Package: firejail
Version: 0.9.42-1
Severity: normal

Dear Maintainer,

* What led up to the situation?

It seems to be that after the latest nvidia-driver update to 367.44-2, steam no longer runs in firejail. It previously worked without issue.

* What exactly did you do (or not do) that was effective (or ineffective)?

Launching from terminal gives me this:

xxxx@titanV:~$ firejail --debug steam
Autoselecting /bin/bash as shell
Command name #steam#
Found steam profile in /etc/firejail directory
Reading profile /etc/firejail/steam.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
DISPLAY :1, 1
Using the local network stack
Parent pid 8220, child pid 8221
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/fs
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/timer_stats
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/xxxx/.bash_history
Mounting read-only /home/xxxx/.local/share/applications
Disable /home/xxxx/.config/autostart
Disable /etc/xdg/autostart
Disable /etc/X11/Xsession.d
Disable /var/spool/cron
Disable /var/spool/anacron
Disable /run/minissdpd.sock
Disable /run/rpcbind.sock
Disable /etc/cron.d
Disable /etc/cron.hourly
Disable /etc/cron.daily
Disable /etc/cron.weekly
Disable /etc/cron.monthly
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/anacrontab
Mounting read-only /home/xxxx/.profile
Mounting read-only /home/xxxx/.bashrc
Mounting read-only /home/xxxx/.bash_logout
Mounting read-only /home/xxxx/.profile
Mounting read-only /home/xxxx/.reportbugrc
Disable /home/xxxx/.ssh
Disable /home/xxxx/.gnupg
Disable /etc/shadow
Disable /etc/gshadow
Disable /etc/passwd-
Disable /etc/group-
Disable /etc/shadow-
Disable /etc/gshadow-
Disable /etc/ssh
Disable /bin/umount
Disable /bin/mount
Disable /bin/fusermount
Disable /bin/su
Disable /usr/bin/sudo
Disable /usr/bin/xev
Disable /bin/nc.traditional
Disable /usr/bin/ncat
Disable /sbin
Disable /usr/sbin
Disable /usr/local/sbin
Disable /usr/bin/gnome-terminal
Disable /usr/bin/gnome-terminal.wrapper
Disable /home/xxxx/.config/libreoffice
Disable /home/xxxx/.mozilla
Disable /home/xxxx/.config/chromium
Not blacklist /home/xxxx/.steam
Disable /home/xxxx/.cache/mozilla
Disable /home/xxxx/.cache/chromium
Not blacklist /home/xxxx/.local/share/steam
Disable /tmp/ssh-oNRep5al0P30
Disable /usr/include
Disable /usr/lib/gcc
Disable /usr/bin/gcc-4.8
Disable /usr/bin/x86_64-linux-gnu-gcc-6
Disable /usr/bin/gcc-nm-4.8
Disable /usr/bin/gcc-ar-5
Disable /usr/bin/x86_64-linux-gnu-gcc-6
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-6
Disable /usr/bin/gcc-ranlib-5
Disable /usr/bin/gcc-ar-4.8
Disable /usr/bin/gcc-ranlib-4.9
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-6
Disable /usr/bin/gcc-nm-4.9
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-6
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-6
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-6
Disable /usr/bin/gcc-ar-4.9
Disable /usr/bin/gcc-nm-5
Disable /usr/bin/gcc-5
Disable /usr/bin/gcc-4.9
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-6
Disable /usr/bin/gcc-ranlib-4.8
Disable /usr/bin/x86_64-linux-gnu-cpp-6
Disable /usr/bin/cpp-4.8
Disable /usr/bin/x86_64-linux-gnu-cpp-6
Disable /usr/bin/cpp-5
Disable /usr/bin/cpp-4.9
Disable /usr/bin/c99-gcc
Disable /usr/bin/c99-gcc
Disable /usr/bin/c89-gcc
Disable /usr/bin/c89-gcc
Disable /usr/bin/x86_64-linux-gnu-c++filt
Disable /usr/bin/x86_64-linux-gnu-as
Disable /usr/bin/x86_64-linux-gnu-ld.bfd
Disable /usr/bin/gcc-nm-4.9
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-6
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-6
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-6
Disable /usr/bin/gcc-ar-4.9
Disable /usr/bin/gcc-ranlib-5
Disable /usr/bin/gcc-5
Disable /usr/bin/x86_64-linux-gnu-gcc-6
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-6
Disable /usr/bin/gcc-nm-4.8
Disable /usr/bin/gcc-4.9
Disable /usr/bin/gcc-nm-5
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-6
Disable /usr/bin/gcc-ar-5
Disable /usr/bin/gcc-ranlib-4.9
Disable /usr/bin/gcc-ar-4.8
Disable /usr/bin/x86_64-linux-gnu-gcc-6
Disable /usr/bin/gcc-4.8
Disable /usr/bin/gcc-ranlib-4.8
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-6
Disable /usr/lib/valgrind
Disable /usr/bin/perl
Disable /usr/bin/cpan5.24-x86_64-linux-gnu
Disable /usr/bin/cpan
Disable /usr/share/perl5
Disable /usr/share/perl
Disable /usr/lib/perl5
Disable /home/xxxx/.pki/nssdb
DISPLAY :1, 1
Mounting tmpfs on /tmp/.X11-unix directory
Dropping all capabilities
Set protocol filter: unix,inet,inet6
Dual i386/amd64 seccomp filter configured
SECCOMP Filter:
VALIDATE_ARCHITECTURE
EXAMINE_SYSCAL
UNKNOWN ENTRY!!!
UNKNOWN ENTRY!!!
UNKNOWN ENTRY!!!
BLACKLIST 165 mount
BLACKLIST 166 umount2
BLACKLIST 101 ptrace
BLACKLIST 246 kexec_load
BLACKLIST 320 kexec_file_load
BLACKLIST 304 open_by_handle_at
BLACKLIST 303 name_to_handle_at
BLACKLIST 175 init_module
BLACKLIST 313 finit_module
BLACKLIST 174 create_module
BLACKLIST 176 delete_module
BLACKLIST 172 iopl
BLACKLIST 173 ioperm
BLACKLIST 251 ioprio_set
BLACKLIST 167 swapon
BLACKLIST 168 swapoff
BLACKLIST 103 syslog
BLACKLIST 310 process_vm_readv
BLACKLIST 311 process_vm_writev
BLACKLIST 139 sysfs
BLACKLIST 156 _sysctl
BLACKLIST 159 adjtimex
BLACKLIST 305 clock_adjtime
BLACKLIST 212 lookup_dcookie
BLACKLIST 298 perf_event_open
BLACKLIST 300 fanotify_init
BLACKLIST 312 kcmp
BLACKLIST 248 add_key
BLACKLIST 249 request_key
BLACKLIST 250 keyctl
BLACKLIST 134 uselib
BLACKLIST 163 acct
BLACKLIST 154 modify_ldt
BLACKLIST 155 pivot_root
BLACKLIST 206 io_setup
BLACKLIST 207 io_destroy
BLACKLIST 208 io_getevents
BLACKLIST 209 io_submit
BLACKLIST 210 io_cancel
BLACKLIST 216 remap_file_pages
BLACKLIST 237 mbind
BLACKLIST 239 get_mempolicy
BLACKLIST 238 set_mempolicy
BLACKLIST 256 migrate_pages
BLACKLIST 279 move_pages
BLACKLIST 278 vmsplice
BLACKLIST 161 chroot
BLACKLIST 184 tuxcall
BLACKLIST 169 reboot
BLACKLIST 180 nfsservctl
BLACKLIST 177 get_kernel_syms
RETURN_ALLOW
Save seccomp filter, size 880 bytes
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Running 'steam' command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'steam'
Child process initialized
monitoring pid 2
Running Steam on debian 64-bit
STEAM_RUNTIME is enabled automatically
[2016-10-05 12:36:45] Startup - updater built Sep 20 2016 18:20:24
Looks like steam didn't shutdown cleanly, scheduling immediate update check
[2016-10-05 12:36:45] Checking for update on startup
[2016-10-05 12:36:45] Checking for available updates...
[2016-10-05 12:36:46] Download skipped: /client/steam_client_ubuntu12 version 1474415843, installed version 1474415843
[2016-10-05 12:36:46] Nothing to do
[2016-10-05 12:36:46] Verifying installation...
[2016-10-05 12:36:46] Performing checksum verification of executable files
[2016-10-05 12:36:46] Verification complete
Forced create but already created for SharedObjectEvent
Sandbox monitor: waitpid 2 retval 2 status 0
Sandbox monitor: monitoring 96
monitoring pid 96
Sandbox monitor: waitpid 96 retval 96 status 0
Parent is shutting down, bye...
xxxx@titanV:~$

* What was the outcome of this action?

steam fails to launch. Journalctl shows the following:

Oct 05 12:36:45 titanV firejail[8220]: firejail --debug steam
Oct 05 12:36:45 titanV firejail[8223]: sandbox 8220, execvp into 'steam'
Oct 05 12:36:45 titanV firejail[8221]: monitoring pid 2
Oct 05 12:36:47 titanV kernel: steam[8310]: segfault at 0 ip 00000000f72738da sp 00000000fff5ef00 error 4 in libc-2.24.so[f71fd000+1b1000]
Oct 05 12:36:47 titanV firejail[8221]: monitoring pid 96
Oct 05 12:36:47 titanV firejail[8220]: exiting...

* What outcome did you expect instead?

Previously steam would launch and run without issue in firejail.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firejail depends on:
ii  libapparmor1  2.10.95-4+b1
ii  libc6         2.24-3

Versions of packages firejail recommends:
ii  xserver-xephyr  2:1.18.4-2

firejail suggests no packages.

-- no debconf information
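Editor's note, not part of the bug report above and not firejail code: the two artifacts a maintainer has to work from here are the kernel's `segfault at ... error N in lib[base+size]` line from journalctl and the `BLACKLIST <nr> <name>` entries of the `firejail --debug` seccomp dump. The helper below parses both. It decodes the x86 page-fault error code the kernel prints (bit 0 protection violation vs. page not present, bit 1 write vs. read, bit 2 user mode, bit 3 reserved bit, bit 4 instruction fetch), flags a fault in the first page as a NULL dereference, and turns the instruction pointer into an offset inside the named library mapping, which is what `addr2line` or `gdb` needs against the matching libc build (the report does not include one, so that step is left to the reader). Two caveats the report does not settle: a syscall rejected by a SECCOMP_RET_KILL filter is delivered as SIGSYS, not SIGSEGV, so a segfault at 0 inside libc is a null-pointer read in the sandboxed process, and whether that null came from a call that failed because of the sandbox's blacklist or from the driver update is not something either log line proves. The sample inputs are constructed from the report's own log lines.

```python
import re

# Constructed sample input: the kernel line quoted from the journalctl excerpt in the report.
SEGFAULT_LINE = (
    "Oct 05 12:36:47 titanV kernel: steam[8310]: segfault at 0 ip 00000000f72738da "
    "sp 00000000fff5ef00 error 4 in libc-2.24.so[f71fd000+1b1000]"
)

# Constructed sample input: an excerpt of the seccomp dump from the `firejail --debug steam` run.
DEBUG_EXCERPT = """Dual i386/amd64 seccomp filter configured
SECCOMP Filter:
VALIDATE_ARCHITECTURE
EXAMINE_SYSCAL
UNKNOWN ENTRY!!!
BLACKLIST 165 mount
BLACKLIST 166 umount2
BLACKLIST 101 ptrace
BLACKLIST 298 perf_event_open
RETURN_ALLOW
Save seccomp filter, size 880 bytes
"""

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<lib>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# x86 page-fault error-code bits, as printed in the kernel's "error N" field.
PF_PROT, PF_WRITE, PF_USER, PF_RSVD, PF_INSTR = 1, 2, 4, 8, 16


def decode_fault_error(err):
    """Turn the numeric error code into named flags."""
    return {
        "protection_violation": bool(err & PF_PROT),  # False: the page was simply not mapped
        "write": bool(err & PF_WRITE),                # False: a read access
        "user_mode": bool(err & PF_USER),
        "reserved_bit": bool(err & PF_RSVD),
        "instruction_fetch": bool(err & PF_INSTR),
    }


def parse_segfault(line):
    """Parse one kernel segfault message; return None if the line is not one."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip = int(m["addr"], 16), int(m["ip"], 16)
    info = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "addr": addr,
        "ip": ip,
        "sp": int(m["sp"], 16),
        "error": decode_fault_error(int(m["err"])),
        # The first page is never mapped in a normal process, so a fault there is a NULL
        # (or NULL-plus-small-field-offset) dereference rather than a wild pointer.
        "null_deref": addr < 0x1000,
        "lib": m["lib"],
        "lib_offset": None,
    }
    if m["lib"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        if base <= ip < base + size:
            # Offset from the mapping start: the value to hand to
            # `addr2line -e <that libc file> 0x...` or gdb with matching debug symbols.
            info["lib_offset"] = ip - base
    return info


def parse_seccomp_blacklist(debug_output):
    """Collect {syscall_number: name} from the BLACKLIST lines of a firejail --debug dump."""
    return {
        int(nr): name
        for nr, name in re.findall(r"^BLACKLIST (\d+) (\S+)", debug_output, re.M)
    }


def describe(fault):
    """One-line human-readable verdict for a parsed fault."""
    e = fault["error"]
    access = "instruction fetch" if e["instruction_fetch"] else ("write" if e["write"] else "read")
    mode = "user-mode" if e["user_mode"] else "kernel-mode"
    page = "protection violation" if e["protection_violation"] else "unmapped page"
    if fault["lib_offset"] is not None:
        where = f"{fault['lib']}+0x{fault['lib_offset']:x}"
    else:
        where = f"ip 0x{fault['ip']:x}"
    kind = "NULL dereference" if fault["null_deref"] else "bad pointer"
    return (f"{fault['comm']}[{fault['pid']}]: {mode} {access} of {page} "
            f"at 0x{fault['addr']:x} ({kind}) from {where}")


if __name__ == "__main__":
    fault = parse_segfault(SEGFAULT_LINE)
    print(describe(fault))
    blocked = parse_seccomp_blacklist(DEBUG_EXCERPT)
    print(f"{len(blocked)} syscalls blacklisted by the sandbox: {sorted(blocked.values())}")
```

For the report's own line this yields a user-mode read of an unmapped page at address 0 from libc-2.24.so+0x768da; that offset, resolved against the i386 libc 2.24-3 build from the system information section, is the next thing a maintainer would want before deciding whether the sandbox or the driver is at fault.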