Firejail overlay permissions and ALSA no sound (group error in container/jail)

I'll try to be short and clear. I want to run programs that need ALSA with firejail profiles, but for some reason, possibly related to the overlay and/or groups, they seem to lack the permission or ability to access the sound card.

I have firejail 0.9.64.2, alsa-utils 1.2.4_1, pulseaudio 14.0_3 and the other alsa/pulse emulation packages installed, plus the relevant sound card packages that probably came with the system install. I installed the pulse packages just in case (pulse also makes itself a member of audio). The current situation is that ALSA works fine without firejail, and also works inside firejail under certain conditions, i.e. without the overlay and nogroups options when fiddling with some profiles. However, I need the overlay and filesystem-mount features of many profiles to work properly together with sound. I have added my user to the supplementary group 'audio' and verified it via /etc/group. I checked the ownership of the folder '/dev/snd': the files in it are all owned by root:audio, except the symlink 'path-by' owned by root:root, which links back to ../controlC0. I am hesitant to change its ownership because I don't think it is the problem and it would cause more headaches. However, I did test profiles using the overlay option with programs like mpv, and I got similar error messages, namely that alsa cannot find the sound card. In some of the profiles I tested, the overlay or nogroups option may be what breaks alsa. I did some more informative tests, some of them logged with firejail's trace feature.

$ firejail id
uid=1000(user1) gid=100(users) groups=100(users),12(audio)

Works! It shows the sound group I need. (It doesn't include things like mail or wireshark.)

$ firejail --overlay-tmpfs id
uid=1000(user1) gid=100(users) groups=100(users)

No audio group when using the overlay? This matters because many firejail profiles use the overlay and group restrictions. In my case, my programs go silent because of this. That is my guess.

$ firejail aplay -l && aplay -L

Works! It shows all my cards and PCMs! It also produced the trace log I've pasted below. I assume the /dev/snd/controlC0:5 return is why the device listing succeeds.

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:5
3:aplay:fopen /usr/share/alsa/alsa.conf:0x564afaf56540
3:aplay:access /usr/etc/alsa/conf.d:-1
3:aplay:access /etc/alsa/conf.d:-1
3:aplay:access /etc/asound.conf:0
3:aplay:fopen /etc/asound.conf:0x564afaf56540
3:aplay:access /home/user1/.asoundrc:-1
3:aplay:access /home/user1/.config/alsa/asoundrc:-1
3:aplay:open /dev/snd/controlC0:5
3:aplay:open /dev/snd/controlC1:-1
3:aplay:open /dev/aloadC1:-1
3:aplay:open /dev/snd/controlC2:-1
3:aplay:open /dev/aloadC2:-1
3:aplay:open /dev/snd/controlC3:-1
3:aplay:open /dev/aloadC3:-1

$ firejail --overlay-tmpfs aplay -l && aplay -L

Fails! It only shows the PCMs, no sound cards. It produced the log below.

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:-1
3:aplay:open /dev/aloadC0:-1
3:aplay:open /dev/snd/controlC1:-1
3:aplay:open /dev/aloadC1:-1
3:aplay:open /dev/snd/controlC2:-1
3:aplay:open /dev/aloadC2:-1
3:aplay:open /dev/snd/controlC3:-1
3:aplay:open /dev/aloadC3:-1

$ firejail alsabat-test.sh

It made some sound. Yes, regular video and sound also work in the window manager. It also makes sound in a separate TTY terminal without a graphical window.

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:alsabat-test.sh:exec /usr/bin/bash:0
3:alsabat-test.sh:open /dev/tty:5
3:alsabat-test.sh:open /bin/alsabat-test.sh:5
4:mkdir:exec /usr/bin/mkdir:0
4:mkdir:mkdir tmp:-1
3:alsabat-test.sh:access /usr/share/terminfo/s/st-256color:0
3:alsabat-test.sh:fopen /usr/share/terminfo/s/st-256color:0x556402ad6510
5:alsabat:exec /usr/bin/alsabat:0
5:alsabat:fopen tmp/0.log:0x55b5c9529540
5:alsabat:fopen /usr/share/alsa/alsa.conf:0x7f54bc001c80
5:alsabat:access /usr/etc/alsa/conf.d:-1
5:alsabat:access /etc/alsa/conf.d:-1
5:alsabat:access /etc/asound.conf:0
5:alsabat:fopen /etc/asound.conf:0x7f54bc001c80
5:alsabat:access /home/user1/.asoundrc:-1
5:alsabat:access /home/user1/.config/alsa/asoundrc:-1
5:alsabat:access /usr/lib/alsa-lib:0
5:alsabat:fopen64 /home/user1/.config/pulse/client.conf:0x7f54bc001c80
5:alsabat:access /home/user1/.pulse:-1
5:alsabat:mkdir /home/user1/.config/pulse:-1
5:alsabat:open64 /home/user1/.config/pulse:11
5:alsabat:fopen64 /etc/machine-id:(nil)
5:alsabat:fopen64 /var/lib/dbus/machine-id:0x7f54bc001c80
5:alsabat:mkdir /tmp/pulse-PKdhtXMmr18n:-1
5:alsabat:mkdir /tmp/pulse-2L9K88eMlGn7:0
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /tmp/pulse-2L9K88eMlGn7/native:-1
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /var/run/pulse/native:-1
5:alsabat:fopen /usr/share/alsa/cards/aliases.conf:0x7f54bc001c80
5:alsabat:fopen /usr/share/alsa/pcm/default.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dmix.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dsnoop.conf:0x7f54bc01b3c0
5:alsabat:open /dev/snd/controlC0:7
5:alsabat:open /dev/snd/controlC0:7
5:alsabat:access /usr/share/alsa/cards/HDA-Intel.conf:0
5:alsabat:fopen /usr/share/alsa/cards/HDA-Intel.conf:0x7f54bc001c80
5:alsabat:fopen /usr/share/alsa/pcm/front.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround21.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround40.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround41.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround50.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround51.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround71.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/iec958.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/hdmi.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/modem.conf:0x7f54bc01b3c0
5:alsabat:open /dev/snd/controlC1:-1
5:alsabat:open /dev/aloadC1:-1
5:alsabat:open /dev/snd/controlC2:-1
5:alsabat:open /dev/aloadC2:-1
5:alsabat:open /dev/snd/controlC3:-1
5:alsabat:open /dev/aloadC3:-1

$ firejail --overlay-tmpfs alsabat-test.sh

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:alsabat-test.sh:exec /usr/bin/bash:0
3:alsabat-test.sh:open /dev/tty:5
3:alsabat-test.sh:open /bin/alsabat-test.sh:5
4:mkdir:exec /usr/bin/mkdir:0
4:mkdir:mkdir tmp:-1
3:alsabat-test.sh:access /usr/share/terminfo/s/st-256color:0
3:alsabat-test.sh:fopen /usr/share/terminfo/s/st-256color:0x55a7e137d510
5:alsabat:exec /usr/bin/alsabat:0
5:alsabat:fopen tmp/0.log:0x561c3c323540
5:alsabat:fopen /usr/share/alsa/alsa.conf:0x7f09f0001c80
5:alsabat:access /usr/etc/alsa/conf.d:-1
5:alsabat:access /etc/alsa/conf.d:-1
5:alsabat:access /etc/asound.conf:0
5:alsabat:fopen /etc/asound.conf:0x7f09f0001c80
5:alsabat:access /home/user1/.asoundrc:-1
5:alsabat:access /home/user1/.config/alsa/asoundrc:-1
5:alsabat:access /usr/lib/alsa-lib:0
5:alsabat:fopen64 /home/user1/.config/pulse/client.conf:0x7f09f0001c80
5:alsabat:access /home/user1/.pulse:-1
5:alsabat:mkdir /home/user1/.config/pulse:-1
5:alsabat:open64 /home/user1/.config/pulse:11
5:alsabat:fopen64 /etc/machine-id:(nil)
5:alsabat:fopen64 /var/lib/dbus/machine-id:0x7f09f0001c80
5:alsabat:mkdir /tmp/pulse-PKdhtXMmr18n:-1
5:alsabat:mkdir /tmp/pulse-2L9K88eMlGn7:-1
5:alsabat:mkdir /tmp/pulse-CcctT9RwKSB1:0
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /tmp/pulse-CcctT9RwKSB1/native:-1
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /var/run/pulse/native:-1
5:alsabat:fopen /usr/share/alsa/cards/aliases.conf:0x7f09f0001c80
5:alsabat:fopen /usr/share/alsa/pcm/default.conf:0x7f09f001b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dmix.conf:0x7f09f001b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dsnoop.conf:0x7f09f001b3c0
5:alsabat:open /dev/snd/controlC0:-1
5:alsabat:open /dev/aloadC0:-1
5:alsabat:open /dev/snd/controlC1:-1
5:alsabat:open /dev/aloadC1:-1
5:alsabat:open /dev/snd/controlC2:-1
5:alsabat:open /dev/aloadC2:-1
5:alsabat:open /dev/snd/controlC3:-1
5:alsabat:open /dev/aloadC3:-1

Fails! controlC0:-1 in these logs means it failed. No sound heard! I cut all the logs off at aloadC3 because it just keeps returning -1 errors, more than 30 times, repeating the same iteration.

I tried removing my user from the audio group, rebooting, and doing the aplay -l and firejail overlay tests. Nothing. All it did was completely remove my access to the sound card /dev/snd/. I read on the firejail wiki that some overlay problems occur on newer Linux kernels, so I even tried booting an LTS Linux kernel older than the stated version, but got the same failure. I could try downgrading firejail. I could also downgrade other related audio packages, but I don't want to mess with dependencies and cause unnecessary problems. I could try removing ALSA from the default runit startup and invoking it with bash. But ALSA works fine without firejail, so that is just hopeless guessing. I'm not going any further until I get a good diagnosis from someone more familiar with this than me. Currently no user or entity is using /dev/snd/, so I still assume this is a firejail permission or group problem. Unless the current firejail version has a bug.

Edit:

$ firejail --overlay-tmpfs id

OverlayFS configured in /run/firejail/mnt directory
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 181.47 ms
uid=1000(user1) gid=100(users) groups=100(users)

$ firejail --overlay-tmpfs --allusers id

OverlayFS configured in /run/firejail/mnt directory
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 180.15 ms
uid=1000(user1) gid=100(users) groups=100(users)

The trace log is the same, just with the id binary run.

$ firejail --overlay-tmpfs --allusers aplay -l && aplay -L

aplay -l fails to show the sound cards:

aplay: device_list:274: no soundcards found...

aplay -L successfully lists my PCMs, like the other tests. Despite --allusers, the trace log looks unchanged.

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:-1
3:aplay:open /dev/aloadC0:-1
3:aplay:open /dev/snd/controlC1:-1
3:aplay:open /dev/aloadC1:-1
3:aplay:open /dev/snd/controlC2:-1
3:aplay:open /dev/aloadC2:-1
3:aplay:open /dev/snd/controlC3:-1
3:aplay:open /dev/aloadC3:-1

The overlay just can't get group access to audio or the sound card.

Edit 2 (more tests):

$ firejail --debug id

Autoselecting /bin/bash as shell
Building quoted command line: 'id'
Command name #id#
Attempting to find default.profile...
Found default.profile profile in /etc/firejail directory
Found disable-common.inc profile in /etc/firejail directory
Found disable-passwdmgr.inc profile in /etc/firejail directory
Found disable-programs.inc profile in /etc/firejail directory
Using the local network stack
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
mountid=80 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
mountid=81 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
mountid=82 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
mountid=83 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
mountid=84 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Cannot find /run/user/1000 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/user1/.bash_history
Disable /home/user1/.lesshst
Disable /home/user1/.viminfo
Disable /home/user1/.xinitrc
Disable /etc/xdg/autostart
Mounting read-only /home/user1/.Xauthority
...
Disable /etc/rc.conf
Disable /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /var/mail (requested /var/spool/mail)
Disable /etc/cron.daily
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/kernel.d
Disable /etc/grub.d
Disable /etc/apparmor
Disable /etc/apparmor.d
Mounting read-only /home/user1/.bash_logout
...
Disable /home/user1/.gnupg
Disable /home/user1/.netrc
Disable /home/user1/.pki
Disable /home/user1/.local/share/pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/local/sbin
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /usr/sbin/chage)
Disable /usr/bin/chage (requested /sbin/chage)
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /usr/sbin/chfn)
Disable /usr/bin/chfn (requested /sbin/chfn)
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /usr/sbin/chsh)
Disable /usr/bin/chsh (requested /sbin/chsh)
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /usr/sbin/expiry)
Disable /usr/bin/expiry (requested /sbin/expiry)
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount (requested /usr/sbin/fusermount)
Disable /usr/bin/fusermount (requested /sbin/fusermount)
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /usr/sbin/gpasswd)
Disable /usr/bin/gpasswd (requested /sbin/gpasswd)
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /usr/sbin/mount)
Disable /usr/bin/mount (requested /sbin/mount)
Disable /usr/bin/newgidmap (requested /bin/newgidmap)
Disable /usr/bin/newgidmap
Disable /usr/bin/newgidmap (requested /usr/sbin/newgidmap)
Disable /usr/bin/newgidmap (requested /sbin/newgidmap)
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /usr/sbin/newgrp)
Disable /usr/bin/newgrp (requested /sbin/newgrp)
Disable /usr/bin/newuidmap (requested /bin/newuidmap)
Disable /usr/bin/newuidmap
Disable /usr/bin/newuidmap (requested /usr/sbin/newuidmap)
Disable /usr/bin/newuidmap (requested /sbin/newuidmap)
Disable /usr/bin/sg (requested /bin/sg)
Disable /usr/bin/sg
Disable /usr/bin/sg (requested /usr/sbin/sg)
Disable /usr/bin/sg (requested /sbin/sg)
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/su
Disable /usr/bin/su (requested /usr/sbin/su)
Disable /usr/bin/su (requested /sbin/su)
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /usr/sbin/sudo)
Disable /usr/bin/sudo (requested /sbin/sudo)
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /usr/sbin/umount)
Disable /usr/bin/umount (requested /sbin/umount)
Disable /usr/bin/unix_chkpwd (requested /bin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd
Disable /usr/bin/unix_chkpwd (requested /usr/sbin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd (requested /sbin/unix_chkpwd)
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /usr/sbin/xev)
Disable /usr/bin/xev (requested /sbin/xev)
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /usr/sbin/xinput)
Disable /usr/bin/xinput (requested /sbin/xinput)
Disable /proc/config.gz
Disable
Disable /home/user1/.config/mpv
...
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
...
Current directory: /home/user1
Install protocol filter: unix,inet,inet6
configuring 20 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32
Dual 32/64 bit seccomp filter configured
configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
228 77 0:43 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=228 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             240 ..
-rw-r--r-- user1 users           1072 seccomp
-rw-r--r-- user1 users            808 seccomp.32
-rw-r--r-- user1 users            114 seccomp.list
-rw-r--r-- user1 users              0 seccomp.postexec
-rw-r--r-- user1 users              0 seccomp.postexec32
-rw-r--r-- user1 users            160 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 0
Supplementary groups: 12
Starting application
LD_PRELOAD=(null)
Running 'id'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'id'
uid=1000(user1) gid=100(users) groups=100(users),12(audio)

$ firejail --debug --overlay-tmpfs id

Autoselecting /bin/bash as shell
Building quoted command line: 'id'
Command name #id#
Attempting to find default.profile...
Found default.profile profile in /etc/firejail directory
Found disable-common.inc profile in /etc/firejail directory
Found disable-passwdmgr.inc profile in /etc/firejail directory
Found disable-programs.inc profile in /etc/firejail directory
Using the local network stack
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol
Linux kernel version 5.10
Mounting OverlayFS
DEBUG: chroot dirs are oroot /run/firejail/mnt/oroot  odiff /run/firejail/mnt/odiff  owork /run/firejail/mnt/owork
DEBUG: overlayhome var holds ##/run/firejail/mnt/oroot/home/user1##
Mounting /dev
Mounting /run
Mounting /tmp
Mounting /proc filesystem representing the PID namespace
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Cannot find /run/user/1000 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/user1/.bash_history
Disable /home/user1/.lesshst
Disable /home/user1/.viminfo
Disable /home/user1/.xinitrc
Disable /etc/xdg/autostart
Mounting read-only /home/user1/.Xauthority
...
fstype=overlay
Disable /etc/rc.conf
Disable /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /var/mail (requested /var/spool/mail)
Disable /etc/cron.daily
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/kernel.d
Disable /etc/grub.d
Disable /etc/apparmor
Disable /etc/apparmor.d
Mounting read-only /home/user1/.bash_logout
...
Disable /home/user1/.gnupg
Disable /home/user1/.netrc
Disable /home/user1/.pki
Disable /home/user1/.local/share/pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/local/sbin
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /usr/sbin/chage)
Disable /usr/bin/chage (requested /sbin/chage)
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /usr/sbin/chfn)
Disable /usr/bin/chfn (requested /sbin/chfn)
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /usr/sbin/chsh)
Disable /usr/bin/chsh (requested /sbin/chsh)
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /usr/sbin/expiry)
Disable /usr/bin/expiry (requested /sbin/expiry)
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount (requested /usr/sbin/fusermount)
Disable /usr/bin/fusermount (requested /sbin/fusermount)
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /usr/sbin/gpasswd)
Disable /usr/bin/gpasswd (requested /sbin/gpasswd)
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /usr/sbin/mount)
Disable /usr/bin/mount (requested /sbin/mount)
Disable /usr/bin/newgidmap (requested /bin/newgidmap)
Disable /usr/bin/newgidmap
Disable /usr/bin/newgidmap (requested /usr/sbin/newgidmap)
Disable /usr/bin/newgidmap (requested /sbin/newgidmap)
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /usr/sbin/newgrp)
Disable /usr/bin/newgrp (requested /sbin/newgrp)
Disable /usr/bin/newuidmap (requested /bin/newuidmap)
Disable /usr/bin/newuidmap
Disable /usr/bin/newuidmap (requested /usr/sbin/newuidmap)
Disable /usr/bin/newuidmap (requested /sbin/newuidmap)
Disable /usr/bin/sg (requested /bin/sg)
Disable /usr/bin/sg
Disable /usr/bin/sg (requested /usr/sbin/sg)
Disable /usr/bin/sg (requested /sbin/sg)
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/su
Disable /usr/bin/su (requested /usr/sbin/su)
Disable /usr/bin/su (requested /sbin/su)
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /usr/sbin/sudo)
Disable /usr/bin/sudo (requested /sbin/sudo)
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /usr/sbin/umount)
Disable /usr/bin/umount (requested /sbin/umount)
Disable /usr/bin/unix_chkpwd (requested /bin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd
Disable /usr/bin/unix_chkpwd (requested /usr/sbin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd (requested /sbin/unix_chkpwd)
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /usr/sbin/xev)
Disable /usr/bin/xev (requested /sbin/xev)
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /usr/sbin/xinput)
Disable /usr/bin/xinput (requested /sbin/xinput)
Disable /proc/config.gz
Disable /home/user1/.config/mpv
Disable /home/user1/.config/straw-viewer
Disable /home/user1/.config/torbrowser
Disable /home/user1/.config/youtube-dl
Disable /home/user1/.links
Disable /home/user1/.local/share/torbrowser
Disable /home/user1/.mozilla
Disable /home/user1/.cache/mozilla
Disable /home/user1/.cache/straw-viewer
Disable /home/user1/.cache/torbrowser
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
251 87 0:43 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=251 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/user1/.config/pulse
252 101 0:43 /pulse /home/user1/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=252 fsname=/pulse dir=/home/user1/.config/pulse fstype=tmpfs
Current directory: /home/user1
Install protocol filter: unix,inet,inet6
configuring 20 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol
 line  OP JT JF    K
...
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32
Dual 32/64 bit seccomp filter configured
configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
254 87 0:43 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=254 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             300 ..
-rw-r--r-- user1 users           1072 seccomp
-rw-r--r-- user1 users            808 seccomp.32
-rw-r--r-- user1 users            114 seccomp.list
-rw-r--r-- user1 users              0 seccomp.postexec
-rw-r--r-- user1 users              0 seccomp.postexec32
-rw-r--r-- user1 users            160 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 1
No supplementary groups
Starting application
LD_PRELOAD=(null)
Running 'id'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'id'
uid=1000(user1) gid=100(users) groups=100(users)

I got some important related debug info, removing some personal details and staying within the character limit here. I'm just a UNIX newbie, so I'm not sure how to use this info to fix overlay and audio group access. This should be my last piece of info.

Answer 1

You can select which group firejail uses by changing your effective group ID.

firejail creates a user namespace in which only the currently effective user and group exist (plus system users like root and nobody). You need to make the audio group your effective group ID (rather than one of the several groups your user belongs to):

 $ newgrp audio
 $ id
 uid=1000(user1) gid=12(audio) groups=......
 $ firejail program-that-needs-the-audio-group

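Added diagnostic helpers (example code, not part of the original question or answer) that parse the `id`, `firejail --trace` and `firejail --debug` output pasted above: they tell a kept effective group from a dropped supplementary one and check whether /dev/snd/controlC0 actually opened. The sample lines are constructed from the outputs quoted in the thread; the `gid=12(audio)` line assumes the `newgrp audio` step from the answer was taken.

```shell
#!/bin/sh
# Added diagnostic helpers, not code from the original question or answer.
# They parse the output pasted above (`id` lines, `firejail --trace` lines and
# the `firejail --debug` privilege line) so "is the audio group still there?"
# and "did the ALSA control device open?" can be answered mechanically.

# Print the name of the effective group from a line like
# "uid=1000(user1) gid=100(users) groups=100(users),12(audio)".
effective_gid_name() {
    printf '%s\n' "$1" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p'
}

# Exit 0 when <group> appears anywhere in the groups= list of an `id` line.
has_group() {
    printf '%s\n' "$1" | sed -n 's/.*groups=\(.*\)$/\1/p' | tr ',' '\n' \
        | grep -q "($2)\$"
}

# Classify <group> for the `id` line in $1, following the answer above:
#   effective     - it is the gid, which the sandbox keeps
#   supplementary - only listed in groups=, which overlay/nogroups drops
#   absent        - not present in this `id` output at all
group_status() {
    if [ "$(effective_gid_name "$1")" = "$2" ]; then
        echo effective
    elif has_group "$1" "$2"; then
        echo supplementary
    else
        echo absent
    fi
}

# From `firejail --trace` output ("pid:prog:op path:result") print
# "path fd" for every open() of a /dev/snd device.
snd_opens() {
    printf '%s\n' "$1" | awk -F: '
        $3 ~ /^open(64)? \/dev\/snd\// { sub(/^open(64)? /, "", $3); print $3, $4 }'
}

# Exit 0 when some open() of <device> returned a real fd (>= 0). aplay probes
# controlC1..C3 as well and their -1 results are normal when those cards do
# not exist; the meaningful check is whether controlC0 opened.
device_opened() {
    snd_opens "$1" | awk -v dev="$2" '$1 == dev && $2 >= 0 { found = 1 }
        END { exit !found }'
}

# From `firejail --debug` output print N from "Drop privileges: ... nogroups N"
# (1 means supplementary groups were dropped, as in the overlay run above).
nogroups_flag() {
    printf '%s\n' "$1" | sed -n 's/.*nogroups \([01]\).*/\1/p'
}

# --- constructed samples, copied from the outputs quoted in the question;
# --- ID_NEWGRP assumes the `newgrp audio` step from the answer was taken.
ID_PLAIN='uid=1000(user1) gid=100(users) groups=100(users),12(audio)'
ID_OVERLAY='uid=1000(user1) gid=100(users) groups=100(users)'
ID_NEWGRP='uid=1000(user1) gid=12(audio) groups=100(users),12(audio)'
TRACE_PLAIN='3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:5
3:aplay:fopen /etc/asound.conf:0x564afaf56540
3:aplay:open /dev/snd/controlC1:-1'
TRACE_OVERLAY='3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:-1
3:aplay:open /dev/aloadC0:-1
3:aplay:open /dev/snd/controlC1:-1'
DEBUG_OVERLAY='Drop privileges: pid 1, uid 1000, gid 100, nogroups 1
No supplementary groups'

# Short report when the script is run directly.
for line in "$ID_PLAIN" "$ID_OVERLAY" "$ID_NEWGRP"; do
    printf '%s\n  -> audio is %s\n' "$line" "$(group_status "$line" audio)"
done
echo "plain controlC0 opened:   $(device_opened "$TRACE_PLAIN" /dev/snd/controlC0 && echo yes || echo no)"
echo "overlay controlC0 opened: $(device_opened "$TRACE_OVERLAY" /dev/snd/controlC0 && echo yes || echo no)"
echo "overlay nogroups flag: $(nogroups_flag "$DEBUG_OVERLAY")"
```

Feed real output to the same functions (for example `group_status "$(firejail --overlay-tmpfs id)" audio`) to see which of the three states a given profile leaves you in.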
