Your message dated Sun, 16 Oct 2016 22:22:37 +0000
with message-id <e1bvtpf-0005fq...@franck.debian.org>
and subject line Bug#839868: fixed in firejail 0.9.44~rc1-1
has caused the Debian Bug report #839868,
regarding firejail: running steam in firejail causes segfault
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
839868: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=839868
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: firejail
Version: 0.9.42-1
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
It seems to be that after the latest nvidia-driver update to 367.44-2, steam no
longer runs in firejail.  It previously worked without issue.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
Launching from terminal gives me this:

xxxx@titanV:~$ firejail --debug steam
Autoselecting /bin/bash as shell
Command name #steam#
Found steam profile in /etc/firejail directory
Reading profile /etc/firejail/steam.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
DISPLAY :1, 1
Using the local network stack
Parent pid 8220, child pid 8221
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/fs
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/timer_stats
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/xxxx/.bash_history
Mounting read-only /home/xxxx/.local/share/applications
Disable /home/xxxx/.config/autostart
Disable /etc/xdg/autostart
Disable /etc/X11/Xsession.d
Disable /var/spool/cron
Disable /var/spool/anacron
Disable /run/minissdpd.sock
Disable /run/rpcbind.sock
Disable /etc/cron.d
Disable /etc/cron.hourly
Disable /etc/cron.daily
Disable /etc/cron.weekly
Disable /etc/cron.monthly
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/anacrontab
Mounting read-only /home/xxxx/.profile
Mounting read-only /home/xxxx/.bashrc
Mounting read-only /home/xxxx/.bash_logout
Mounting read-only /home/xxxx/.profile
Mounting read-only /home/xxxx/.reportbugrc
Disable /home/xxxx/.ssh
Disable /home/xxxx/.gnupg
Disable /etc/shadow
Disable /etc/gshadow
Disable /etc/passwd-
Disable /etc/group-
Disable /etc/shadow-
Disable /etc/gshadow-
Disable /etc/ssh
Disable /bin/umount
Disable /bin/mount
Disable /bin/fusermount
Disable /bin/su
Disable /usr/bin/sudo
Disable /usr/bin/xev
Disable /bin/nc.traditional
Disable /usr/bin/ncat
Disable /sbin
Disable /usr/sbin
Disable /usr/local/sbin
Disable /usr/bin/gnome-terminal
Disable /usr/bin/gnome-terminal.wrapper
Disable /home/xxxx/.config/libreoffice
Disable /home/xxxx/.mozilla
Disable /home/xxxx/.config/chromium
Not blacklist /home/xxxx/.steam
Disable /home/xxxx/.cache/mozilla
Disable /home/xxxx/.cache/chromium
Not blacklist /home/xxxx/.local/share/steam
Disable /tmp/ssh-oNRep5al0P30
Disable /usr/include
Disable /usr/lib/gcc
Disable /usr/bin/gcc-4.8
Disable /usr/bin/x86_64-linux-gnu-gcc-6
Disable /usr/bin/gcc-nm-4.8
Disable /usr/bin/gcc-ar-5
Disable /usr/bin/x86_64-linux-gnu-gcc-6
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-6
Disable /usr/bin/gcc-ranlib-5
Disable /usr/bin/gcc-ar-4.8
Disable /usr/bin/gcc-ranlib-4.9
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-6
Disable /usr/bin/gcc-nm-4.9
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-6
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-6
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-6
Disable /usr/bin/gcc-ar-4.9
Disable /usr/bin/gcc-nm-5
Disable /usr/bin/gcc-5
Disable /usr/bin/gcc-4.9
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-6
Disable /usr/bin/gcc-ranlib-4.8
Disable /usr/bin/x86_64-linux-gnu-cpp-6
Disable /usr/bin/cpp-4.8
Disable /usr/bin/x86_64-linux-gnu-cpp-6
Disable /usr/bin/cpp-5
Disable /usr/bin/cpp-4.9
Disable /usr/bin/c99-gcc
Disable /usr/bin/c99-gcc
Disable /usr/bin/c89-gcc
Disable /usr/bin/c89-gcc
Disable /usr/bin/x86_64-linux-gnu-c++filt
Disable /usr/bin/x86_64-linux-gnu-as
Disable /usr/bin/x86_64-linux-gnu-ld.bfd
Disable /usr/bin/gcc-nm-4.9
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-6
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-6
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-6
Disable /usr/bin/gcc-ar-4.9
Disable /usr/bin/gcc-ranlib-5
Disable /usr/bin/gcc-5
Disable /usr/bin/x86_64-linux-gnu-gcc-6
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-6
Disable /usr/bin/gcc-nm-4.8
Disable /usr/bin/gcc-4.9
Disable /usr/bin/gcc-nm-5
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-6
Disable /usr/bin/gcc-ar-5
Disable /usr/bin/gcc-ranlib-4.9
Disable /usr/bin/gcc-ar-4.8
Disable /usr/bin/x86_64-linux-gnu-gcc-6
Disable /usr/bin/gcc-4.8
Disable /usr/bin/gcc-ranlib-4.8
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-6
Disable /usr/lib/valgrind
Disable /usr/bin/perl
Disable /usr/bin/cpan5.24-x86_64-linux-gnu
Disable /usr/bin/cpan
Disable /usr/share/perl5
Disable /usr/share/perl
Disable /usr/lib/perl5
Disable /home/xxxx/.pki/nssdb
DISPLAY :1, 1
Mounting tmpfs on /tmp/.X11-unix directory
Dropping all capabilities
Set protocol filter: unix,inet,inet6
Dual i386/amd64 seccomp filter configured
SECCOMP Filter:
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCAL
  UNKNOWN ENTRY!!!
  UNKNOWN ENTRY!!!
  UNKNOWN ENTRY!!!
  BLACKLIST 165 mount
  BLACKLIST 166 umount2
  BLACKLIST 101 ptrace
  BLACKLIST 246 kexec_load
  BLACKLIST 320 kexec_file_load
  BLACKLIST 304 open_by_handle_at
  BLACKLIST 303 name_to_handle_at
  BLACKLIST 175 init_module
  BLACKLIST 313 finit_module
  BLACKLIST 174 create_module
  BLACKLIST 176 delete_module
  BLACKLIST 172 iopl
  BLACKLIST 173 ioperm
  BLACKLIST 251 ioprio_set
  BLACKLIST 167 swapon
  BLACKLIST 168 swapoff
  BLACKLIST 103 syslog
  BLACKLIST 310 process_vm_readv
  BLACKLIST 311 process_vm_writev
  BLACKLIST 139 sysfs
  BLACKLIST 156 _sysctl
  BLACKLIST 159 adjtimex
  BLACKLIST 305 clock_adjtime
  BLACKLIST 212 lookup_dcookie
  BLACKLIST 298 perf_event_open
  BLACKLIST 300 fanotify_init
  BLACKLIST 312 kcmp
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 250 keyctl
  BLACKLIST 134 uselib
  BLACKLIST 163 acct
  BLACKLIST 154 modify_ldt
  BLACKLIST 155 pivot_root
  BLACKLIST 206 io_setup
  BLACKLIST 207 io_destroy
  BLACKLIST 208 io_getevents
  BLACKLIST 209 io_submit
  BLACKLIST 210 io_cancel
  BLACKLIST 216 remap_file_pages
  BLACKLIST 237 mbind
  BLACKLIST 239 get_mempolicy
  BLACKLIST 238 set_mempolicy
  BLACKLIST 256 migrate_pages
  BLACKLIST 279 move_pages
  BLACKLIST 278 vmsplice
  BLACKLIST 161 chroot
  BLACKLIST 184 tuxcall
  BLACKLIST 169 reboot
  BLACKLIST 180 nfsservctl
  BLACKLIST 177 get_kernel_syms
  RETURN_ALLOW
Save seccomp filter, size 880 bytes
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Running 'steam'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'steam'
Child process initialized
monitoring pid 2

Running Steam on debian  64-bit
STEAM_RUNTIME is enabled automatically
[2016-10-05 12:36:45] Startup - updater built Sep 20 2016 18:20:24
Looks like steam didn't shutdown cleanly, scheduling immediate update check
[2016-10-05 12:36:45] Checking for update on startup
[2016-10-05 12:36:45] Checking for available updates...
[2016-10-05 12:36:46] Download skipped: /client/steam_client_ubuntu12 version 1474415843, installed version 1474415843
[2016-10-05 12:36:46] Nothing to do
[2016-10-05 12:36:46] Verifying installation...
[2016-10-05 12:36:46] Performing checksum verification of executable files
[2016-10-05 12:36:46] Verification complete
Forced create but already created for SharedObjectEvent
Sandbox monitor: waitpid 2 retval 2 status 0
Sandbox monitor: monitoring 96
monitoring pid 96

Sandbox monitor: waitpid 96 retval 96 status 0

Parent is shutting down, bye...
xxxx@titanV:~$

   * What was the outcome of this action?
steam fails to launch.  Journalctl shows the following:

Oct 05 12:36:45 titanV firejail[8220]: firejail --debug steam
Oct 05 12:36:45 titanV firejail[8223]: sandbox 8220, execvp into 'steam'
Oct 05 12:36:45 titanV firejail[8221]: monitoring pid 2
Oct 05 12:36:47 titanV kernel: steam[8310]: segfault at 0 ip 00000000f72738da sp 00000000fff5ef00 error 4 in libc-2.24.so[f71fd000+1b1000]
Oct 05 12:36:47 titanV firejail[8221]: monitoring pid 96
Oct 05 12:36:47 titanV firejail[8220]: exiting...

   * What outcome did you expect instead?
Previously steam would launch and run without issue in firejail.


*** End of the template - remove these template lines ***



-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firejail depends on:
ii  libapparmor1  2.10.95-4+b1
ii  libc6         2.24-3

Versions of packages firejail recommends:
ii  xserver-xephyr  2:1.18.4-2

firejail suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Source: firejail
Source-Version: 0.9.44~rc1-1

We believe that the bug you reported is fixed in the latest version of
firejail, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 839...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <rei...@reiner-h.de> (supplier of updated firejail package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 16 Oct 2016 23:35:47 +0200
Source: firejail
Binary: firejail
Architecture: source
Version: 0.9.44~rc1-1
Distribution: experimental
Urgency: low
Maintainer: Reiner Herrmann <rei...@reiner-h.de>
Changed-By: Reiner Herrmann <rei...@reiner-h.de>
Description:
 firejail   - sandbox to restrict the application environment
Closes: 839868
Changes:
 firejail (0.9.44~rc1-1) experimental; urgency=low
 .
   * New upstream release.
     - Fix program crashes with nvidia driver (Closes: #839868)
   * Add iptables to Recommends for netfilter feature.
   * Bump debhelper compat level to 10.
     - Drop --parallel, which is now default behavior

--- End Message ---
