Audio

Firejail overlay permissions and ALSA no sound (wrong groups in the container/jail)

  • February 3, 2021

I'll try to keep this short. I want to run programs that need ALSA and a firejail profile, but for some reason that may be related to overlays and/or groups, they may not have the permission or the ability to access the sound card.

I have installed firejail 0.9.64.2, alsa-utils 1.2.4_1, pulseaudio 14.0_3 and other alsa/pulse emulation packages, plus whatever sound card packages the system install came with. I installed the pulse packages just in case (pulse also makes itself a member of audio). The current situation is that ALSA works fine without firejail, and also works under firejail under certain conditions, namely without the overlay and nogroups options when fiddling with some profiles. However, I need the overlay and filesystem-mount features of many profiles to handle sound properly. I have added my user to the supplementary group "audio" and verified this through /etc/group. I checked the ownership of the folder '/dev/snd'; the files in it are owned by root:audio, except for the 'by-path' symlink owned by root:root, which links back to ../controlC0. I hesitate to change its ownership because I don't think that is the problem and it would cause more headaches. However, I did test profiles with programs such as mpv using the overlay option, and I got similar error messages about alsa not finding the sound card. The overlay or nogroups options may be breaking alsa in some of the profiles I tested. I did some more informative tests, some of them using firejail's trace feature.

$ firejail id
uid=1000(user1) gid=100(users) groups=100(users),12(audio)

Works! It shows the audio group I need. (Not including things like mail or wireshark.)

$ firejail --overlay-tmpfs id
uid=1000(user1) gid=100(users) groups=100(users)

No audio group when using overlays? This matters because many firejail profiles use overlays and group restrictions. In my case, this problem mutes my programs. That's my guess.

$ firejail aplay -l && aplay -L

Works! It shows all my cards and pcms! It also produced the trace log I give below. I assume the /dev/snd/controlC0:5 return is why the devices are listed successfully.

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:5
3:aplay:fopen /usr/share/alsa/alsa.conf:0x564afaf56540
3:aplay:access /usr/etc/alsa/conf.d:-1
3:aplay:access /etc/alsa/conf.d:-1
3:aplay:access /etc/asound.conf:0
3:aplay:fopen /etc/asound.conf:0x564afaf56540
3:aplay:access /home/user1/.asoundrc:-1
3:aplay:access /home/user1/.config/alsa/asoundrc:-1
3:aplay:open /dev/snd/controlC0:5
3:aplay:open /dev/snd/controlC1:-1
3:aplay:open /dev/aloadC1:-1
3:aplay:open /dev/snd/controlC2:-1
3:aplay:open /dev/aloadC2:-1
3:aplay:open /dev/snd/controlC3:-1
3:aplay:open /dev/aloadC3:-1

$ firejail --overlay-tmpfs aplay -l && aplay -L

Fails! It only shows pcms, no sound cards. It produced the log below.

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:-1
3:aplay:open /dev/aloadC0:-1
3:aplay:open /dev/snd/controlC1:-1
3:aplay:open /dev/aloadC1:-1
3:aplay:open /dev/snd/controlC2:-1
3:aplay:open /dev/aloadC2:-1
3:aplay:open /dev/snd/controlC3:-1
3:aplay:open /dev/aloadC3:-1

$ firejail alsabat-test.sh

It made some sound. Yes, normal video and sound also work in the window manager. It also made sound in a separate TTY terminal without a graphical window.

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:alsabat-test.sh:exec /usr/bin/bash:0
3:alsabat-test.sh:open /dev/tty:5
3:alsabat-test.sh:open /bin/alsabat-test.sh:5
4:mkdir:exec /usr/bin/mkdir:0
4:mkdir:mkdir tmp:-1
3:alsabat-test.sh:access /usr/share/terminfo/s/st-256color:0
3:alsabat-test.sh:fopen /usr/share/terminfo/s/st-256color:0x556402ad6510
5:alsabat:exec /usr/bin/alsabat:0
5:alsabat:fopen tmp/0.log:0x55b5c9529540
5:alsabat:fopen /usr/share/alsa/alsa.conf:0x7f54bc001c80
5:alsabat:access /usr/etc/alsa/conf.d:-1
5:alsabat:access /etc/alsa/conf.d:-1
5:alsabat:access /etc/asound.conf:0
5:alsabat:fopen /etc/asound.conf:0x7f54bc001c80
5:alsabat:access /home/user1/.asoundrc:-1
5:alsabat:access /home/user1/.config/alsa/asoundrc:-1
5:alsabat:access /usr/lib/alsa-lib:0
5:alsabat:fopen64 /home/user1/.config/pulse/client.conf:0x7f54bc001c80
5:alsabat:access /home/user1/.pulse:-1
5:alsabat:mkdir /home/user1/.config/pulse:-1
5:alsabat:open64 /home/user1/.config/pulse:11
5:alsabat:fopen64 /etc/machine-id:(nil)
5:alsabat:fopen64 /var/lib/dbus/machine-id:0x7f54bc001c80
5:alsabat:mkdir /tmp/pulse-PKdhtXMmr18n:-1
5:alsabat:mkdir /tmp/pulse-2L9K88eMlGn7:0
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /tmp/pulse-2L9K88eMlGn7/native:-1
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /var/run/pulse/native:-1
5:alsabat:fopen /usr/share/alsa/cards/aliases.conf:0x7f54bc001c80
5:alsabat:fopen /usr/share/alsa/pcm/default.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dmix.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dsnoop.conf:0x7f54bc01b3c0
5:alsabat:open /dev/snd/controlC0:7
5:alsabat:open /dev/snd/controlC0:7
5:alsabat:access /usr/share/alsa/cards/HDA-Intel.conf:0
5:alsabat:fopen /usr/share/alsa/cards/HDA-Intel.conf:0x7f54bc001c80
5:alsabat:fopen /usr/share/alsa/pcm/front.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround21.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround40.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround41.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround50.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround51.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround71.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/iec958.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/hdmi.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/modem.conf:0x7f54bc01b3c0
5:alsabat:open /dev/snd/controlC1:-1
5:alsabat:open /dev/aloadC1:-1
5:alsabat:open /dev/snd/controlC2:-1
5:alsabat:open /dev/aloadC2:-1
5:alsabat:open /dev/snd/controlC3:-1
5:alsabat:open /dev/aloadC3:-1

$ firejail --overlay-tmpfs alsabat-test.sh

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:alsabat-test.sh:exec /usr/bin/bash:0
3:alsabat-test.sh:open /dev/tty:5
3:alsabat-test.sh:open /bin/alsabat-test.sh:5
4:mkdir:exec /usr/bin/mkdir:0
4:mkdir:mkdir tmp:-1
3:alsabat-test.sh:access /usr/share/terminfo/s/st-256color:0
3:alsabat-test.sh:fopen /usr/share/terminfo/s/st-256color:0x55a7e137d510
5:alsabat:exec /usr/bin/alsabat:0
5:alsabat:fopen tmp/0.log:0x561c3c323540
5:alsabat:fopen /usr/share/alsa/alsa.conf:0x7f09f0001c80
5:alsabat:access /usr/etc/alsa/conf.d:-1
5:alsabat:access /etc/alsa/conf.d:-1
5:alsabat:access /etc/asound.conf:0
5:alsabat:fopen /etc/asound.conf:0x7f09f0001c80
5:alsabat:access /home/user1/.asoundrc:-1
5:alsabat:access /home/user1/.config/alsa/asoundrc:-1
5:alsabat:access /usr/lib/alsa-lib:0
5:alsabat:fopen64 /home/user1/.config/pulse/client.conf:0x7f09f0001c80
5:alsabat:access /home/user1/.pulse:-1
5:alsabat:mkdir /home/user1/.config/pulse:-1
5:alsabat:open64 /home/user1/.config/pulse:11
5:alsabat:fopen64 /etc/machine-id:(nil)
5:alsabat:fopen64 /var/lib/dbus/machine-id:0x7f09f0001c80
5:alsabat:mkdir /tmp/pulse-PKdhtXMmr18n:-1
5:alsabat:mkdir /tmp/pulse-2L9K88eMlGn7:-1
5:alsabat:mkdir /tmp/pulse-CcctT9RwKSB1:0
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /tmp/pulse-CcctT9RwKSB1/native:-1
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /var/run/pulse/native:-1
5:alsabat:fopen /usr/share/alsa/cards/aliases.conf:0x7f09f0001c80
5:alsabat:fopen /usr/share/alsa/pcm/default.conf:0x7f09f001b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dmix.conf:0x7f09f001b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dsnoop.conf:0x7f09f001b3c0
5:alsabat:open /dev/snd/controlC0:-1
5:alsabat:open /dev/aloadC0:-1
5:alsabat:open /dev/snd/controlC1:-1
5:alsabat:open /dev/aloadC1:-1
5:alsabat:open /dev/snd/controlC2:-1
5:alsabat:open /dev/aloadC2:-1
5:alsabat:open /dev/snd/controlC3:-1
5:alsabat:open /dev/aloadC3:-1

Fails! The controlC0:-1 in these logs means it failed. No sound heard! I cut all the logs off at aloadC3 because it just kept returning -1 errors more than 30 times, repeating the same iteration.

I tried removing my user from the audio group, rebooting, and doing the aplay -l and firejail overlay tests. Nothing. All that did was completely remove my access to the sound card at /dev/snd/. I read on the firejail wiki that some overlay problems occur on newer linux kernels, so I even tried booting an LTS linux kernel older than the version mentioned, but it failed the same way. I could try downgrading firejail. I could also downgrade the other related audio packages, but I don't want to mess with dependencies and cause unnecessary problems. I could try removing ALSA from the default runit boot and calling it from bash. But ALSA works just fine without firejail, so that's just hopeless guessing. I won't go any further until I get a good diagnosis from someone more familiar with this than I am. Currently no user or entity is using /dev/snd/, so I still assume this is a firejail privilege problem or a group problem. Unless the current firejail version is bugged.

Edit:

$ firejail --overlay-tmpfs id

OverlayFS configured in /run/firejail/mnt directory
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 181.47 ms
uid=1000(user1) gid=100(users) groups=100(users)

$ firejail --overlay-tmpfs --allusers id

OverlayFS configured in /run/firejail/mnt directory
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 180.15 ms
uid=1000(user1) gid=100(users) groups=100(users)

The trace log is identical, just the id binary being executed.

$ firejail --overlay-tmpfs --allusers aplay -l && aplay -L

aplay -l can't show the sound cards:

aplay: device_list:274: no soundcards found...

aplay -L listed my pcms successfully like in the other tests. Despite --allusers, the trace log looks as if nothing changed.

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:-1
3:aplay:open /dev/aloadC0:-1
3:aplay:open /dev/snd/controlC1:-1
3:aplay:open /dev/aloadC1:-1
3:aplay:open /dev/snd/controlC2:-1
3:aplay:open /dev/aloadC2:-1
3:aplay:open /dev/snd/controlC3:-1
3:aplay:open /dev/aloadC3:-1

Overlays just can't give the group access to audio or the sound card.

Edit 2 (more tests):

$ firejail --debug id

Autoselecting /bin/bash as shell
Building quoted command line: 'id'
Command name #id#
Attempting to find default.profile...
Found default.profile profile in /etc/firejail directory
Found disable-common.inc profile in /etc/firejail directory
Found disable-passwdmgr.inc profile in /etc/firejail directory
Found disable-programs.inc profile in /etc/firejail directory
Using the local network stack
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
mountid=80 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
mountid=81 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
mountid=82 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
mountid=83 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
mountid=84 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Cannot find /run/user/1000 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/user1/.bash_history
Disable /home/user1/.lesshst
Disable /home/user1/.viminfo
Disable /home/user1/.xinitrc
Disable /etc/xdg/autostart
Mounting read-only /home/user1/.Xauthority
...
Disable /etc/rc.conf
Disable /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /var/mail (requested /var/spool/mail)
Disable /etc/cron.daily
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/kernel.d
Disable /etc/grub.d
Disable /etc/apparmor
Disable /etc/apparmor.d
Mounting read-only /home/user1/.bash_logout
...
Disable /home/user1/.gnupg
Disable /home/user1/.netrc
Disable /home/user1/.pki
Disable /home/user1/.local/share/pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/local/sbin
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /usr/sbin/chage)
Disable /usr/bin/chage (requested /sbin/chage)
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /usr/sbin/chfn)
Disable /usr/bin/chfn (requested /sbin/chfn)
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /usr/sbin/chsh)
Disable /usr/bin/chsh (requested /sbin/chsh)
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /usr/sbin/expiry)
Disable /usr/bin/expiry (requested /sbin/expiry)
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount (requested /usr/sbin/fusermount)
Disable /usr/bin/fusermount (requested /sbin/fusermount)
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /usr/sbin/gpasswd)
Disable /usr/bin/gpasswd (requested /sbin/gpasswd)
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /usr/sbin/mount)
Disable /usr/bin/mount (requested /sbin/mount)
Disable /usr/bin/newgidmap (requested /bin/newgidmap)
Disable /usr/bin/newgidmap
Disable /usr/bin/newgidmap (requested /usr/sbin/newgidmap)
Disable /usr/bin/newgidmap (requested /sbin/newgidmap)
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /usr/sbin/newgrp)
Disable /usr/bin/newgrp (requested /sbin/newgrp)
Disable /usr/bin/newuidmap (requested /bin/newuidmap)
Disable /usr/bin/newuidmap
Disable /usr/bin/newuidmap (requested /usr/sbin/newuidmap)
Disable /usr/bin/newuidmap (requested /sbin/newuidmap)
Disable /usr/bin/sg (requested /bin/sg)
Disable /usr/bin/sg
Disable /usr/bin/sg (requested /usr/sbin/sg)
Disable /usr/bin/sg (requested /sbin/sg)
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/su
Disable /usr/bin/su (requested /usr/sbin/su)
Disable /usr/bin/su (requested /sbin/su)
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /usr/sbin/sudo)
Disable /usr/bin/sudo (requested /sbin/sudo)
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /usr/sbin/umount)
Disable /usr/bin/umount (requested /sbin/umount)
Disable /usr/bin/unix_chkpwd (requested /bin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd
Disable /usr/bin/unix_chkpwd (requested /usr/sbin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd (requested /sbin/unix_chkpwd)
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /usr/sbin/xev)
Disable /usr/bin/xev (requested /sbin/xev)
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /usr/sbin/xinput)
Disable /usr/bin/xinput (requested /sbin/xinput)
Disable /proc/config.gz
Disable
Disable /home/user1/.config/mpv
...
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
...
Current directory: /home/user1
Install protocol filter: unix,inet,inet6
configuring 20 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32
Dual 32/64 bit seccomp filter configured
configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
228 77 0:43 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=228 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             240 ..
-rw-r--r-- user1 users           1072 seccomp
-rw-r--r-- user1 users            808 seccomp.32
-rw-r--r-- user1 users            114 seccomp.list
-rw-r--r-- user1 users              0 seccomp.postexec
-rw-r--r-- user1 users              0 seccomp.postexec32
-rw-r--r-- user1 users            160 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 0
Supplementary groups: 12
Starting application
LD_PRELOAD=(null)
Running 'id'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'id'
uid=1000(user1) gid=100(users) groups=100(users),12(audio)

$ firejail --debug --overlay-tmpfs id

Autoselecting /bin/bash as shell
Building quoted command line: 'id'
Command name #id#
Attempting to find default.profile...
Found default.profile profile in /etc/firejail directory
Found disable-common.inc profile in /etc/firejail directory
Found disable-passwdmgr.inc profile in /etc/firejail directory
Found disable-programs.inc profile in /etc/firejail directory
Using the local network stack
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol
Linux kernel version 5.10
Mounting OverlayFS
DEBUG: chroot dirs are oroot /run/firejail/mnt/oroot  odiff /run/firejail/mnt/odiff  owork /run/firejail/mnt/owork
DEBUG: overlayhome var holds ##/run/firejail/mnt/oroot/home/user1##
Mounting /dev
Mounting /run
Mounting /tmp
Mounting /proc filesystem representing the PID namespace
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Cannot find /run/user/1000 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/user1/.bash_history
Disable /home/user1/.lesshst
Disable /home/user1/.viminfo
Disable /home/user1/.xinitrc
Disable /etc/xdg/autostart
Mounting read-only /home/user1/.Xauthority
...
fstype=overlay
Disable /etc/rc.conf
Disable /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /var/mail (requested /var/spool/mail)
Disable /etc/cron.daily
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/kernel.d
Disable /etc/grub.d
Disable /etc/apparmor
Disable /etc/apparmor.d
Mounting read-only /home/user1/.bash_logout
...
Disable /home/user1/.gnupg
Disable /home/user1/.netrc
Disable /home/user1/.pki
Disable /home/user1/.local/share/pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/local/sbin
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /usr/sbin/chage)
Disable /usr/bin/chage (requested /sbin/chage)
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /usr/sbin/chfn)
Disable /usr/bin/chfn (requested /sbin/chfn)
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /usr/sbin/chsh)
Disable /usr/bin/chsh (requested /sbin/chsh)
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /usr/sbin/expiry)
Disable /usr/bin/expiry (requested /sbin/expiry)
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount (requested /usr/sbin/fusermount)
Disable /usr/bin/fusermount (requested /sbin/fusermount)
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /usr/sbin/gpasswd)
Disable /usr/bin/gpasswd (requested /sbin/gpasswd)
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /usr/sbin/mount)
Disable /usr/bin/mount (requested /sbin/mount)
Disable /usr/bin/newgidmap (requested /bin/newgidmap)
Disable /usr/bin/newgidmap
Disable /usr/bin/newgidmap (requested /usr/sbin/newgidmap)
Disable /usr/bin/newgidmap (requested /sbin/newgidmap)
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /usr/sbin/newgrp)
Disable /usr/bin/newgrp (requested /sbin/newgrp)
Disable /usr/bin/newuidmap (requested /bin/newuidmap)
Disable /usr/bin/newuidmap
Disable /usr/bin/newuidmap (requested /usr/sbin/newuidmap)
Disable /usr/bin/newuidmap (requested /sbin/newuidmap)
Disable /usr/bin/sg (requested /bin/sg)
Disable /usr/bin/sg
Disable /usr/bin/sg (requested /usr/sbin/sg)
Disable /usr/bin/sg (requested /sbin/sg)
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/su
Disable /usr/bin/su (requested /usr/sbin/su)
Disable /usr/bin/su (requested /sbin/su)
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /usr/sbin/sudo)
Disable /usr/bin/sudo (requested /sbin/sudo)
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /usr/sbin/umount)
Disable /usr/bin/umount (requested /sbin/umount)
Disable /usr/bin/unix_chkpwd (requested /bin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd
Disable /usr/bin/unix_chkpwd (requested /usr/sbin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd (requested /sbin/unix_chkpwd)
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /usr/sbin/xev)
Disable /usr/bin/xev (requested /sbin/xev)
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /usr/sbin/xinput)
Disable /usr/bin/xinput (requested /sbin/xinput)
Disable /proc/config.gz
Disable /home/user1/.config/mpv
Disable /home/user1/.config/straw-viewer
Disable /home/user1/.config/torbrowser
Disable /home/user1/.config/youtube-dl
Disable /home/user1/.links
Disable /home/user1/.local/share/torbrowser
Disable /home/user1/.mozilla
Disable /home/user1/.cache/mozilla
Disable /home/user1/.cache/straw-viewer
Disable /home/user1/.cache/torbrowser
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
251 87 0:43 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=251 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/user1/.config/pulse
252 101 0:43 /pulse /home/user1/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=252 fsname=/pulse dir=/home/user1/.config/pulse fstype=tmpfs
Current directory: /home/user1
Install protocol filter: unix,inet,inet6
configuring 20 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol
line  OP JT JF    K
...
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32
Dual 32/64 bit seccomp filter configured
configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
254 87 0:43 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=254 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             300 ..
-rw-r--r-- user1 users           1072 seccomp
-rw-r--r-- user1 users            808 seccomp.32
-rw-r--r-- user1 users            114 seccomp.list
-rw-r--r-- user1 users              0 seccomp.postexec
-rw-r--r-- user1 users              0 seccomp.postexec32
-rw-r--r-- user1 users            160 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 1
No supplementary groups
Starting application
LD_PRELOAD=(null)
Running 'id'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'id'
uid=1000(user1) gid=100(users) groups=100(users)

I got some important related debug info, cleaned out some personal details, and stayed within the character limit here. I'm just new to UNIX, so I'm not sure what to do with this info to fix the overlay and audio group access. This should be my last bit of info.

You can choose which group firejail uses by changing your effective group ID.

firejail creates a user namespace in which only your current effective user and group exist (plus system users such as root and nobody). You need to make the audio group your effective group ID (rather than one of the several groups your user is in):

$ newgrp audio
$ id
uid=1000(user1) gid=12(audio) groups=......
$ firejail program-that-needs-the-audio-group

Quoted from: https://unix.stackexchange.com/questions/632256
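As an added example (not part of the question or the answer above), a small POSIX sh helper that decides from the id(1) output and the "Drop privileges" line of firejail --debug whether a group such as audio will survive into the sandbox: it survives as the effective gid regardless, but as a supplementary group only when nogroups is not in effect. The sample lines are constructed from the formats shown in the question.

```shell
#!/bin/sh
# Added example: check whether a group reaches a firejail sandbox.
# Assumes the id(1) and "Drop privileges: ... nogroups N" line formats
# shown in the question above.

# id_has_group "<id output>" "<group>": true if the group is the effective
# gid or one of the supplementary groups, e.g. ",12(audio)".
id_has_group() {
    _line=$1; _grp=$2
    printf '%s\n' "$_line" | grep -Eq "(gid=|groups=|,)[0-9]+\($_grp\)"
}

# id_effective_group "<id output>": print the name inside gid=NNN(name).
id_effective_group() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# debug_nogroups "<firejail --debug output>": true when the sandbox drops
# supplementary groups (nogroups 1), which --overlay-tmpfs turns on.
debug_nogroups() {
    printf '%s\n' "$1" | grep -Eq '^Drop privileges: .*nogroups 1$'
}

# group_survives "<id output>" "<debug output>" "<group>": true if the
# program inside the jail will still belong to <group>.
group_survives() {
    _id=$1; _dbg=$2; _grp=$3
    # The effective gid is always carried into the user namespace.
    if [ "$(id_effective_group "$_id")" = "$_grp" ]; then
        return 0
    fi
    # A supplementary group only survives when nogroups is off.
    if id_has_group "$_id" "$_grp" && ! debug_nogroups "$_dbg"; then
        return 0
    fi
    return 1
}

# Constructed samples mirroring the outputs in the question.
ID_PLAIN='uid=1000(user1) gid=100(users) groups=100(users),12(audio)'
# After "newgrp audio", as in the answer: audio becomes the effective gid.
ID_NEWGRP='uid=1000(user1) gid=12(audio) groups=100(users),12(audio)'
DBG_PLAIN='Drop privileges: pid 1, uid 1000, gid 100, nogroups 0
Supplementary groups: 12'
DBG_OVERLAY='Drop privileges: pid 1, uid 1000, gid 100, nogroups 1
No supplementary groups'

# Report verdicts for the three situations discussed on the page.
for _case in "plain:$ID_PLAIN:$DBG_PLAIN" \
             "overlay:$ID_PLAIN:$DBG_OVERLAY" \
             "overlay+newgrp:$ID_NEWGRP:$DBG_OVERLAY"; do
    _name=${_case%%:*}; _rest=${_case#*:}
    _idout=${_rest%%:*}; _dbgout=${_rest#*:}
    if group_survives "$_idout" "$_dbgout" audio; then
        echo "$_name: audio group reaches the sandbox"
    else
        echo "$_name: audio group is dropped inside the sandbox"
    fi
done
```

To use it on a live system, feed `id` and `firejail --debug <options> id 2>&1` output into group_survives instead of the constructed samples.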