NetSysFire edited this page Aug 24, 2020 · 2 revisions

General troubleshooting

If you encounter an error, check the known issues section first. It is also recommended to search the issue tracker.

Always check firejail's output. If there is no output, run firejail with --ignore=quiet. If needed, there are several debug flags, like --debug, that increase the verbosity of firejail. See firejail --help for more details.

More verbosity always helps, especially when reporting bugs. Also increase the verbosity of the application you are trying to run; it may report that it cannot access specific files or directories.

Segmentation faults

Check your system logs. If the profile uses seccomp, blocked syscalls may be logged there by audit.

You can always try to use the lax default profile (--profile=default).
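
To find the blocked syscalls in those logs, the following added example (not part of the original wiki page or of firejail) filters audit seccomp records and counts them per program and syscall number. The function names and the sample log lines are constructed for illustration; the field layout assumed is the usual audit SECCOMP record (type=SECCOMP in audit.log, type=1326 in the kernel log).

```shell
#!/bin/sh
# Added example: summarise seccomp denials found in audit records.
# Reads log lines on stdin, prints "<count> <comm> syscall=<nr> arch=<arch>".
# Typical input: journalctl -k, dmesg, or /var/log/audit/audit.log.
seccomp_denials() {
    awk '
        # audit.log writes type=SECCOMP, the kernel log writes type=1326
        /type=SECCOMP|type=1326/ {
            comm = sys = arch = "?"
            # comm is quoted unless audit hex-encoded it; keep the raw value then
            if (match($0, / comm="[^"]*"/))
                comm = substr($0, RSTART + 7, RLENGTH - 8)
            else if (match($0, / comm=[^ ]+/))
                comm = substr($0, RSTART + 6, RLENGTH - 6)
            if (match($0, / syscall=[0-9]+/))
                sys = substr($0, RSTART + 9, RLENGTH - 9)
            if (match($0, / arch=[0-9a-f]+/))
                arch = substr($0, RSTART + 6, RLENGTH - 6)
            seen[comm " syscall=" sys " arch=" arch]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample records (not taken from a real system).
sample_log() {
    cat <<'EOF'
type=SECCOMP msg=audit(1598270000.101:201): auid=1000 uid=1000 gid=1000 ses=2 pid=4101 comm="vlc" exe="/usr/bin/vlc" sig=31 arch=c000003e syscall=161 compat=0 ip=0x7f0000001000 code=0x0
type=SECCOMP msg=audit(1598270001.102:202): auid=1000 uid=1000 gid=1000 ses=2 pid=4107 comm="vlc" exe="/usr/bin/vlc" sig=31 arch=c000003e syscall=161 compat=0 ip=0x7f0000001000 code=0x0
Aug 24 12:00:02 host kernel: audit: type=1326 audit(1598270002.103:203): auid=1000 uid=1000 gid=1000 ses=2 pid=4200 comm="mpv" exe="/usr/bin/mpv" sig=31 arch=c000003e syscall=165 compat=0 ip=0x7f0000002000 code=0x0
type=USER_LOGIN msg=audit(1598270003.104:204): pid=4300 uid=0 auid=1000 ses=3 msg='op=login acct="user" exe="/usr/bin/login" res=success'
EOF
}

# Stand-alone run on the sample; replace sample_log with your real log source.
sample_log | seccomp_denials
```

The syscall value is a number for the architecture given in arch; firejail --debug-syscalls prints the syscall table firejail was built with, which can be used to look up the name.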

Advanced troubleshooting

Firejail can be a little more difficult to debug because it is a setuid binary.

GDB

The issue with trying to debug a setuid binary with gdb is that it's non-trivial to get the running user correct. We can't run gdb as a normal user to debug a setuid binary because that would be a gaping security hole (non-root code would be able to modify the execution of root code). However, if we run gdb as root, then the program being traced (firejail) will not run as the unprivileged user, which is also not what we want.

This script will do what we want. It first forks a background process as the current user, which immediately sends itself a STOP signal. Then gdb, running as root, attaches to that process and sends it the CONT signal to continue execution. The backgrounded process then execs the program with the given arguments. This allows the root gdb to trace the unprivileged firejail process from the absolute beginning. A version of this script is now in contrib/gdb-firejail.sh.

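#!/bin/bash
# $1 is the firejail binary to debug; the remaining arguments are passed to it.
FIREJAIL=$1

# Background child (current user): stop itself, then exec firejail once resumed.
bash -c "kill -STOP \$\$; exec \"\$0\" \"\$@\"" "$@" &
# Root gdb attaches to the stopped child ($!) with firejail as the executable.
sudo gdb -e "$FIREJAIL" -p "$!"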

Strace

Strace has a similar problem to gdb. However, the developers were nice in that they allow a username to be specified, specifically for tracing setuid binaries.

sudo strace -u $USER <strace opts> firejail <firejail options>