblua5.2.so.5.2.4)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib64/liblua5.2.so.5.2)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib64/liblua5.3.so)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib64/liblua.so.5.2)
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib64/liblua5.4.so)
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib64/liblua.so.5.4.4)
Disable /usr/lib/libluajit-5.1.so.2.1.0 (requested /usr/lib64/libluajit-5.1.so)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib64/liblua5.3.so.5.3)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib64/liblua5.3.so.5.3.6)
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib64/liblua.so)
Disable /usr/lib/liblua.so.5.4.4 (requested /usr/lib64/liblua.so.5.4)
Disable /usr/lib/libluajit-5.1.so.2.1.0 (requested /usr/lib64/libluajit-5.1.so.2)
Disable /usr/lib/liblua5.3.so.5.3.6 (requested /usr/lib64/liblua.so.5.3)
Disable /usr/lib/liblua5.2.so.5.2.4 (requested /usr/lib64/liblua.so.5.2.4)
Disable /usr/lib/lua (requested /usr/lib64/lua)
Disable /usr/lib/libmozjs-52.so.old
Disable /usr/lib/libmozjs-78.so
Disable /usr/lib/libmozjs-52.so.old (requested /usr/lib/libmozjs-52.so.0)
Disable /usr/lib/libmozjs-52.so.old (requested /usr/lib64/libmozjs-52.so.old)
Disable /usr/lib/libmozjs-78.so (requested /usr/lib64/libmozjs-78.so)
Disable /usr/lib/libmozjs-52.so.old (requested /usr/lib64/libmozjs-52.so.0)
Warning (blacklisting): cannot open /usr/local/sbin/node: Permission denied
Warning (blacklisting): cannot open /usr/include/node: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/core_perl: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/cpan*: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/perl: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/site_perl: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/vendor_perl: Permission denied
Disable /usr/lib/perl5
Disable /usr/lib/perl5 (requested /usr/lib64/perl5)
Disable /usr/share/perl5
Warning (blacklisting): cannot open /usr/local/sbin/rxvt: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/php*: Permission denied
Disable /usr/lib/php7
Warning (blacklisting): cannot open /usr/local/sbin/ruby: Permission denied
Disable /usr/lib/ruby
Disable /usr/lib/ruby (requested /usr/lib64/ruby)
Warning (blacklisting): cannot open /usr/local/sbin/python2*: Permission denied
Warning (blacklisting): cannot open /usr/include/python2*: Permission denied
Disable /usr/lib/python2.7
Warning (blacklisting): cannot open /usr/local/sbin/python3*: Permission denied
Warning (blacklisting): cannot open /usr/include/python3*: Permission denied
Disable /usr/lib/python3.10
Disable /usr/lib/python3.9
Disable /usr/lib/python3.10 (requested /usr/lib64/python3.10)
Disable /usr/lib/python3.9 (requested /usr/lib64/python3.9)
Disable /home/seonwoo/.VirtualBox
Disable /home/seonwoo/.android
Disable /home/seonwoo/.audacity-data
Disable /home/seonwoo/.cache/chromium
Disable /home/seonwoo/.cache/geeqie
Not blacklist /home/seonwoo/.cache/keepassxc
Disable /home/seonwoo/.cache/mozilla
Disable /home/seonwoo/.cache/vlc
Not blacklist /home/seonwoo/.config/BraveSoftware
Not blacklist /home/seonwoo/.config/KeePassXCrc
Disable /home/seonwoo/.config/Slack
Disable /home/seonwoo/.config/Thunar
Disable /home/seonwoo/.config/asunder
Not blacklist /home/seonwoo/.config/chromium
Disable /home/seonwoo/.config/gnome-session
Not blacklist /home/seonwoo/.config/google-chrome
Not blacklist /home/seonwoo/.config/keepassxc
Not blacklist /home/seonwoo/.config/vivaldi
Disable /home/seonwoo/.config/vlc
Disable /home/seonwoo/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
Disable /home/seonwoo/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-mixer.xml
Disable /home/seonwoo/.cups
Disable /home/seonwoo/.elinks
Disable /home/seonwoo/.emacs
Disable /home/seonwoo/.emacs.d
Disable /home/seonwoo/.gimp-2.8
Disable /home/seonwoo/.gitconfig
Not blacklist /home/seonwoo/.keepassxc
Disable /home/seonwoo/.killingfloor
Disable /home/seonwoo/.klei
Disable /home/seonwoo/.local/share/qpdfview
Not blacklist /home/seonwoo/.local/share/torbrowser
Disable /home/seonwoo/.local/share/totem
Disable /home/seonwoo/.local/share/vlc
Disable /home/seonwoo/.local/share/vpltd
Disable /home/seonwoo/.local/share/vulkan
Disable /home/seonwoo/.local/state/pipewire
Disable /home/seonwoo/.mbwarband
Not blacklist /home/seonwoo/.mozilla
Disable /home/seonwoo/.npm
Disable /home/seonwoo/.nv
Disable /home/seonwoo/.paradoxinteractive
Disable /home/seonwoo/.vim
Disable /home/seonwoo/.vimrc
Disable /home/seonwoo/.wget-hsts
Warning (blacklisting): cannot open /usr/local/sbin/bash: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/csh: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/dash: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/fish: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/ksh: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/mksh: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/oksh: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/sh: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/tclsh: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/tcsh: Permission denied
Warning (blacklisting): cannot open /usr/local/sbin/zsh: Permission denied
Not blacklist ${DOCUMENTS}
Mounting read-only /tmp/.X11-unix
1633 1475 0:52 /.X11-unix /tmp/.X11-unix ro,nosuid,nodev,noexec,noatime master:74 - tmpfs tmpfs rw,size=6291456k,inode64
mountid=1633 fsname=/.X11-unix dir=/tmp/.X11-unix fstype=tmpfs
Disable /sys/fs
Disable /sys/module
disable pulseaudio
blacklist /home/seonwoo/.config/pulse
blacklist /run/user/1000/pulse/native
blacklist /run/user/1000/pulse
disable pipewire
blacklist /run/user/1000/pipewire-0.lock
blacklist /run/user/1000/pipewire-0
blacklist /run/user/1000/pipewire-0.lock
blacklist /run/user/1000/pipewire-0
blacklist /dev/snd
blacklist /dev/dri
blacklist /dev/nvidia0
blacklist /dev/nvidiactl
blacklist /dev/nvidia-modeset
blacklist /dev/nvidia-uvm
blacklist /dev/input
rebuilding /etc directory
Creating empty /run/firejail/mnt/dns-etc/machine-id file
Creating empty /run/firejail/mnt/dns-etc/ld.so.preload file
Creating empty /run/firejail/mnt/dns-etc/ld.so.cache file
Creating empty /run/firejail/mnt/dns-etc/fonts directory
Mount-bind /run/firejail/mnt/dns-etc on top of /etc
Current directory: /home/seonwoo
DISPLAY=:0.0 parsed as 0
Install protocol filter: unix
configuring 16 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol 
Dropping all capabilities
Drop privileges: pid 11, uid 1000, gid 100, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 04 00 c000003e   jeq ARCH_64 0006 (false 0002)
 0002: 20 00 00 00000000   ld  data.syscall-number
 0003: 15 01 00 00000167   jeq unknown 0005 (false 0004)
 0004: 06 00 00 7fff0000   ret ALLOW
 0005: 05 00 00 00000006   jmp 000c
 0006: 20 00 00 00000004   ld  data.architecture
 0007: 15 01 00 c000003e   jeq ARCH_64 0009 (false 0008)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 20 00 00 00000000   ld  data.syscall-number
 000a: 15 01 00 00000029   jeq socket 000c (false 000b)
 000b: 06 00 00 7fff0000   ret ALLOW
 000c: 20 00 00 00000010   ld  data.args[0]
 000d: 15 00 01 00000001   jeq 1 000e (false 000f)
 000e: 06 00 00 7fff0000   ret ALLOW
 000f: 06 00 00 0005005f   ret ERRNO(95)
configuring 15 seccomp entries in /run/firejail/mnt/seccomp/seccomp.block_secondary
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.block_secondary 
Dropping all capabilities
Drop privileges: pid 12, uid 1000, gid 100, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 00050001   ret ERRNO(1)
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 06 00000087   jeq personality 0008 (false 000e)
 0008: 20 00 00 00000010   ld  data.args[0]
 0009: 15 01 00 00000000   jeq 0 000b (false 000a)
 000a: 15 00 02 ffffffff   jeq ffffffff 000b (false 000d)
 000b: 20 00 00 00000014   ld  data.args[4]
 000c: 15 01 00 00000000   jeq 0 000e (false 000d)
 000d: 06 00 00 00050001   ret ERRNO(1)
 000e: 06 00 00 7fff0000   ret ALLOW
Secondary arch blocking seccomp filter configured
Build default+drop seccomp filter
sbox run: /run/firejail/lib/fseccomp default drop /run/firejail/mnt/seccomp/seccomp /run/firejail/mnt/seccomp/seccomp.postexec !name_to_handle_at 
Dropping all capabilities
Drop privileges: pid 13, uid 1000, gid 100, force_nogroups 1
No supplementary groups
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
sbox run: /run/firejail/lib/fsec-optimize /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 14, uid 1000, gid 100, force_nogroups 1
No supplementary groups
configuring 73 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp 
Dropping all capabilities
Drop privileges: pid 15, uid 1000, gid 100, force_nogroups 1
No supplementary groups
 line  OP JT JF    K
=================================
 0000: 20 00 00 00000004   ld  data.architecture
 0001: 15 01 00 c000003e   jeq ARCH_64 0003 (false 0002)
 0002: 06 00 00 7fff0000   ret ALLOW
 0003: 20 00 00 00000000   ld  data.syscall-number
 0004: 35 01 00 40000000   jge X32_ABI 0006 (false 0005)
 0005: 35 01 00 00000000   jge read 0007 (false 0006)
 0006: 06 00 00 00050001   ret ERRNO(1)
 0007: 15 00 01 0000012f   jeq name_to_handle_at 0008 (false 0009)
 0008: 06 00 00 7fff0000   ret ALLOW
 0009: 15 3e 00 0000009f   jeq adjtimex 0048 (false 000a)
 000a: 15 3d 00 00000131   jeq clock_adjtime 0048 (false 000b)
 000b: 15 3c 00 000000e3   jeq clock_settime 0048 (false 000c)
 000c: 15 3b 00 000000a4   jeq settimeofday 0048 (false 000d)
 000d: 15 3a 00 0000009a   jeq modify_ldt 0048 (false 000e)
 000e: 15 39 00 000000d4   jeq lookup_dcookie 0048 (false 000f)
 000f: 15 38 00 0000012a   jeq perf_event_open 0048 (false 0010)
 0010: 15 37 00 00000137   jeq process_vm_writev 0048 (false 0011)
 0011: 15 36 00 000000b0   jeq delete_module 0048 (false 0012)
 0012: 15 35 00 00000139   jeq finit_module 0048 (false 0013)
 0013: 15 34 00 000000af   jeq init_module 0048 (false 0014)
 0014: 15 33 00 000000a1   jeq chroot 0048 (false 0015)
 0015: 15 32 00 000000a5   jeq mount 0048 (false 0016)
 0016: 15 31 00 0000009b   jeq pivot_root 0048 (false 0017)
 0017: 15 30 00 000000a6   jeq umount2 0048 (false 0018)
 0018: 15 2f 00 0000009c   jeq _sysctl 0048 (false 0019)
 0019: 15 2e 00 000000b7   jeq afs_syscall 0048 (false 001a)
 001a: 15 2d 00 000000ae   jeq create_module 0048 (false 001b)
 001b: 15 2c 00 000000b1   jeq get_kernel_syms 0048 (false 001c)
 001c: 15 2b 00 000000b5   jeq getpmsg 0048 (false 001d)
 001d: 15 2a 00 000000b6   jeq putpmsg 0048 (false 001e)
 001e: 15 29 00 000000b2   jeq query_module 0048 (false 001f)
 001f: 15 28 00 000000b9   jeq security 0048 (false 0020)
 0020: 15 27 00 0000008b   jeq sysfs 0048 (false 0021)
 0021: 15 26 00 000000b8   jeq tuxcall 0048 (false 0022)
 0022: 15 25 00 00000086   jeq uselib 0048 (false 0023)
 0023: 15 24 00 00000088   jeq ustat 0048 (false 0024)
 0024: 15 23 00 000000ec   jeq vserver 0048 (false 0025)
 0025: 15 22 00 000000ad   jeq ioperm 0048 (false 0026)
 0026: 15 21 00 000000ac   jeq iopl 0048 (false 0027)
 0027: 15 20 00 000000f6   jeq kexec_load 0048 (false 0028)
 0028: 15 1f 00 00000140   jeq kexec_file_load 0048 (false 0029)
 0029: 15 1e 00 000000a9   jeq reboot 0048 (false 002a)
 002a: 15 1d 00 000000a7   jeq swapon 0048 (false 002b)
 002b: 15 1c 00 000000a8   jeq swapoff 0048 (false 002c)
 002c: 15 1b 00 00000130   jeq open_by_handle_at 0048 (false 002d)
 002d: 15 1a 00 0000012f   jeq name_to_handle_at 0048 (false 002e)
 002e: 15 19 00 000000fb   jeq ioprio_set 0048 (false 002f)
 002f: 15 18 00 00000067   jeq syslog 0048 (false 0030)
 0030: 15 17 00 0000012c   jeq fanotify_init 0048 (false 0031)
 0031: 15 16 00 000000f8   jeq add_key 0048 (false 0032)
 0032: 15 15 00 000000f9   jeq request_key 0048 (false 0033)
 0033: 15 14 00 000000ed   jeq mbind 0048 (false 0034)
 0034: 15 13 00 00000100   jeq migrate_pages 0048 (false 0035)
 0035: 15 12 00 00000117   jeq move_pages 0048 (false 0036)
 0036: 15 11 00 000000fa   jeq keyctl 0048 (false 0037)
 0037: 15 10 00 000000ce   jeq io_setup 0048 (false 0038)
 0038: 15 0f 00 000000cf   jeq io_destroy 0048 (false 0039)
 0039: 15 0e 00 000000d0   jeq io_getevents 0048 (false 003a)
 003a: 15 0d 00 000000d1   jeq io_submit 0048 (false 003b)
 003b: 15 0c 00 000000d2   jeq io_cancel 0048 (false 003c)
 003c: 15 0b 00 000000d8   jeq remap_file_pages 0048 (false 003d)
 003d: 15 0a 00 00000143   jeq userfaultfd 0048 (false 003e)
 003e: 15 09 00 000000a3   jeq acct 0048 (false 003f)
 003f: 15 08 00 00000141   jeq bpf 0048 (false 0040)
 0040: 15 07 00 000000b4   jeq nfsservctl 0048 (false 0041)
 0041: 15 06 00 000000ab   jeq setdomainname 0048 (false 0042)
 0042: 15 05 00 000000aa   jeq sethostname 0048 (false 0043)
 0043: 15 04 00 00000099   jeq vhangup 0048 (false 0044)
 0044: 15 03 00 00000065   jeq ptrace 0048 (false 0045)
 0045: 15 02 00 00000087   jeq personality 0048 (false 0046)
 0046: 15 01 00 00000136   jeq process_vm_readv 0048 (false 0047)
 0047: 06 00 00 7fff0000   ret ALLOW
 0048: 06 00 00 00050001   ret ERRNO(1)
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
1759 1218 0:79 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=1759 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             300 ..
-rw-r--r-- 1000     100              584 seccomp
-rw-r--r-- 1000     100              120 seccomp.block_secondary
-rw-r--r-- 1000     100              127 seccomp.list
-rw-r--r-- 1000     100                0 seccomp.postexec
-rw-r--r-- 1000     100                0 seccomp.postexec32
-rw-r--r-- 1000     100              128 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.block_secondary
/run/firejail/mnt/seccomp/seccomp
Create the new ld.so.preload file
Blacklist violations are logged to syslog
Mount the new ld.so.preload file
Dropping all capabilities
nogroups command not ignored
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, force_nogroups 0
Warning: logind not detected, nogroups command ignored
Warning: cleaning all supplementary groups
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
execvp argument 0: keepassxc
Child process initialized in 235.61 ms
Searching $PATH for keepassxc
trying #/home/seonwoo/bin/keepassxc#
trying #/usr/local/sbin/keepassxc#
trying #/usr/local/bin/keepassxc#
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.block_secondary seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 16


(keepassxc:16): dbind-WARNING **: 05:22:16.201: AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
Qt: Session management error: Could not open network socket
YubiKey: Failed to initialize USB interface.

@rusty-snake
Copy link
Collaborator

corresponding PR #4915 to add back nou2f

This is about keepassx (no c) not keepassxc.

@rusty-snake
Copy link
Collaborator

No idea but can use test

  • ignore noinput
  • ignore include whitelist-run-common.inc
  • protocol netlink

@seonwoolee
Copy link
Author

seonwoolee commented Feb 11, 2022

corresponding PR #4915 to add back nou2f

This is about keepassx (no c) not keepassxc.

Oops. My bad.

No idea but can use test
* ignore noinput
* ignore include whitelist-run-common.inc
* protocol netlink

Well that's interesting. There's no YubiKey: Failed to initialize USB interface error in the terminal output, but it still fails to find my Yubikey.

@rusty-snake
Copy link
Collaborator

Well that's interesting. There's no YubiKey: Failed to initialize USB interface error in the terminal output, but it still fails to find my Yubikey.

With all of them? Or just one?

@seonwoolee
Copy link
Author

That was for all of them.

I just tested all possible combinations of the three options (so 3x just one of them and 3x two of them). All combinations fail. The protocol netlink is responsible for making the Yubikey: Failed to initialize USB interface message go away, but it still can't find my Yubikey

@rusty-snake
Copy link
Collaborator

Then you will need to comment the profile and uncomment it line for line to find the problematic command.

@seonwoolee
Copy link
Author

So the minimal number of changes I needed to make this work was to eliminate private-dev and use protocol netlink,unix. So I have added ignore private-dev and protocol netlink,unix to my keepassxc.local

Should I open a pull request to modify the current comment about private-dev, which is

# Note: private-dev prevents the program from seeing new devices (such as
# hardware keys) on /dev after it has already started; add "ignore nou2f" to
# keepassxc.local if this is an issue (see #4883).

@rusty-snake
Copy link
Collaborator

Are you really sure private-dev break the detection of you yubikeys other then descripted?

@seonwoolee
Copy link
Author

seonwoolee commented Feb 13, 2022

Yeah that was puzzling to me based on the current description of how private-dev is supposed to work, but I tested it multiple times and ignore private-dev is absolutely necessary for Yubikey detection and usage to work. It didn't matter if I had the Yubikey already plugged in before starting KeePassXC under firejail or if I plugged it after

@kmk3
Copy link
Collaborator

kmk3 commented Feb 13, 2022

@seonwoolee commented on Feb 13:

Yeah that was puzzling to me based on the current description of how
private-dev is supposed to work, but I tested it multiple times and ignore private-dev is absolutely necessary for Yubikey detection and usage to work.
It didn't matter if I had the Yubikey already plugged in before starting
KeePassXC under firejail or if I plugged it after

What does the yubikey show up as in /dev?

That is, what is the output of ls -l /dev/<yubikey>?

If it shows up as /dev/hidrawN with N > 9, this could be caused by #2723.

@seonwoolee
Copy link
Author

seonwoolee commented Feb 13, 2022

By doing a ls /dev with and without the Yubikey plugged in, I determined the Yubikey adds /dev/hidraw1 and /dev/hidraw2. I then commented out ignore private-dev in my keepassxc.local and ran firejail --ignore=private-bin --profile=keepassxc ls -alh /dev, and /dev/hidraw1 and /dev/hidraw2 are definitely listed. So I don't understand why the heck KeePassXC can't find my Yubikey

@kmk3
Copy link
Collaborator

kmk3 commented Feb 13, 2022

@seonwoolee commented on Feb 13:

Some follow up:

By doing a ls /dev with and without the Yubikey plugged in, I determined
the Yubikey adds /dev/hidraw1 and /dev/hidraw2.

What are their permissions and the user:group owners outside/inside the
sandbox?

I then commented out ignore private-dev in my keepassxc.local and ran
firejail --ignore=private-bin --profile=keepassxc ls -alh /dev, and
/dev/hidraw1 and /dev/hidraw2 are definitely listed. So I don't
understand why the heck KeePassXC can't find my Yubikey

@seonwoolee
Copy link
Author

Outside the sandbox

crw-rw----+ 1 root root 240, 1 Feb 12 22:21 /dev/hidraw1
crw-rw----+ 1 root root 240, 2 Feb 12 22:12 /dev/hidraw2

Inside the sandbox, run as normal user

crw-rw----+  1 65534 65534 240, 1 Feb 13 03:21 hidraw1
crw-rw----+  1 65534 65534 240, 2 Feb 13 03:12 hidraw2

I tried sudo firejail --ignore=private-bin --profile=keepassxc ls -alh /dev and I get

crw-rw----+  1    0 0 240, 1 Feb 13 03:21 hidraw1
crw-rw----+  1    0 0 240, 2 Feb 13 03:12 hidraw2

Just for fun I tried sudo firejail keepassxc but I get

qt.qpa.xcb: could not connect to display :0.0
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.

@seonwoolee
Copy link
Author

@kmk3 any thoughts?

@kmk3
Copy link
Collaborator

kmk3 commented Feb 18, 2022

@seonwoolee commented on Feb 13:

Outside the sandbox

crw-rw----+ 1 root root 240, 1 Feb 12 22:21 /dev/hidraw1
crw-rw----+ 1 root root 240, 2 Feb 12 22:12 /dev/hidraw2

Inside the sandbox, run as normal user

crw-rw----+  1 65534 65534 240, 1 Feb 13 03:21 hidraw1
crw-rw----+  1 65534 65534 240, 2 Feb 13 03:12 hidraw2

65534:65534 is probably because of noroot (root -> nobody) + private-etc
(numeric output).

To clarify the ACLs now, based on a similar previous attempt from this comment:

What is the output of running the code below?

getfacl /dev/hidraw1 /dev/hidraw2
udevadm info /dev/hidraw1 | grep SUBSYSTEM
echo
udevadm info /dev/hidraw2 | grep SUBSYSTEM
udevadm test "$(udevadm info --query=path --name=/dev/hidraw1)" 2>&1 |
  grep -e GROUP -e MODE

udevadm test "$(udevadm info --query=path --name=/dev/hidraw2)" 2>&1 |
  grep -e GROUP -e MODE

checkudevgroups() {
    gids="$(udevadm test "$(udevadm info --query=path --name="$1")" 2>&1 |
    grep GROUP | rev | cut -f 1 -d ' ' | rev | tr '\n' ' ')"
    printf 'udev gids for %s: %s\n' "$1" "$gids"
    printf 'udev groups for %s: ' "$1"
    printf '%s\n' "$gids" | while read -r gid
    do
        getent group "$gid" | cut -f 1 -d :
    done | tr '\n' ' '
    echo
    test -z "$gids" && return 1
}

checkudevgroups /dev/hidraw1
checkudevgroups /dev/hidraw2

I tried sudo firejail --ignore=private-bin --profile=keepassxc ls -alh /dev
and I get

crw-rw----+  1    0 0 240, 1 Feb 13 03:21 hidraw1
crw-rw----+  1    0 0 240, 2 Feb 13 03:12 hidraw2

0:0 is probably because noroot does not apply when running as root. Also,
private-bin should only affect /bin, /usr/bin, etc.

Just for fun I tried sudo firejail keepassxc but I get

qt.qpa.xcb: could not connect to display :0.0
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.

@seonwoolee
Copy link
Author

seonwoolee commented Feb 19, 2022

@kmk3

What is the output of running the code below?

I had to change the hid IDs because they changed across the reboot, but here's what I get

getfacl: Removing leading '/' from absolute path names
# file: dev/hidraw6
# owner: root
# group: root
user::rw-
user:seonwoo:rw-
group::---
mask::rw-
other::---

# file: dev/hidraw7
# owner: root
# group: root
user::rw-
user:seonwoo:rw-
group::---
mask::rw-
other::---

E: SUBSYSTEM=hidraw

E: SUBSYSTEM=hidraw
udev gids for /dev/hidraw6: 
udev groups for /dev/hidraw6: 
udev gids for /dev/hidraw7: 
udev groups for /dev/hidraw7: 

You checkudevgroups function doesn't work as intended. There is no line with "GROUP" in the output of udevadm test "$(udevadm info --query=path --name="$1")".

Here's the output of that command, as root

This program is for debugging only, it does not run any program
specified by a RUN key. It may show incorrect results, because
some values may be different, or not available at a simulation run.

Trying to open "/etc/systemd/hwdb/hwdb.bin"...
Trying to open "/etc/udev/hwdb.bin"...
=== trie on-disk ===
tool version:          250
file size:        11786480 bytes
header size             80 bytes
strings            2410280 bytes
nodes              9376120 bytes
Load module index
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Found container virtualization none.
Loaded timestamp for '/etc/systemd/network'.
Loaded timestamp for '/usr/lib/systemd/network'.
Parsed configuration file /usr/lib/systemd/network/99-default.link
Created link configuration context.
Loaded timestamp for '/etc/udev/rules.d'.
Loaded timestamp for '/usr/lib/udev/rules.d'.
Reading rules file: /usr/lib/udev/rules.d/01-md-raid-creating.rules
Reading rules file: /usr/lib/udev/rules.d/10-dm.rules
Reading rules file: /usr/lib/udev/rules.d/11-dm-lvm.rules
Reading rules file: /usr/lib/udev/rules.d/13-dm-disk.rules
Reading rules file: /usr/lib/udev/rules.d/40-gphoto.rules
Reading rules file: /usr/lib/udev/rules.d/40-usb_modeswitch.rules
Reading rules file: /usr/lib/udev/rules.d/50-udev-default.rules
Reading rules file: /usr/lib/udev/rules.d/51-android.rules
Reading rules file: /usr/lib/udev/rules.d/60-autosuspend.rules
Reading rules file: /usr/lib/udev/rules.d/60-block.rules
Reading rules file: /usr/lib/udev/rules.d/60-cdrom_id.rules
Reading rules file: /usr/lib/udev/rules.d/60-drm.rules
Reading rules file: /usr/lib/udev/rules.d/60-evdev.rules
Reading rules file: /usr/lib/udev/rules.d/60-fido-id.rules
Reading rules file: /usr/lib/udev/rules.d/60-input-id.rules
Reading rules file: /usr/lib/udev/rules.d/60-nvidia-470xx.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-alsa.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-input.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-storage-tape.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-storage.rules
Reading rules file: /usr/lib/udev/rules.d/60-persistent-v4l.rules
Reading rules file: /usr/lib/udev/rules.d/60-rfkill.rules
Reading rules file: /etc/udev/rules.d/60-schedulers.rules
Reading rules file: /usr/lib/udev/rules.d/60-sensor.rules
Reading rules file: /usr/lib/udev/rules.d/60-serial.rules
Reading rules file: /usr/lib/udev/rules.d/60-vboxdrv.rules
Reading rules file: /usr/lib/udev/rules.d/60-zvol.rules
Reading rules file: /usr/lib/udev/rules.d/63-md-raid-arrays.rules
Reading rules file: /usr/lib/udev/rules.d/64-btrfs-dm.rules
Reading rules file: /usr/lib/udev/rules.d/64-btrfs-zoned.rules
Reading rules file: /usr/lib/udev/rules.d/64-btrfs.rules
Reading rules file: /usr/lib/udev/rules.d/64-md-raid-assembly.rules
Reading rules file: /usr/lib/udev/rules.d/65-libwacom.rules
Reading rules file: /usr/lib/udev/rules.d/65-sane.rules
Reading rules file: /usr/lib/udev/rules.d/66-saned.rules
Reading rules file: /usr/lib/udev/rules.d/69-cd-sensors.rules
Reading rules file: /usr/lib/udev/rules.d/69-dm-lvm.rules
Reading rules file: /usr/lib/udev/rules.d/69-libmtp.rules
Reading rules file: /usr/lib/udev/rules.d/69-md-clustered-confirm-device.rules
Reading rules file: /usr/lib/udev/rules.d/69-vdev.rules
Reading rules file: /usr/lib/udev/rules.d/69-yubikey.rules
Reading rules file: /usr/lib/udev/rules.d/70-camera.rules
Reading rules file: /usr/lib/udev/rules.d/70-infrared.rules
Reading rules file: /usr/lib/udev/rules.d/70-joystick.rules
Reading rules file: /usr/lib/udev/rules.d/70-memory.rules
Reading rules file: /usr/lib/udev/rules.d/70-mouse.rules
Reading rules file: /usr/lib/udev/rules.d/70-power-switch.rules
Reading rules file: /usr/lib/udev/rules.d/70-steam-input.rules
Reading rules file: /usr/lib/udev/rules.d/70-steam-vr.rules
Reading rules file: /usr/lib/udev/rules.d/70-touchpad.rules
Reading rules file: /usr/lib/udev/rules.d/70-uaccess.rules
Reading rules file: /usr/lib/udev/rules.d/71-seat.rules
Reading rules file: /usr/lib/udev/rules.d/71-xpra-virtual-pointer.rules
Reading rules file: /usr/lib/udev/rules.d/73-seat-late.rules
Reading rules file: /usr/lib/udev/rules.d/75-net-description.rules
Reading rules file: /usr/lib/udev/rules.d/75-probe_mtd.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-broadmobi-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-cinterion-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-dell-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-dlink-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-ericsson-mbm.rules
Configuration file /usr/lib/udev/rules.d/77-mm-fibocom-port-types.rules is marked executable. Please remove executable permission bits. Proceeding anyway.
Reading rules file: /usr/lib/udev/rules.d/77-mm-fibocom-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-foxconn-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-gosuncn-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-haier-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-huawei-net-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-longcheer-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-mtk-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-nokia-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-quectel-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-sierra.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-simtech-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-telit-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-tplink-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-ublox-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-x22x-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/77-mm-zte-port-types.rules
Reading rules file: /usr/lib/udev/rules.d/78-sound-card.rules
Reading rules file: /usr/lib/udev/rules.d/80-drivers.rules
Reading rules file: /usr/lib/udev/rules.d/80-libinput-device-groups.rules
Reading rules file: /usr/lib/udev/rules.d/80-mm-candidate.rules
Reading rules file: /usr/lib/udev/rules.d/80-net-setup-link.rules
Reading rules file: /usr/lib/udev/rules.d/80-udisks2.rules
Reading rules file: /usr/lib/udev/rules.d/81-net-dhcp.rules
Reading rules file: /usr/lib/udev/rules.d/85-regulatory.rules
Reading rules file: /usr/lib/udev/rules.d/90-alsa-restore.rules
Reading rules file: /usr/lib/udev/rules.d/90-daxctl-device.rules
Reading rules file: /usr/lib/udev/rules.d/90-libinput-fuzz-override.rules
Reading rules file: /usr/lib/udev/rules.d/90-pipewire-alsa.rules
Reading rules file: /usr/lib/udev/rules.d/90-udisks2-zram.rules
Reading rules file: /usr/lib/udev/rules.d/90-vconsole.rules
Reading rules file: /usr/lib/udev/rules.d/90-zfs.rules
Reading rules file: /usr/lib/udev/rules.d/92_pcscd_ccid.rules
Reading rules file: /usr/lib/udev/rules.d/95-cd-devices.rules
Reading rules file: /usr/lib/udev/rules.d/95-dm-notify.rules
Reading rules file: /usr/lib/udev/rules.d/96-e2scrub.rules
Reading rules file: /usr/lib/udev/rules.d/97-hid2hci.rules
Reading rules file: /usr/lib/udev/rules.d/99-fuse.rules
Reading rules file: /usr/lib/udev/rules.d/99-fuse3.rules
Reading rules file: /usr/lib/udev/rules.d/99-systemd.rules
Reading rules file: /etc/udev/rules.d/99-zram.rules
hidraw6: /usr/lib/udev/rules.d/60-fido-id.rules:5 Importing properties from results of 'fido_id'
hidraw6: Starting 'fido_id'
Successfully forked off '(spawn)' as PID 3001480.
hidraw6: 'fido_id'(err) 'Failed to get current device from environment: Invalid argument'
hidraw6: Process 'fido_id' failed with exit code 1.
hidraw6: /usr/lib/udev/rules.d/60-fido-id.rules:5 Command "fido_id" returned 1 (error), ignoring
hidraw6: /usr/lib/udev/rules.d/71-seat.rules:74 Importing properties from results of builtin command 'path_id'
hidraw6: /usr/lib/udev/rules.d/73-seat-late.rules:16 RUN 'uaccess'
hidraw6: Preserve permissions of /dev/hidraw6, uid=0, gid=0, mode=0660
hidraw6: Handling device node '/dev/hidraw6', devnum=c240:6
hidraw6: sd-device: Created db file '/run/udev/data/c240:6' for '/devices/pci0000:00/0000:00:14.0/usb3/3-13/3-13.3/3-13.3:1.0/0003:1050:0407.0050/hidraw/hidraw6'
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb3/3-13/3-13.3/3-13.3:1.0/0003:1050:0407.0050/hidraw/hidraw6
DEVNAME=/dev/hidraw6
MAJOR=240
MINOR=6
ACTION=add
SUBSYSTEM=hidraw
TAGS=:uaccess:seat:
ID_SECURITY_TOKEN=1
CURRENT_TAGS=:seat:uaccess:
ID_PATH=pci-0000:00:14.0-usb-0:13.3:1.0
ID_PATH_TAG=pci-0000_00_14_0-usb-0_13_3_1_0
ID_FOR_SEAT=hidraw-pci-0000_00_14_0-usb-0_13_3_1_0
USEC_INITIALIZED=278903252053
run: 'uaccess'
Unload module index
Unloaded link configuration context.

@DatAres37
Copy link

I can confirm it works with ignore nou2f, ignore private-dev, protocol netlink,unix, but it doesn't work if you pull the key while KeepassXC is open and plug it back in unfortunately.

@andreystepanov
Copy link

I can confirm it works with ignore nou2f, ignore private-dev, protocol netlink,unix, but it doesn't work if you pull the key while KeepassXC is open and plug it back in unfortunately.

I'm having the same issue

@haplo
Copy link
Contributor

haplo commented Jan 16, 2024

I was having the same issue (but with an Onlykey) and it worked with ignore private-dev plus protocol netlink.

@sashee
Copy link

sashee commented Mar 30, 2024

If I start keepassxc with this command then Yubikey works and it also detects when it is inserted/removed:

firejail --ignore="private-dev" --protocol=unix,netlink --ignore="net" keepassxc

@kmk3 kmk3 changed the title KeePassXC can no longer access Yubikeys keepassxc: can no longer access Yubikeys Aug 24, 2024
@kmk3 kmk3 changed the title keepassxc: can no longer access Yubikeys keepassxc: cannot access Yubikeys Sep 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants