Firejail overlay permissions and no ALSA sound (group error in the container/jail)

I'll try to be concise and clear. I want to run programs that need ALSA and Firejail profiles, but for some reason related to overlay and/or groups they may lack the permission or ability to access the sound card.

I have Firejail 0.9.64.2, alsa-utils 1.2.4_1, pulseaudio 14.0_3 and other alsa/pulse emulation packages installed, as well as the related sound card packages that may come with the system install. I installed the pulse packages just in case (pulse also made itself a member of audio). As it stands, ALSA works fine without Firejail, and it also works under certain conditions inside Firejail, i.e. when manipulating certain config files without the overlay and nogroups options. However, many config files need the overlay and filesystem-mount capabilities to work properly with sound. I added my user to the supplementary group "audio" and verified it via /etc/group. I checked the ownership of the '/dev/snd' folder; all files in it are owned by root:audio, except for the root:root-owned symlink 'by-path' that links back to ../controlC0. I'm hesitant to change ownership, since I don't think that's the problem and it would only cause more headaches. However, I tested config files with programs like mpv that include the overlay option and got similar error messages saying alsa could not find the sound card. In some of the config files I tested, the overlay or nogroups option could break alsa. I ran some more informative tests, some of which use Firejail's trace logging feature.

$ firejail id
uid=1000(user1) gid=100(users) groups=100(users),12(audio)

Works! Shows me the audio group I need. (Doesn't include things like mail or Wireshark.)

$ firejail --overlay-tmpfs id
uid=1000(user1) gid=100(users) groups=100(users)

No audio group when using the overlay? This matters because many Firejail profiles use the overlay and group restrictions. In my case this issue is what made the programs go silent. That's my guess.

$ firejail aplay -l && aplay -L

Works! Shows all my cards and PCMs! It also produces the trace log given below. I assume the /dev/snd/controlC0:5 return is why the device listing succeeded.

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:5
3:aplay:fopen /usr/share/alsa/alsa.conf:0x564afaf56540
3:aplay:access /usr/etc/alsa/conf.d:-1
3:aplay:access /etc/alsa/conf.d:-1
3:aplay:access /etc/asound.conf:0
3:aplay:fopen /etc/asound.conf:0x564afaf56540
3:aplay:access /home/user1/.asoundrc:-1
3:aplay:access /home/user1/.config/alsa/asoundrc:-1
3:aplay:open /dev/snd/controlC0:5
3:aplay:open /dev/snd/controlC1:-1
3:aplay:open /dev/aloadC1:-1
3:aplay:open /dev/snd/controlC2:-1
3:aplay:open /dev/aloadC2:-1
3:aplay:open /dev/snd/controlC3:-1
3:aplay:open /dev/aloadC3:-1

$ firejail --overlay-tmpfs aplay -l && aplay -L

Fails! No sound card, only the PCMs are shown. The following log was produced.

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:-1
3:aplay:open /dev/aloadC0:-1
3:aplay:open /dev/snd/controlC1:-1
3:aplay:open /dev/aloadC1:-1
3:aplay:open /dev/snd/controlC2:-1
3:aplay:open /dev/aloadC2:-1
3:aplay:open /dev/snd/controlC3:-1
3:aplay:open /dev/aloadC3:-1

$ firejail alsabat-test.sh

Made some noise. Yes, normal video and sound also work in the window manager. I can also produce sound from a separate TTY terminal without a graphical window.

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:alsabat-test.sh:exec /usr/bin/bash:0
3:alsabat-test.sh:open /dev/tty:5
3:alsabat-test.sh:open /bin/alsabat-test.sh:5
4:mkdir:exec /usr/bin/mkdir:0
4:mkdir:mkdir tmp:-1
3:alsabat-test.sh:access /usr/share/terminfo/s/st-256color:0
3:alsabat-test.sh:fopen /usr/share/terminfo/s/st-256color:0x556402ad6510
5:alsabat:exec /usr/bin/alsabat:0
5:alsabat:fopen tmp/0.log:0x55b5c9529540
5:alsabat:fopen /usr/share/alsa/alsa.conf:0x7f54bc001c80
5:alsabat:access /usr/etc/alsa/conf.d:-1
5:alsabat:access /etc/alsa/conf.d:-1
5:alsabat:access /etc/asound.conf:0
5:alsabat:fopen /etc/asound.conf:0x7f54bc001c80
5:alsabat:access /home/user1/.asoundrc:-1
5:alsabat:access /home/user1/.config/alsa/asoundrc:-1
5:alsabat:access /usr/lib/alsa-lib:0
5:alsabat:fopen64 /home/user1/.config/pulse/client.conf:0x7f54bc001c80
5:alsabat:access /home/user1/.pulse:-1
5:alsabat:mkdir /home/user1/.config/pulse:-1
5:alsabat:open64 /home/user1/.config/pulse:11
5:alsabat:fopen64 /etc/machine-id:(nil)
5:alsabat:fopen64 /var/lib/dbus/machine-id:0x7f54bc001c80
5:alsabat:mkdir /tmp/pulse-PKdhtXMmr18n:-1
5:alsabat:mkdir /tmp/pulse-2L9K88eMlGn7:0
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /tmp/pulse-2L9K88eMlGn7/native:-1
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /var/run/pulse/native:-1
5:alsabat:fopen /usr/share/alsa/cards/aliases.conf:0x7f54bc001c80
5:alsabat:fopen /usr/share/alsa/pcm/default.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dmix.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dsnoop.conf:0x7f54bc01b3c0
5:alsabat:open /dev/snd/controlC0:7
5:alsabat:open /dev/snd/controlC0:7
5:alsabat:access /usr/share/alsa/cards/HDA-Intel.conf:0
5:alsabat:fopen /usr/share/alsa/cards/HDA-Intel.conf:0x7f54bc001c80
5:alsabat:fopen /usr/share/alsa/pcm/front.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround21.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround40.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround41.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround50.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround51.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/surround71.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/iec958.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/hdmi.conf:0x7f54bc01b3c0
5:alsabat:fopen /usr/share/alsa/pcm/modem.conf:0x7f54bc01b3c0
5:alsabat:open /dev/snd/controlC1:-1
5:alsabat:open /dev/aloadC1:-1
5:alsabat:open /dev/snd/controlC2:-1
5:alsabat:open /dev/aloadC2:-1
5:alsabat:open /dev/snd/controlC3:-1
5:alsabat:open /dev/aloadC3:-1

$ firejail --overlay-tmpfs alsabat-test.sh

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:alsabat-test.sh:exec /usr/bin/bash:0
3:alsabat-test.sh:open /dev/tty:5
3:alsabat-test.sh:open /bin/alsabat-test.sh:5
4:mkdir:exec /usr/bin/mkdir:0
4:mkdir:mkdir tmp:-1
3:alsabat-test.sh:access /usr/share/terminfo/s/st-256color:0
3:alsabat-test.sh:fopen /usr/share/terminfo/s/st-256color:0x55a7e137d510
5:alsabat:exec /usr/bin/alsabat:0
5:alsabat:fopen tmp/0.log:0x561c3c323540
5:alsabat:fopen /usr/share/alsa/alsa.conf:0x7f09f0001c80
5:alsabat:access /usr/etc/alsa/conf.d:-1
5:alsabat:access /etc/alsa/conf.d:-1
5:alsabat:access /etc/asound.conf:0
5:alsabat:fopen /etc/asound.conf:0x7f09f0001c80
5:alsabat:access /home/user1/.asoundrc:-1
5:alsabat:access /home/user1/.config/alsa/asoundrc:-1
5:alsabat:access /usr/lib/alsa-lib:0
5:alsabat:fopen64 /home/user1/.config/pulse/client.conf:0x7f09f0001c80
5:alsabat:access /home/user1/.pulse:-1
5:alsabat:mkdir /home/user1/.config/pulse:-1
5:alsabat:open64 /home/user1/.config/pulse:11
5:alsabat:fopen64 /etc/machine-id:(nil)
5:alsabat:fopen64 /var/lib/dbus/machine-id:0x7f09f0001c80
5:alsabat:mkdir /tmp/pulse-PKdhtXMmr18n:-1
5:alsabat:mkdir /tmp/pulse-2L9K88eMlGn7:-1
5:alsabat:mkdir /tmp/pulse-CcctT9RwKSB1:0
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /tmp/pulse-CcctT9RwKSB1/native:-1
5:alsabat:socket AF_LOCAL SOCK_STREAM 0:11
5:alsabat:connect 11 /var/run/pulse/native:-1
5:alsabat:fopen /usr/share/alsa/cards/aliases.conf:0x7f09f0001c80
5:alsabat:fopen /usr/share/alsa/pcm/default.conf:0x7f09f001b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dmix.conf:0x7f09f001b3c0
5:alsabat:fopen /usr/share/alsa/pcm/dsnoop.conf:0x7f09f001b3c0
5:alsabat:open /dev/snd/controlC0:-1
5:alsabat:open /dev/aloadC0:-1
5:alsabat:open /dev/snd/controlC1:-1
5:alsabat:open /dev/aloadC1:-1
5:alsabat:open /dev/snd/controlC2:-1
5:alsabat:open /dev/aloadC2:-1
5:alsabat:open /dev/snd/controlC3:-1
5:alsabat:open /dev/aloadC3:-1

Fails! The controlC0:-1 in this log means it failed. No sound was heard! I cut all the logs off at aloadC3 because it kept returning -1 errors more than 30 times while repeating the same iteration.

I tried removing the user from the audio group, rebooting, and running aplay -l and the firejail overlay tests. Nothing. All that did was remove access to /dev/snd/ for the sound card entirely. I read on the Firejail wiki that there are some overlay issues with recent Linux kernels, so I tried booting an LTS Linux kernel from before that version, but got the same defect. I could try downgrading Firejail. I could also downgrade other related audio packages, but I don't want to mess up dependencies and create unnecessary problems. I could remove ALSA from the default runit startup and invoke it with bash. But since ALSA works fine without Firejail, that's just a desperate guess. I won't go any further until I get a good diagnosis from someone who knows better than I do. Since no user or entity is currently using /dev/snd/, I still assume this is a Firejail permission issue or a group issue, unless there's a bug in the current Firejail version.

Edit:

$ firejail --overlay-tmpfs id

OverlayFS configured in /run/firejail/mnt directory
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 181.47 ms
uid=1000(user1) gid=100(users) groups=100(users)

$ firejail --overlay-tmpfs --allusers id

OverlayFS configured in /run/firejail/mnt directory
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized in 180.15 ms
uid=1000(user1) gid=100(users) groups=100(users)

The trace logs are identical; only the id binary is executed.

$ firejail --overlay-tmpfs --allusers aplay -l && aplay -L

aplay -l cannot show the sound card:

aplay: device_list:274: no soundcards found...

aplay -L successfully lists my PCMs, as in the other tests. With --allusers the trace log appears unchanged.

3:bash:exec /usr/bin/bash:0
3:bash:open /dev/tty:4
3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:-1
3:aplay:open /dev/aloadC0:-1
3:aplay:open /dev/snd/controlC1:-1
3:aplay:open /dev/aloadC1:-1
3:aplay:open /dev/snd/controlC2:-1
3:aplay:open /dev/aloadC2:-1
3:aplay:open /dev/snd/controlC3:-1
3:aplay:open /dev/aloadC3:-1

The overlay cannot get group access to audio or the sound card.

Edit 2 (additional tests):

$ firejail --debug id

Autoselecting /bin/bash as shell
Building quoted command line: 'id'
Command name #id#
Attempting to find default.profile...
Found default.profile profile in /etc/firejail directory
Found disable-common.inc profile in /etc/firejail directory
Found disable-passwdmgr.inc profile in /etc/firejail directory
Found disable-programs.inc profile in /etc/firejail directory
Using the local network stack
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
mountid=80 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
mountid=81 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
mountid=82 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
mountid=83 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
mountid=84 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Cannot find /run/user/1000 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/user1/.bash_history
Disable /home/user1/.lesshst
Disable /home/user1/.viminfo
Disable /home/user1/.xinitrc
Disable /etc/xdg/autostart
Mounting read-only /home/user1/.Xauthority
...
Disable /etc/rc.conf
Disable /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /var/mail (requested /var/spool/mail)
Disable /etc/cron.daily
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/kernel.d
Disable /etc/grub.d
Disable /etc/apparmor
Disable /etc/apparmor.d
Mounting read-only /home/user1/.bash_logout
...
Disable /home/user1/.gnupg
Disable /home/user1/.netrc
Disable /home/user1/.pki
Disable /home/user1/.local/share/pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/local/sbin
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /usr/sbin/chage)
Disable /usr/bin/chage (requested /sbin/chage)
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /usr/sbin/chfn)
Disable /usr/bin/chfn (requested /sbin/chfn)
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /usr/sbin/chsh)
Disable /usr/bin/chsh (requested /sbin/chsh)
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /usr/sbin/expiry)
Disable /usr/bin/expiry (requested /sbin/expiry)
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount (requested /usr/sbin/fusermount)
Disable /usr/bin/fusermount (requested /sbin/fusermount)
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /usr/sbin/gpasswd)
Disable /usr/bin/gpasswd (requested /sbin/gpasswd)
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /usr/sbin/mount)
Disable /usr/bin/mount (requested /sbin/mount)
Disable /usr/bin/newgidmap (requested /bin/newgidmap)
Disable /usr/bin/newgidmap
Disable /usr/bin/newgidmap (requested /usr/sbin/newgidmap)
Disable /usr/bin/newgidmap (requested /sbin/newgidmap)
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /usr/sbin/newgrp)
Disable /usr/bin/newgrp (requested /sbin/newgrp)
Disable /usr/bin/newuidmap (requested /bin/newuidmap)
Disable /usr/bin/newuidmap
Disable /usr/bin/newuidmap (requested /usr/sbin/newuidmap)
Disable /usr/bin/newuidmap (requested /sbin/newuidmap)
Disable /usr/bin/sg (requested /bin/sg)
Disable /usr/bin/sg
Disable /usr/bin/sg (requested /usr/sbin/sg)
Disable /usr/bin/sg (requested /sbin/sg)
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/su
Disable /usr/bin/su (requested /usr/sbin/su)
Disable /usr/bin/su (requested /sbin/su)
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /usr/sbin/sudo)
Disable /usr/bin/sudo (requested /sbin/sudo)
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /usr/sbin/umount)
Disable /usr/bin/umount (requested /sbin/umount)
Disable /usr/bin/unix_chkpwd (requested /bin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd
Disable /usr/bin/unix_chkpwd (requested /usr/sbin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd (requested /sbin/unix_chkpwd)
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /usr/sbin/xev)
Disable /usr/bin/xev (requested /sbin/xev)
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /usr/sbin/xinput)
Disable /usr/bin/xinput (requested /sbin/xinput)
Disable /proc/config.gz
Disable
Disable /home/user1/.config/mpv
...
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
...
Current directory: /home/user1
Install protocol filter: unix,inet,inet6
configuring 20 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32
Dual 32/64 bit seccomp filter configured
configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
228 77 0:43 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=228 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             240 ..
-rw-r--r-- user1 users           1072 seccomp
-rw-r--r-- user1 users            808 seccomp.32
-rw-r--r-- user1 users            114 seccomp.list
-rw-r--r-- user1 users              0 seccomp.postexec
-rw-r--r-- user1 users              0 seccomp.postexec32
-rw-r--r-- user1 users            160 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 0
Supplementary groups: 12
Starting application
LD_PRELOAD=(null)
Running 'id'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'id'
uid=1000(user1) gid=100(users) groups=100(users),12(audio)

$ firejail --debug --overlay-tmpfs id

Autoselecting /bin/bash as shell
Building quoted command line: 'id'
Command name #id#
Attempting to find default.profile...
Found default.profile profile in /etc/firejail directory
Found disable-common.inc profile in /etc/firejail directory
Found disable-passwdmgr.inc profile in /etc/firejail directory
Found disable-programs.inc profile in /etc/firejail directory
Using the local network stack
Using the local network stack
Initializing child process
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Build protocol filter: unix,inet,inet6
sbox run: /run/firejail/lib/fseccomp protocol build unix,inet,inet6 /run/firejail/mnt/seccomp/seccomp.protocol
Linux kernel version 5.10
Mounting OverlayFS
DEBUG: chroot dirs are oroot /run/firejail/mnt/oroot  odiff /run/firejail/mnt/odiff  owork /run/firejail/mnt/owork
DEBUG: overlayhome var holds ##/run/firejail/mnt/oroot/home/user1##
Mounting /dev
Mounting /run
Mounting /tmp
Mounting /proc filesystem representing the PID namespace
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Cannot find /run/user/1000 directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
Disable /run/firejail/appimage
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/user1/.bash_history
Disable /home/user1/.lesshst
Disable /home/user1/.viminfo
Disable /home/user1/.xinitrc
Disable /etc/xdg/autostart
Mounting read-only /home/user1/.Xauthority
...
fstype=overlay
Disable /etc/rc.conf
Disable /var/mail
Disable /var/opt
Disable /run/acpid.socket (requested /var/run/acpid.socket)
Disable /var/mail (requested /var/spool/mail)
Disable /etc/cron.daily
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/kernel.d
Disable /etc/grub.d
Disable /etc/apparmor
Disable /etc/apparmor.d
Mounting read-only /home/user1/.bash_logout
...
Disable /home/user1/.gnupg
Disable /home/user1/.netrc
Disable /home/user1/.pki
Disable /home/user1/.local/share/pki
Disable /etc/group-
Disable /etc/gshadow
Disable /etc/gshadow-
Disable /etc/passwd-
Disable /etc/shadow
Disable /etc/shadow-
Disable /etc/ssh
Disable /usr/local/sbin
Disable /usr/bin/chage (requested /bin/chage)
Disable /usr/bin/chage
Disable /usr/bin/chage (requested /usr/sbin/chage)
Disable /usr/bin/chage (requested /sbin/chage)
Disable /usr/bin/chfn (requested /bin/chfn)
Disable /usr/bin/chfn
Disable /usr/bin/chfn (requested /usr/sbin/chfn)
Disable /usr/bin/chfn (requested /sbin/chfn)
Disable /usr/bin/chsh (requested /bin/chsh)
Disable /usr/bin/chsh
Disable /usr/bin/chsh (requested /usr/sbin/chsh)
Disable /usr/bin/chsh (requested /sbin/chsh)
Disable /usr/bin/expiry (requested /bin/expiry)
Disable /usr/bin/expiry
Disable /usr/bin/expiry (requested /usr/sbin/expiry)
Disable /usr/bin/expiry (requested /sbin/expiry)
Disable /usr/bin/fusermount (requested /bin/fusermount)
Disable /usr/bin/fusermount
Disable /usr/bin/fusermount (requested /usr/sbin/fusermount)
Disable /usr/bin/fusermount (requested /sbin/fusermount)
Disable /usr/bin/gpasswd (requested /bin/gpasswd)
Disable /usr/bin/gpasswd
Disable /usr/bin/gpasswd (requested /usr/sbin/gpasswd)
Disable /usr/bin/gpasswd (requested /sbin/gpasswd)
Disable /usr/bin/mount (requested /bin/mount)
Disable /usr/bin/mount
Disable /usr/bin/mount (requested /usr/sbin/mount)
Disable /usr/bin/mount (requested /sbin/mount)
Disable /usr/bin/newgidmap (requested /bin/newgidmap)
Disable /usr/bin/newgidmap
Disable /usr/bin/newgidmap (requested /usr/sbin/newgidmap)
Disable /usr/bin/newgidmap (requested /sbin/newgidmap)
Disable /usr/bin/newgrp (requested /bin/newgrp)
Disable /usr/bin/newgrp
Disable /usr/bin/newgrp (requested /usr/sbin/newgrp)
Disable /usr/bin/newgrp (requested /sbin/newgrp)
Disable /usr/bin/newuidmap (requested /bin/newuidmap)
Disable /usr/bin/newuidmap
Disable /usr/bin/newuidmap (requested /usr/sbin/newuidmap)
Disable /usr/bin/newuidmap (requested /sbin/newuidmap)
Disable /usr/bin/sg (requested /bin/sg)
Disable /usr/bin/sg
Disable /usr/bin/sg (requested /usr/sbin/sg)
Disable /usr/bin/sg (requested /sbin/sg)
Disable /usr/bin/su (requested /bin/su)
Disable /usr/bin/su
Disable /usr/bin/su (requested /usr/sbin/su)
Disable /usr/bin/su (requested /sbin/su)
Disable /usr/bin/sudo (requested /bin/sudo)
Disable /usr/bin/sudo
Disable /usr/bin/sudo (requested /usr/sbin/sudo)
Disable /usr/bin/sudo (requested /sbin/sudo)
Disable /usr/bin/umount (requested /bin/umount)
Disable /usr/bin/umount
Disable /usr/bin/umount (requested /usr/sbin/umount)
Disable /usr/bin/umount (requested /sbin/umount)
Disable /usr/bin/unix_chkpwd (requested /bin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd
Disable /usr/bin/unix_chkpwd (requested /usr/sbin/unix_chkpwd)
Disable /usr/bin/unix_chkpwd (requested /sbin/unix_chkpwd)
Disable /usr/bin/xev (requested /bin/xev)
Disable /usr/bin/xev
Disable /usr/bin/xev (requested /usr/sbin/xev)
Disable /usr/bin/xev (requested /sbin/xev)
Disable /usr/bin/xinput (requested /bin/xinput)
Disable /usr/bin/xinput
Disable /usr/bin/xinput (requested /usr/sbin/xinput)
Disable /usr/bin/xinput (requested /sbin/xinput)
Disable /proc/config.gz
Disable /home/user1/.config/mpv
Disable /home/user1/.config/straw-viewer
Disable /home/user1/.config/torbrowser
Disable /home/user1/.config/youtube-dl
Disable /home/user1/.links
Disable /home/user1/.local/share/torbrowser
Disable /home/user1/.mozilla
Disable /home/user1/.cache/mozilla
Disable /home/user1/.cache/straw-viewer
Disable /home/user1/.cache/torbrowser
Disable /sys/fs
Disable /sys/module
Mounting noexec /run/firejail/mnt/pulse
251 87 0:43 /pulse /run/firejail/mnt/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=251 fsname=/pulse dir=/run/firejail/mnt/pulse fstype=tmpfs
Mounting /run/firejail/mnt/pulse on /home/user1/.config/pulse
252 101 0:43 /pulse /home/user1/.config/pulse rw,nosuid,nodev,noexec - tmpfs tmpfs rw,mode=755,inode64
mountid=252 fsname=/pulse dir=/home/user1/.config/pulse fstype=tmpfs
Current directory: /home/user1
Install protocol filter: unix,inet,inet6
configuring 20 seccomp entries in /run/firejail/mnt/seccomp/seccomp.protocol
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.protocol
line  OP JT JF    K
...
configuring 101 seccomp entries in /run/firejail/mnt/seccomp/seccomp.32
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp.32
Dual 32/64 bit seccomp filter configured
configuring 134 seccomp entries in /run/firejail/mnt/seccomp/seccomp
sbox run: /usr/lib64/firejail/fsec-print /run/firejail/mnt/seccomp/seccomp
seccomp filter configured
Mounting read-only /run/firejail/mnt/seccomp
254 87 0:43 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=254 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             160 .
drwxr-xr-x root     root             300 ..
-rw-r--r-- user1 users           1072 seccomp
-rw-r--r-- user1 users            808 seccomp.32
-rw-r--r-- user1 users            114 seccomp.list
-rw-r--r-- user1 users              0 seccomp.postexec
-rw-r--r-- user1 users              0 seccomp.postexec32
-rw-r--r-- user1 users            160 seccomp.protocol
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 100, nogroups 1
No supplementary groups
Starting application
LD_PRELOAD=(null)
Running 'id'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'id'
uid=1000(user1) gid=100(users) groups=100(users)

I got some important related debugging info, removed some personal information, and stayed within the character limit here. I'm new to UNIX, so I'm not sure how to use this information to fix the overlay and audio group access. This will be my last message.

Answer 1

You can choose which group firejail uses by changing your effective group ID.

firejail creates a user namespace in which only the current effective user and group (and system users such as root and nobody) exist. You need to make the audio group your effective group ID (not just one of the several groups the user belongs to).

$ newgrp audio
$ id
uid=1000(user1) gid=12(audio) groups=......
$ firejail program-that-needs-the-audio-group

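Added example, not part of the original question or answer: a POSIX shell helper that applies the two points above. The --debug output in the question shows that --overlay-tmpfs implies nogroups ("Drop privileges: ... nogroups 1", "No supplementary groups"), so only the effective gid survives; the first function reads an `id` line and reports whether audio is effective, merely supplementary, or absent. The second scans a Firejail --trace log (format `pid:process:syscall path:result`) for /dev/snd and /dev/aload* opens that returned -1, so "no soundcards found" can be tied to a failed device open. The sample id lines and trace lines are constructed from the formats shown on this page.

```shell
#!/bin/sh
# Added example (not the original post's code). Checks for the
# "--overlay-tmpfs drops supplementary groups" problem discussed above.

# audio_group_status ID_LINE
#   Prints "effective" (gid=...(audio), survives nogroups), "supplementary"
#   (audio only in groups=..., dropped by nogroups) or "absent".
#   Return code: 0 / 1 / 2 respectively.
audio_group_status() {
    id_line=$1
    gid_field=${id_line#*gid=}      # drop everything up to "gid="
    gid_field=${gid_field%% *}      # keep only the gid=NNN(name) token
    case "$gid_field" in
        *"(audio)"*) echo effective; return 0 ;;
    esac
    case "${id_line#*groups=}" in
        *"(audio)"*) echo supplementary; return 1 ;;
    esac
    echo absent; return 2
}

# snd_open_failures TRACE_TEXT
#   Prints one path per line for every open/open64 of /dev/snd/* or
#   /dev/aload* whose trace result field is -1.
snd_open_failures() {
    printf '%s\n' "$1" | awk -F: '
        $3 ~ /^open(64)? \/dev\/(snd\/|aload)/ && $NF == "-1" {
            sub(/^open(64)? /, "", $3); print $3
        }'
}

# Constructed sample data in the formats shown on this page.
ID_PLAIN='uid=1000(user1) gid=100(users) groups=100(users),12(audio)'
ID_NEWGRP='uid=1000(user1) gid=12(audio) groups=100(users),12(audio)'
TRACE_OVERLAY='3:aplay:exec /usr/bin/aplay:0
3:aplay:open /dev/snd/controlC0:-1
3:aplay:open /dev/aloadC0:-1
3:aplay:open /dev/snd/controlC1:-1'
TRACE_PLAIN='3:aplay:open /dev/snd/controlC0:5
3:aplay:open /dev/snd/controlC1:-1'

# Demo: run the checks on the samples (|| true keeps set -e callers happy).
s=$(audio_group_status "$ID_PLAIN") || true
echo "before newgrp: audio is $s"
s=$(audio_group_status "$ID_NEWGRP") || true
echo "after newgrp:  audio is $s"
echo "failed device opens under --overlay-tmpfs:"
snd_open_failures "$TRACE_OVERLAY"
```

If the status is "supplementary", run `newgrp audio` (as the answer shows) before `firejail --overlay-tmpfs ...`; a failed `/dev/snd/controlC0` open in the trace is the symptom that should disappear afterwards.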