# [solved] firejail replies with Error clone and does not work

## jagdpanther

Firejail is not working on my system.  For example:

```
$ firejail firefox

Reading profile /etc/firejail/firefox.profile

Reading profile /etc/firejail/disable-common.inc

Reading profile /etc/firejail/disable-devel.inc

Reading profile /etc/firejail/disable-programs.inc

Reading profile /etc/firejail/whitelist-common.inc

Error clone: main.c:2475 main: Invalid argument
```

After reading the Gentoo Firejail wiki,  https://wiki.gentoo.org/wiki/Firejail , I also tried firemon as root:

```
 # firemon

Error: netlink socket problem
```

I re-emerged firejail and still have the same issues.  Here are the use flags for my current install:

```
 Installed versions:  0.9.50    (09:37:28 AM 08/12/2018)(bind chroot file-transfer network seccomp userns -apparmor -contrib -network-restricted -x11)
```

I am running gentoo-sources-4.17.14 on an Intel i9-based system.

Any suggestions for getting firejail working?

Last edited by jagdpanther on Mon Aug 13, 2018 1:12 am; edited 1 time in total

----------

## Hu

What are the last 100 lines when firejail is run under strace?

----------

## jagdpanther

Hu:

Hi.  There are 97 lines in total, so here is the entire output from

strace firejail firefox > /tmp/firejail_strace.out 2>&1

```
execve("/usr/bin/firejail", ["firejail", "firefox"], 0x7ffc4af0c3c8 /* 37 vars */) = 0

access(0x7fdd055070a3, F_OK)            = -1 ENOENT (No such file or directory)

brk(NULL)                               = 0x55616c746000

fcntl(0, F_GETFD)                       = 0

fcntl(1, F_GETFD)                       = 0

fcntl(2, F_GETFD)                       = 0

access(0x7fdd055070a3, F_OK)            = -1 ENOENT (No such file or directory)

access(0x7fdd0550a130, R_OK)            = -1 ENOENT (No such file or directory)

openat(AT_FDCWD, 0x7fdd05507a28, O_RDONLY|O_CLOEXEC) = 3

fstat(3, 0x7ffc44dca0a0)                = 0

mmap(NULL, 296163, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7fdd056c4000

close(3)                                = 0

openat(AT_FDCWD, 0x7fdd0570fdc0, O_RDONLY|O_CLOEXEC) = 3

read(3, 0x7ffc44dca268, 832)            = 832

fstat(3, 0x7ffc44dca100)                = 0

mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fdd056c2000

mmap(NULL, 3951064, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fdd05124000

mprotect(0x7fdd052df000, 2097152, PROT_NONE) = 0

mmap(0x7fdd054df000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1bb000) = 0x7fdd054df000

mmap(0x7fdd054e5000, 14808, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7fdd054e5000

close(3)                                = 0

arch_prctl(ARCH_SET_FS, 0x7fdd056c3540) = 0

mprotect(0x7fdd054df000, 16384, PROT_READ) = 0

mprotect(0x55616b9b1000, 4096, PROT_READ) = 0

mprotect(0x7fdd0570d000, 4096, PROT_READ) = 0

munmap(0x7fdd056c4000, 296163)          = 0

stat(0x55616b79fc73, 0x7ffc44dc97e0)    = 0

stat(0x55616b79fd6e, 0x7ffc44dc97e0)    = 0

stat(0x55616b79e3df, 0x7ffc44dc97e0)    = 0

stat(0x55616b79e385, 0x7ffc44dc97e0)    = 0

stat(0x55616b79f7ce, 0x7ffc44dc97e0)    = 0

stat(0x55616b7a365c, 0x7ffc44dc97e0)    = 0

stat(0x55616b79f7e1, 0x7ffc44dc97e0)    = 0

stat(0x55616b79e06e, 0x7ffc44dc97e0)    = 0

stat(0x55616b7a646f, 0x7ffc44dc97e0)    = 0

stat(0x55616b79fe20, 0x7ffc44dc9520)    = 0

stat(0x55616b79f5e0, 0x7ffc44dc94a0)    = 0

brk(NULL)                               = 0x55616c746000

brk(0x55616c767000)                     = 0x55616c767000

openat(AT_FDCWD, 0x55616b7a64d7, O_RDONLY) = 3

fstat(3, 0x7ffc44dc8d30)                = 0

read(3, 0x55616c746490, 1024)           = 6

close(3)                                = 0

open(0x55616b79f813, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3

fstat(3, 0x7ffc44dc9590)                = 0

brk(0x55616c78f000)                     = 0x55616c78f000

getdents(3, 0x55616c7668e0, 32768)      = 11496

getdents(3, /* 0 entries */, 32768)     = 0

brk(0x55616c787000)                     = 0x55616c787000

close(3)                                = 0

open(0x55616b7a365c, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = 3

fstat(3, 0x7ffc44dc9590)                = 0

getdents(3, 0x55616c7668e0, 32768)      = 48

getdents(3, /* 0 entries */, 32768)     = 0

close(3)                                = 0

brk(0x55616c767000)                     = 0x55616c767000

getuid()                                = 527

getgid()                                = 527

setresuid(-1, 527, -1)                  = 0

setresgid(-1, 527, -1)                  = 0

getuid()                                = 527

geteuid()                               = 527

getuid()                                = 527

geteuid()                               = 527

setresuid(-1, 0, -1)                    = -1 EPERM (Operation not permitted)

setresgid(-1, 0, -1)                    = -1 EPERM (Operation not permitted)

openat(AT_FDCWD, 0x55616b7a5f8c, O_RDONLY) = -1 EACCES (Permission denied)

setresuid(-1, 527, -1)                  = 0

setresgid(-1, 527, -1)                  = 0

setresuid(-1, 0, -1)                    = -1 EPERM (Operation not permitted)

setresgid(-1, 0, -1)                    = -1 EPERM (Operation not permitted)

stat(0x55616c746910, 0x7ffc44dc95c0)    = 0

openat(AT_FDCWD, 0x55616c746910, O_RDONLY) = 3

fstat(3, 0x7ffc44dc9370)                = 0

read(3, 0x55616c746490, 1024)           = 5

close(3)                                = 0

stat(0x55616c746910, 0x7ffc44dc95c0)    = 0

openat(AT_FDCWD, 0x55616c746910, O_RDONLY) = 3

fstat(3, 0x7ffc44dc9370)                = 0

read(3, 0x55616c746490, 1024)           = 9

close(3)                                = 0

setresuid(-1, 527, -1)                  = 0

setresgid(-1, 527, -1)                  = 0

setresuid(-1, 0, -1)                    = -1 EPERM (Operation not permitted)

setresgid(-1, 0, -1)                    = -1 EPERM (Operation not permitted)

geteuid()                               = 527

write(2, 0x55616b7a4310, 30Error: cannot rise privileges

)            = 30

setresuid(-1, 0, -1)                    = -1 EPERM (Operation not permitted)

setresgid(-1, 0, -1)                    = -1 EPERM (Operation not permitted)

getpid()                                = 32144

unlink(0x55616c746930)                  = -1 ENOENT (No such file or directory)

unlink(0x55616c746930)                  = -1 ENOENT (No such file or directory)

unlink(0x55616c746930)                  = -1 ENOENT (No such file or directory)

unlink(0x55616c746930)                  = -1 ENOENT (No such file or directory)

unlink(0x55616c746910)                  = -1 ENOENT (No such file or directory)

exit_group(1)                           = ?

+++ exited with 1 +++
```

----------

## Hu

According to that output, it never even tried to use clone, nor did it produce the error message.  Is /usr/bin/firejail setuid/setgid?  If so, you cannot use a regular strace to monitor it: when a setuid program is started under an unprivileged tracer, the kernel ignores the setuid bit, so the program runs without its elevated privileges.

----------

## jagdpanther

Yes firejail is setuid:

```
ls -l /usr/bin/firejail

-rws--x--x 1 root root 289040 Aug 12 09:37 /usr/bin/firejail
```

Running as root, the output is almost the same; there is just an additional "Warning:" line.

```
 # firejail firefox

Reading profile /etc/firejail/firefox.profile

Reading profile /etc/firejail/disable-common.inc

Reading profile /etc/firejail/disable-devel.inc

Reading profile /etc/firejail/disable-programs.inc

Reading profile /etc/firejail/whitelist-common.inc

Warning: noroot option is not available

Error clone: main.c:2475 main: Invalid argument
```

Here is the end of the strace output when "strace firejail firefox" is run as root.  I skipped many of the "getuid() = 0" lines.

```
...

getuid()                                = 0

stat("/root/.config/dconf", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

getuid()                                = 0

...

getuid()                                = 0

read(5, "", 4096)                       = 0

close(5)                                = 0

getuid()                                = 0

...

getuid()                                = 0

getuid()                                = 0

write(2, "Warning: ", 9Warning: )                = 9

write(2, "noroot option is not available\n", 31noroot option is not available

) = 31

getuid()                                = 0

getuid() 

...

getuid()                                = 0

getuid()                                = 0

getuid()                                = 0

read(4, "", 4096)                       = 0

close(4)                                = 0

close(3)                                = 0

getuid()                                = 0

pipe([3, 4])                            = 0

pipe([5, 6])                            = 0

setresuid(-1, 0, -1)                    = 0

setresgid(-1, 0, -1)                    = 0

setresuid(-1, 0, -1)                    = 0

setresgid(-1, 0, -1)                    = 0

getuid()                                = 0

setresuid(-1, 0, -1)                    = 0

setresgid(-1, 0, -1)                    = 0

clone(child_stack=0x559030df9470, flags=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWPID|SIGCHLD) = -1 EINVAL (Invalid argument)

write(2, "Error clone: main.c:2475 main: I"..., 48Error clone: main.c:2475 main: Invalid argument

) = 48

setresuid(-1, 0, -1)                    = 0

setresgid(-1, 0, -1)                    = 0

getpid()                                = 9402

unlink("/run/firejail/bandwidth/9402-bandwidth") = -1 ENOENT (No such file or directory)

unlink("/run/firejail/network/9402-netmap") = -1 ENOENT (No such file or directory)

unlink("/run/firejail/name/9402")       = -1 ENOENT (No such file or directory)

unlink("/run/firejail/profile/9402")    = 0

unlink("/run/firejail/x11/9402")        = -1 ENOENT (No such file or directory)

exit_group(1)                           = ?

+++ exited with 1 +++
```

----------

## khayyam

 *jagdpanther wrote:*   

> 
> 
> ```
> clone(child_stack=0x559030df9470, flags=CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC|CLONE_NEWPID|SIGCHLD) = -1 EINVAL (Invalid argument)
> 
> ...

 

jagdpanther ... that looks to me like you're missing some NAMESPACE (CONFIG_UTS_NS, CONFIG_IPC_NS, CONFIG_PID_NS) support in the kernel — clone(2) fails with EINVAL when it is passed a CLONE_NEW* flag for a namespace type the running kernel was built without:

```
# egrep '_NS' /usr/src/linux/.config
```

best ... khay

----------

## jagdpanther

Hu and khayyam, thank you.

 *Quote:*   

> jagdpanther ... that looks to me like you're missing some NAMESPACE (CONFIG_UTS_NS, CONFIG_IPC_NS, CONFIG_PID_NS) support in the kernel

 

Old kernel, 4.17.14-gentoo-01:

```
 /usr/src/linux # egrep '_NS' .config

# CONFIG_UTS_NS is not set

CONFIG_IPC_NS=y

CONFIG_USER_NS=y

CONFIG_PID_NS=y

CONFIG_NET_NS=y

CONFIG_NF_CONNTRACK_NETBIOS_NS=m
```

My new kernel configuration, 4.17.14-gentoo-02, has "CONFIG_UTS_NS=y" and the clone error is gone.

----------

