End-of-options not honored when running under existing sandbox.

[rusty-snake]

Description

The end-of-options operator is not honored when running under existing sandbox.

Steps to Reproduce

Run firejail --quiet -- anything_here_should_not_change_firejails_behaviour under conditions that are detected as "existing sandbox".

$ firejail --quiet --noprofile env -u FIREJAIL_QUIET firejail --quiet -- echo "Hello firejail"
Hello firejail
$ firejail --quiet --noprofile env -u FIREJAIL_QUIET firejail --quiet -- --debug echo "Hello firejail"
Building quoted command line: 'echo' 'Hello firejail' 
Starting application
LD_PRELOAD=(null)
Detected Landlock ABI version 3
execvp argument 0: echo
execvp argument 1: Hello firejail
Searching $PATH for echo
trying #/usr/local/bin/echo#
trying #/usr/local/sbin/echo#
trying #/usr/bin/echo#
Hello firejail

Expected behavior

1. --debug is not interpreted by firejail.
2. Using -- causes program to be started in a shell.

Actual behavior

1. --debug is interpreted by firejail.
2. Using -- does not cause program to be started in a shell.

Behavior without a profile

N/A

Additional context

N/A

Environment

• Fedora 39
• Firejail 0.9.73
• n/a

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

n/a

Output of LC_ALL=C firejail --debug /path/to/program

n/a