Error: failed to run /run/firejail/lib/fcopy #3741

Closed
reinerh opened this issue Nov 11, 2020 · 21 comments · Fixed by #3746 or #4004

Labels
bug Something isn't working

@reinerh
Collaborator

reinerh commented Nov 11, 2020

A user reported issues with starting transmission-cli with firejail, and I'm able to reproduce it.

$ firejail transmission-cli 
/run/firejail/lib/fcopy: error while loading shared libraries: libpcre2-8.so.0: cannot open shared object file: No such file or directory
Error: failed to run /run/firejail/lib/fcopy
Error: proc 29091 cannot sync with peer: unexpected EOF
Peer 29092 unexpectedly exited with status 1

$ firejail --profile=transmission-cli /bin/bash
/run/firejail/lib/fcopy: error while loading shared libraries: libpcre2-8.so.0: cannot open shared object file: No such file or directory
Error: failed to run /run/firejail/lib/fcopy
Error: proc 29376 cannot sync with peer: unexpected EOF
Peer 29377 unexpectedly exited with status 1

I also see the same error a couple of times with different profiles when running the test-profiles part of the test suite.

reinerh added the bug label Nov 11, 2020
@reinerh
Collaborator Author

reinerh commented Nov 11, 2020

Seems to be related to a combination of private-bin and private-etc.
When commenting out either of them, the process is starting.

@reinerh
Collaborator Author

reinerh commented Nov 11, 2020

Commenting out private-lib in transmission-common.profile also helps.

reinerh added this to the 0.9.65 milestone Nov 11, 2020
@bbhtt
Contributor

bbhtt commented Nov 12, 2020

Yeah, I observed the same on Sid. I suggest commenting out private-lib in transmission-common.profile since it works fine on Arch without any modification.

@reinerh
Collaborator Author

reinerh commented Nov 12, 2020

That would work around it for transmission only. But the same issue happens for other profiles as well.

@rusty-snake
Collaborator

I've private-lib libpcre2-8.so.0 in less.local and whois.local. Actually we should always add it to private-lib via its implementation.

@reinerh
Collaborator Author

reinerh commented Nov 12, 2020

libpcre2-8.so.0 seems to come via the linking to libselinux.so.1.
Maybe libpcre2-8.so. needs to be added to src/firejail/fs_lib2.c?

@bbhtt
Contributor

bbhtt commented Nov 12, 2020 via email

@reinerh
Collaborator Author

reinerh commented Jan 29, 2021

@smitsohu This issue seems to be back.
I upgraded to 0.9.64.2 and now have this problem again:

$ firejail transmission-cli 
/run/firejail/lib/fcopy: error while loading shared libraries: libpcre2-8.so.0: cannot open shared object file: No such file or directory
Error: failed to run /run/firejail/lib/fcopy
Error: proc 6495 cannot sync with peer: unexpected EOF
Peer 6496 unexpectedly exited with status 1

Could it be related to the change in 1e3891e?
It looks like you replaced fslib_install_list(PATH_FCOPY); with fslib_install_list(PATH_FIREJAIL);, so the libs needed by fcopy are no longer copied.

reinerh reopened this Jan 29, 2021
@smitsohu
Collaborator

Mmmh, at the moment I have problems reproducing the issue on Bullseye.

fslib_install_list(PATH_FIREJAIL) doesn't work as a replacement, because private-bin regularly removes firejail from the sandbox.

Instead I went with your other idea:

> maybe libpcre2-8.so. needs to be added to src/firejail/fs_lib2.c

{ "libpcre2-8.so.", 0 },

@reinerh
Collaborator Author

reinerh commented Jan 30, 2021

Here is a debug log:

Autoselecting /bin/bash as shell
Building quoted command line: 'transmission-cli' 
Command name #transmission-cli#
Found transmission-cli.profile profile in /etc/firejail directory
Found transmission-common.profile profile in /etc/firejail directory
Found disable-common.inc profile in /etc/firejail directory
Found disable-devel.inc profile in /etc/firejail directory
Found disable-exec.inc profile in /etc/firejail directory
Found disable-interpreters.inc profile in /etc/firejail directory
Found disable-passwdmgr.inc profile in /etc/firejail directory
Found disable-programs.inc profile in /etc/firejail directory
Found whitelist-common.inc profile in /etc/firejail directory
Found whitelist-usr-share-common.inc profile in /etc/firejail directory
Found whitelist-var-common.inc profile in /etc/firejail directory
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol 
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
73 48 254:0 /etc /etc ro,relatime - ext4 /dev/mapper/sda3_crypt rw,discard,errors=remount-ro
mountid=73 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
74 73 254:0 /etc /etc ro,nosuid,nodev,noexec,relatime - ext4 /dev/mapper/sda3_crypt rw,discard,errors=remount-ro
mountid=74 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
81 75 254:0 /var/cache/pbuilder/ccache /var/cache/pbuilder/build/8538/var/cache/pbuilder/ccache rw,relatime - ext4 /dev/mapper/sda3_crypt rw,discard,errors=remount-ro
mountid=81 fsname=/var/cache/pbuilder/ccache dir=/var/cache/pbuilder/build/8538/var/cache/pbuilder/ccache fstype=ext4
Mounting read-only /var/cache/pbuilder/build/8538/proc
82 76 0:32 / /var/cache/pbuilder/build/8538/proc ro,relatime - proc /proc rw
mountid=82 fsname=/ dir=/var/cache/pbuilder/build/8538/proc fstype=proc
Mounting read-only /var/cache/pbuilder/build/8538/sys
83 77 0:20 / /var/cache/pbuilder/build/8538/sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
mountid=83 fsname=/ dir=/var/cache/pbuilder/build/8538/sys fstype=sysfs
Mounting read-only /var/cache/pbuilder/build/8538/dev/shm
84 78 0:33 / /var/cache/pbuilder/build/8538/dev/shm ro,relatime - tmpfs tmpfs rw
mountid=84 fsname=/ dir=/var/cache/pbuilder/build/8538/dev/shm fstype=tmpfs
Mounting read-only /var/cache/pbuilder/build/8538/dev/pts
85 79 0:34 / /var/cache/pbuilder/build/8538/dev/pts ro,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=600,ptmxmode=666
mountid=85 fsname=/ dir=/var/cache/pbuilder/build/8538/dev/pts fstype=devpts
Mounting read-only /var/cache/pbuilder/build/8538/dev/ptmx
86 80 0:34 /ptmx /var/cache/pbuilder/build/8538/dev/ptmx ro,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=600,ptmxmode=666
mountid=86 fsname=/ptmx dir=/var/cache/pbuilder/build/8538/dev/ptmx fstype=devpts
Mounting read-only /var/cache/pbuilder/build/8538/var/cache/pbuilder/ccache
87 81 254:0 /var/cache/pbuilder/ccache /var/cache/pbuilder/build/8538/var/cache/pbuilder/ccache ro,relatime - ext4 /dev/mapper/sda3_crypt rw,discard,errors=remount-ro
mountid=87 fsname=/var/cache/pbuilder/ccache dir=/var/cache/pbuilder/build/8538/var/cache/pbuilder/ccache fstype=ext4
Mounting noexec /var
100 99 254:0 /var/cache/pbuilder/ccache /var/cache/pbuilder/build/8538/var/cache/pbuilder/ccache ro,relatime - ext4 /dev/mapper/sda3_crypt rw,discard,errors=remount-ro
mountid=100 fsname=/var/cache/pbuilder/ccache dir=/var/cache/pbuilder/build/8538/var/cache/pbuilder/ccache fstype=ext4
Mounting noexec /var/cache/pbuilder/build/8538/proc
101 90 0:32 / /var/cache/pbuilder/build/8538/proc ro,nosuid,nodev,noexec,relatime - proc /proc rw
mountid=101 fsname=/ dir=/var/cache/pbuilder/build/8538/proc fstype=proc
Mounting noexec /var/cache/pbuilder/build/8538/dev/shm
102 94 0:33 / /var/cache/pbuilder/build/8538/dev/shm ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw
mountid=102 fsname=/ dir=/var/cache/pbuilder/build/8538/dev/shm fstype=tmpfs
Mounting noexec /var/cache/pbuilder/build/8538/dev/pts
103 96 0:34 / /var/cache/pbuilder/build/8538/dev/pts ro,nosuid,nodev,noexec,relatime - devpts devpts rw,gid=5,mode=600,ptmxmode=666
mountid=103 fsname=/ dir=/var/cache/pbuilder/build/8538/dev/pts fstype=devpts
Mounting noexec /var/cache/pbuilder/build/8538/dev/ptmx
104 98 0:34 /ptmx /var/cache/pbuilder/build/8538/dev/ptmx ro,nosuid,nodev,noexec,relatime - devpts devpts rw,gid=5,mode=600,ptmxmode=666
mountid=104 fsname=/ptmx dir=/var/cache/pbuilder/build/8538/dev/ptmx fstype=devpts
Mounting noexec /var/cache/pbuilder/build/8538/var/cache/pbuilder/ccache
105 100 254:0 /var/cache/pbuilder/ccache /var/cache/pbuilder/build/8538/var/cache/pbuilder/ccache ro,nosuid,nodev,noexec,relatime - ext4 /dev/mapper/sda3_crypt rw,discard,errors=remount-ro
mountid=105 fsname=/var/cache/pbuilder/ccache dir=/var/cache/pbuilder/build/8538/var/cache/pbuilder/ccache fstype=ext4
Mounting read-only /usr
106 48 254:0 /usr /usr ro,relatime - ext4 /dev/mapper/sda3_crypt rw,discard,errors=remount-ro
mountid=106 fsname=/usr dir=/usr fstype=ext4
Mounting read-only /bin
107 48 254:0 /bin /bin ro,relatime - ext4 /dev/mapper/sda3_crypt rw,discard,errors=remount-ro
mountid=107 fsname=/bin dir=/bin fstype=ext4
Mounting read-only /sbin
108 48 254:0 /sbin /sbin ro,relatime - ext4 /dev/mapper/sda3_crypt rw,discard,errors=remount-ro
mountid=108 fsname=/sbin dir=/sbin fstype=ext4
Mounting read-only /lib
109 48 254:0 /lib /lib ro,relatime - ext4 /dev/mapper/sda3_crypt rw,discard,errors=remount-ro
mountid=109 fsname=/lib dir=/lib fstype=ext4
Mounting read-only /lib64
110 48 254:0 /lib64 /lib64 ro,relatime - ext4 /dev/mapper/sda3_crypt rw,discard,errors=remount-ro
mountid=110 fsname=/lib64 dir=/lib64 fstype=ext4
Mounting read-only /lib32
111 48 254:0 /lib32 /lib32 ro,relatime - ext4 /dev/mapper/sda3_crypt rw,discard,errors=remount-ro
mountid=111 fsname=/lib32 dir=/lib32 fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Generating a new machine-id
installing a new /etc/machine-id
Cleaning /home directory
Cleaning /run/user directory
Cannot find /run/user/1000 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
Mounting tmpfs on /dev
mounting /run/firejail/mnt/dev/dri directory
Process /dev/shm directory
Copying files in the new bin directory
Checking /usr/local/bin/transmission-cli
Checking /usr/bin/transmission-cli
sbox run: /run/firejail/lib/fcopy /usr/bin/transmission-cli /run/firejail/mnt/bin 
Mount-bind /run/firejail/mnt/bin on top of /usr/local/bin
Mount-bind /run/firejail/mnt/bin on top of /usr/bin
Mount-bind /run/firejail/mnt/bin on top of /bin
Mount-bind /run/firejail/mnt/bin on top of /usr/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/games
Mount-bind /run/firejail/mnt/bin on top of /usr/local/sbin
Mount-bind /run/firejail/mnt/bin on top of /usr/sbin
Mount-bind /run/firejail/mnt/bin on top of /sbin
Starting private-lib processing: program transmission-cli, shell none
Installing standard C library
    copying /lib/x86_64-linux-gnu/libnss_nisplus.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_nisplus.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libselinux.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libselinux.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libnss_nis.so.2.0.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_nis.so.2.0.0 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libnss_dns.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_dns.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libc.so.6 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libc.so.6 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libnss_hesiod.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_hesiod.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libmvec.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libmvec.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libdl.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libdl.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/librt.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/librt.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libthread_db.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libthread_db.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libmemusage.so to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libmemusage.so /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libnss_nis.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_nis.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libnss_compat.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_compat.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libutil.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libutil.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libnss_files.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_files.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libnss_nisplus.so.2.0.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnss_nisplus.so.2.0.0 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libnsl.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libnsl.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libanl.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libanl.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libm.so.6 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libm.so.6 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libpthread.so.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libpthread.so.0 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libresolv.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libresolv.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib64/ld-linux-x86-64.so.2 to private /run/firejail/mnt/lib
sbox run: /run/firejail/lib/fcopy --follow-link /lib64/ld-linux-x86-64.so.2 /run/firejail/mnt/lib 
    fslib_copy_dir /usr/lib/locale
Installing Firejail libraries
    fslib_install_list  /usr/bin/firejail
    fslib_install_list  /usr/lib/x86_64-linux-gnu/firejail
    fslib_copy_dir /usr/lib/x86_64-linux-gnu/firejail
    fslib_install_list  /run/firejail/lib/fcopy
Installing sandboxed program libraries
Searching $PATH for transmission-cli
trying #/home/reiner/Apps/bin/transmission-cli#
trying #/usr/local/bin/transmission-cli#
    fslib_install_list  /usr/local/bin/transmission-cli
    fslib_copy_libs /usr/local/bin/transmission-cli
Creating empty /run/firejail/mnt/libfiles file
    running fldd /usr/local/bin/transmission-cli
sbox run: /run/firejail/lib/fldd /usr/local/bin/transmission-cli /run/firejail/mnt/libfiles 
    copying /usr/lib/x86_64-linux-gnu/libbrotlicommon.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libbrotlicommon.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libbrotlidec.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libbrotlidec.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libsasl2.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libsasl2.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libkeyutils.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libkeyutils.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libcom_err.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libcom_err.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libkrb5support.so.0 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libk5crypto.so.3 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libkrb5.so.3 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libkrb5.so.3 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libssl.so.1.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libpsl.so.5 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libpsl.so.5 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libgpg-error.so.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libgpg-error.so.0 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libgcrypt.so.20 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libgcrypt.so.20 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libssh2.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libssh2.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /lib/x86_64-linux-gnu/libz.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libz.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libgmp.so.10 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libgmp.so.10 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libhogweed.so.6 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libhogweed.so.6 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libnettle.so.8 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libnettle.so.8 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libtasn1.so.6 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libtasn1.so.6 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libffi.so.7 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libffi.so.7 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libp11-kit.so.0 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libgnutls.so.30 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libgnutls.so.30 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/librtmp.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/librtmp.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libunistring.so.2 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libunistring.so.2 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libidn2.so.0 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libidn2.so.0 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libnghttp2.so.14 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libnghttp2.so.14 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libcurl.so.4 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libcurl.so.4 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libevent-2.1.so.7 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libevent-2.1.so.7 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libminiupnpc.so.17 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libminiupnpc.so.17 /run/firejail/mnt/lib/x86_64-linux-gnu 
    copying /usr/lib/x86_64-linux-gnu/libnatpmp.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /usr/lib/x86_64-linux-gnu/libnatpmp.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu 
Processing private-bin files
    fslib_install_list  transmission-cli,/usr/bin/transmission-cli
    fslib_copy_libs /usr/bin/transmission-cli
Creating empty /run/firejail/mnt/libfiles file
    running fldd /usr/bin/transmission-cli
sbox run: /run/firejail/lib/fldd /usr/bin/transmission-cli /run/firejail/mnt/libfiles 
Installing system libraries
Mount-bind /run/firejail/mnt/lib on top of /lib /lib64 /usr/lib
Generate private-tmp whitelist commands
Creating empty /run/firejail/mnt/dbus directory
Creating empty /run/firejail/mnt/dbus/user file
blacklist /home/reiner/.dbus
Creating empty /run/firejail/mnt/dbus/system file
blacklist /run/dbus/system_bus_socket
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /boot
Disable /proc/kmsg
Copying files in the new /etc directory:
copying /etc/alternatives to private /etc
Creating empty /run/firejail/mnt/etc/alternatives directory
sbox run: /run/firejail/lib/fcopy /etc/alternatives /run/firejail/mnt/etc/alternatives 
Autoselecting /bin/bash as shell
Building quoted command line: 'transmission-cli' 
Command name #transmission-cli#
Found transmission-cli.profile profile in /etc/firejail directory
Found transmission-common.profile profile in /etc/firejail directory
Found disable-common.inc profile in /etc/firejail directory
Found disable-devel.inc profile in /etc/firejail directory
Found disable-exec.inc profile in /etc/firejail directory
Found disable-interpreters.inc profile in /etc/firejail directory
Found disable-passwdmgr.inc profile in /etc/firejail directory
Found disable-programs.inc profile in /etc/firejail directory
Found whitelist-common.inc profile in /etc/firejail directory
Found whitelist-usr-share-common.inc profile in /etc/firejail directory
Found whitelist-var-common.inc profile in /etc/firejail directory
Using the local network stack

While it is Installing standard C library, it does not copy libpcre2 for some reason.
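A way to check a `firejail --debug` log like the one in the comment above for a library that a helper needs but private-lib never copied, as an added example that is not part of the original thread or of firejail's own code. The log excerpt and the `FCOPY_NEEDED` list are constructed (libpcre2-8.so.0 and libselinux.so.1 are the names from this thread, libc.so.6 is assumed), and the function names are hypothetical.

```python
import os
import re

# Constructed excerpt in the format of the `firejail --debug` output quoted above.
SAMPLE_LOG = """\
Starting private-lib processing: program transmission-cli, shell none
Installing standard C library
    copying /lib/x86_64-linux-gnu/libselinux.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
sbox run: /run/firejail/lib/fcopy --follow-link /lib/x86_64-linux-gnu/libselinux.so.1 /run/firejail/mnt/lib/x86_64-linux-gnu
    copying /lib/x86_64-linux-gnu/libc.so.6 to private /run/firejail/mnt/lib/x86_64-linux-gnu
Installing Firejail libraries
    fslib_install_list  /usr/bin/firejail
    fslib_install_list  /run/firejail/lib/fcopy
Installing sandboxed program libraries
    fslib_install_list  /usr/local/bin/transmission-cli
    running fldd /usr/local/bin/transmission-cli
    copying /lib/x86_64-linux-gnu/libz.so.1 to private /run/firejail/mnt/lib/x86_64-linux-gnu
Installing system libraries
"""

# Constructed stand-in for `fldd .../firejail/fcopy` output on the affected host.
FCOPY_NEEDED = [
    "/lib/x86_64-linux-gnu/libselinux.so.1",
    "/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0",
    "/lib/x86_64-linux-gnu/libc.so.6",
]

PHASE_RE = re.compile(r"^Installing (.+)$")
INSTALL_RE = re.compile(r"^\s*fslib_install_list\s+(\S+)\s*$")
FLDD_RE = re.compile(r"^\s*running fldd (\S+)\s*$")
COPY_RE = re.compile(r"^\s*copying (\S+) to private (\S+)\s*$")


def parse_private_lib_log(text):
    """Return (copied, targets) from the private-lib part of a debug log.

    copied  maps library file name -> source path of every logged copy.
    targets has one record per fslib_install_list call, in log order, with
    the copies logged between that call and the next call or phase header.
    """
    copied = {}
    targets = []
    phase = None
    current = None
    for line in text.splitlines():
        m = PHASE_RE.match(line)
        if m:
            phase, current = m.group(1), None
            continue
        m = INSTALL_RE.match(line)
        if m:
            current = {"phase": phase, "target": m.group(1),
                       "fldd": False, "copied": []}
            targets.append(current)
            continue
        m = FLDD_RE.match(line)
        if m and current is not None:
            current["fldd"] = True
            continue
        m = COPY_RE.match(line)
        if m:
            src = m.group(1)
            copied[os.path.basename(src)] = src
            if current is not None:
                current["copied"].append(src)
    return copied, targets


def missing_libs(needed_paths, copied):
    """Libraries the helper needs that no 'copying' line ever installed."""
    return [p for p in needed_paths if os.path.basename(p) not in copied]


def targets_without_copies(targets):
    """Targets with no copy logged; a lead to follow up, not proof of a bug."""
    return [t["target"] for t in targets if not t["copied"]]


if __name__ == "__main__":
    copied, targets = parse_private_lib_log(SAMPLE_LOG)
    for t in targets:
        print(f"{t['target']}: fldd={t['fldd']} copies={len(t['copied'])}")
    for path in missing_libs(FCOPY_NEEDED, copied):
        print("needed by fcopy but never copied:", path)
```

To use it on a real system, save the output of `firejail --debug` to a file and replace `FCOPY_NEEDED` with the lines printed by `fldd` for the helper binary.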

@reinerh
Collaborator Author

reinerh commented Jan 30, 2021

static LibList libc_list in fs_lib2.c seems to be unused for copying files.
It is only used for finding the name of the libc.

@smitsohu
Collaborator

@reinerh If you find the time, could you try if adding back fslib_install_list(PATH_FCOPY) fixes this?

Maybe we could run fldd as root on our helper binaries? After all we have to trust them anyway.

@reinerh
Collaborator Author

reinerh commented Jan 31, 2021

@smitsohu I tried it, but it didn't help:

Installing Firejail libraries
    fslib_install_list  /usr/bin/firejail
Installing fcopy libraries
    fslib_install_list  /run/firejail/lib/fcopy
    fslib_install_list  /usr/lib/x86_64-linux-gnu/firejail
    fslib_copy_dir /usr/lib/x86_64-linux-gnu/firejail
Installing sandboxed program libraries

@smitsohu
Collaborator

smitsohu commented Jan 31, 2021

And if you relax permissions on /usr/lib/x86_64-linux-gnu/firejail/fcopy to rwxr-xr-x ?

@reinerh
Collaborator Author

reinerh commented Jan 31, 2021

@smitsohu With fslib_install_list(PATH_FCOPY) AND chmod 755 /usr/lib/*/firejail/fcopy it is working.

@smitsohu
Collaborator

smitsohu commented Jan 31, 2021

Just trying to understand what is going on: Is it possible you have libpcre2 in a place unexpected to firejail?

(what does /usr/lib/x86_64-linux-gnu/firejail/fldd /usr/lib/x86_64-linux-gnu/firejail/fcopy | grep libpcre2 say?)

@reinerh
Collaborator Author

reinerh commented Jan 31, 2021

$ /usr/lib/x86_64-linux-gnu/firejail/fldd /usr/lib/x86_64-linux-gnu/firejail/fcopy | grep libpcre2
/usr/lib/x86_64-linux-gnu/libpcre2-8.so.0
lrwxrwxrwx 1 root root     20 Dec 13 17:23 /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0 -> libpcre2-8.so.0.10.1
-rw-r--r-- 1 root root 617128 Dec 13 17:23 /usr/lib/x86_64-linux-gnu/libpcre2-8.so.0.10.1

@smitsohu
Collaborator

Quite interesting. I have really no idea atm why fslib_install_stdc doesn't pick it up.

I'll try to put together a pull request to run this stuff as root. Then we have read permission on fcopy and it should work again.

@smitsohu
Collaborator

@reinerh Do we have any time pressure here (= do you need this for one of your builds)? Just asking.

@reinerh
Collaborator Author

reinerh commented Feb 17, 2021

@smitsohu I don't think there is much pressure. If you can't reproduce it, it's maybe not so widespread and only occurs on certain systems.

It would be nice if it could be fixed by 1st of March, as I could then still apply a patch to the version packaged in Debian, and it would make it into the next stable (though fixing it later is probably also still possible if the change is not intrusive and we can argue it's important enough to fix).

If you want me to test or debug anything, please tell me.

@smitsohu
Collaborator

Ok. I'll try to have something by the weekend.
