Package: firejail
Version: 0.9.42-1
Severity: normal

Dear Maintainer,

   * What led up to the situation?
It seems that after the latest nvidia-driver update to 367.44-2, steam no
longer runs in firejail.  It previously worked without issue.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
Launching from terminal gives me this:

xxxx@titanV:~$ firejail --debug steam
Autoselecting /bin/bash as shell
Command name #steam#
Found steam profile in /etc/firejail directory
Reading profile /etc/firejail/steam.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
DISPLAY :1, 1
Using the local network stack
Parent pid 8220, child pid 8221
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Mounting read-only /bin, /sbin, /lib, /lib32, /lib64, /usr, /etc, /var
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/snmp
Mounting tmpfs on /var/lib/sudo
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/x11
Remounting /proc and /proc/sys filesystems
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/fs
Disable /sys/module
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/sched_debug
Disable /proc/timer_list
Disable /proc/timer_stats
Disable /proc/kcore
Disable /proc/kallsyms
Disable /lib/modules
Disable /boot
Disable /dev/port
Disable /dev/kmsg
Disable /proc/kmsg
Disable /home/xxxx/.bash_history
Mounting read-only /home/xxxx/.local/share/applications
Disable /home/xxxx/.config/autostart
Disable /etc/xdg/autostart
Disable /etc/X11/Xsession.d
Disable /var/spool/cron
Disable /var/spool/anacron
Disable /run/minissdpd.sock
Disable /run/rpcbind.sock
Disable /etc/cron.d
Disable /etc/cron.hourly
Disable /etc/cron.daily
Disable /etc/cron.weekly
Disable /etc/cron.monthly
Disable /etc/profile.d
Disable /etc/rc.local
Disable /etc/anacrontab
Mounting read-only /home/xxxx/.profile
Mounting read-only /home/xxxx/.bashrc
Mounting read-only /home/xxxx/.bash_logout
Mounting read-only /home/xxxx/.profile
Mounting read-only /home/xxxx/.reportbugrc
Disable /home/xxxx/.ssh
Disable /home/xxxx/.gnupg
Disable /etc/shadow
Disable /etc/gshadow
Disable /etc/passwd-
Disable /etc/group-
Disable /etc/shadow-
Disable /etc/gshadow-
Disable /etc/ssh
Disable /bin/umount
Disable /bin/mount
Disable /bin/fusermount
Disable /bin/su
Disable /usr/bin/sudo
Disable /usr/bin/xev
Disable /bin/nc.traditional
Disable /usr/bin/ncat
Disable /sbin
Disable /usr/sbin
Disable /usr/local/sbin
Disable /usr/bin/gnome-terminal
Disable /usr/bin/gnome-terminal.wrapper
Disable /home/xxxx/.config/libreoffice
Disable /home/xxxx/.mozilla
Disable /home/xxxx/.config/chromium
Not blacklist /home/xxxx/.steam
Disable /home/xxxx/.cache/mozilla
Disable /home/xxxx/.cache/chromium
Not blacklist /home/xxxx/.local/share/steam
Disable /tmp/ssh-oNRep5al0P30
Disable /usr/include
Disable /usr/lib/gcc
Disable /usr/bin/gcc-4.8
Disable /usr/bin/x86_64-linux-gnu-gcc-6
Disable /usr/bin/gcc-nm-4.8
Disable /usr/bin/gcc-ar-5
Disable /usr/bin/x86_64-linux-gnu-gcc-6
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-6
Disable /usr/bin/gcc-ranlib-5
Disable /usr/bin/gcc-ar-4.8
Disable /usr/bin/gcc-ranlib-4.9
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-6
Disable /usr/bin/gcc-nm-4.9
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-6
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-6
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-6
Disable /usr/bin/gcc-ar-4.9
Disable /usr/bin/gcc-nm-5
Disable /usr/bin/gcc-5
Disable /usr/bin/gcc-4.9
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-6
Disable /usr/bin/gcc-ranlib-4.8
Disable /usr/bin/x86_64-linux-gnu-cpp-6
Disable /usr/bin/cpp-4.8
Disable /usr/bin/x86_64-linux-gnu-cpp-6
Disable /usr/bin/cpp-5
Disable /usr/bin/cpp-4.9
Disable /usr/bin/c99-gcc
Disable /usr/bin/c99-gcc
Disable /usr/bin/c89-gcc
Disable /usr/bin/c89-gcc
Disable /usr/bin/x86_64-linux-gnu-c++filt
Disable /usr/bin/x86_64-linux-gnu-as
Disable /usr/bin/x86_64-linux-gnu-ld.bfd
Disable /usr/bin/gcc-nm-4.9
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-6
Disable /usr/bin/x86_64-linux-gnu-gcc-nm-6
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-6
Disable /usr/bin/gcc-ar-4.9
Disable /usr/bin/gcc-ranlib-5
Disable /usr/bin/gcc-5
Disable /usr/bin/x86_64-linux-gnu-gcc-6
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-6
Disable /usr/bin/gcc-nm-4.8
Disable /usr/bin/gcc-4.9
Disable /usr/bin/gcc-nm-5
Disable /usr/bin/x86_64-linux-gnu-gcc-ar-6
Disable /usr/bin/gcc-ar-5
Disable /usr/bin/gcc-ranlib-4.9
Disable /usr/bin/gcc-ar-4.8
Disable /usr/bin/x86_64-linux-gnu-gcc-6
Disable /usr/bin/gcc-4.8
Disable /usr/bin/gcc-ranlib-4.8
Disable /usr/bin/x86_64-linux-gnu-gcc-ranlib-6
Disable /usr/lib/valgrind
Disable /usr/bin/perl
Disable /usr/bin/cpan5.24-x86_64-linux-gnu
Disable /usr/bin/cpan
Disable /usr/share/perl5
Disable /usr/share/perl
Disable /usr/lib/perl5
Disable /home/xxxx/.pki/nssdb
DISPLAY :1, 1
Mounting tmpfs on /tmp/.X11-unix directory
Dropping all capabilities
Set protocol filter: unix,inet,inet6
Dual i386/amd64 seccomp filter configured
SECCOMP Filter:
  VALIDATE_ARCHITECTURE
  EXAMINE_SYSCAL
  UNKNOWN ENTRY!!!
  UNKNOWN ENTRY!!!
  UNKNOWN ENTRY!!!
  BLACKLIST 165 mount
  BLACKLIST 166 umount2
  BLACKLIST 101 ptrace
  BLACKLIST 246 kexec_load
  BLACKLIST 320 kexec_file_load
  BLACKLIST 304 open_by_handle_at
  BLACKLIST 303 name_to_handle_at
  BLACKLIST 175 init_module
  BLACKLIST 313 finit_module
  BLACKLIST 174 create_module
  BLACKLIST 176 delete_module
  BLACKLIST 172 iopl
  BLACKLIST 173 ioperm
  BLACKLIST 251 ioprio_set
  BLACKLIST 167 swapon
  BLACKLIST 168 swapoff
  BLACKLIST 103 syslog
  BLACKLIST 310 process_vm_readv
  BLACKLIST 311 process_vm_writev
  BLACKLIST 139 sysfs
  BLACKLIST 156 _sysctl
  BLACKLIST 159 adjtimex
  BLACKLIST 305 clock_adjtime
  BLACKLIST 212 lookup_dcookie
  BLACKLIST 298 perf_event_open
  BLACKLIST 300 fanotify_init
  BLACKLIST 312 kcmp
  BLACKLIST 248 add_key
  BLACKLIST 249 request_key
  BLACKLIST 250 keyctl
  BLACKLIST 134 uselib
  BLACKLIST 163 acct
  BLACKLIST 154 modify_ldt
  BLACKLIST 155 pivot_root
  BLACKLIST 206 io_setup
  BLACKLIST 207 io_destroy
  BLACKLIST 208 io_getevents
  BLACKLIST 209 io_submit
  BLACKLIST 210 io_cancel
  BLACKLIST 216 remap_file_pages
  BLACKLIST 237 mbind
  BLACKLIST 239 get_mempolicy
  BLACKLIST 238 set_mempolicy
  BLACKLIST 256 migrate_pages
  BLACKLIST 279 move_pages
  BLACKLIST 278 vmsplice
  BLACKLIST 161 chroot
  BLACKLIST 184 tuxcall
  BLACKLIST 169 reboot
  BLACKLIST 180 nfsservctl
  BLACKLIST 177 get_kernel_syms
  RETURN_ALLOW
Save seccomp filter, size 880 bytes
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Running 'steam'  command through /bin/bash
execvp argument 0: /bin/bash
execvp argument 1: -c
execvp argument 2: 'steam'
Child process initialized
monitoring pid 2

Running Steam on debian  64-bit
STEAM_RUNTIME is enabled automatically
[2016-10-05 12:36:45] Startup - updater built Sep 20 2016 18:20:24
Looks like steam didn't shutdown cleanly, scheduling immediate update check
[2016-10-05 12:36:45] Checking for update on startup
[2016-10-05 12:36:45] Checking for available updates...
[2016-10-05 12:36:46] Download skipped: /client/steam_client_ubuntu12 version 1474415843, installed version 1474415843
[2016-10-05 12:36:46] Nothing to do
[2016-10-05 12:36:46] Verifying installation...
[2016-10-05 12:36:46] Performing checksum verification of executable files
[2016-10-05 12:36:46] Verification complete
Forced create but already created for SharedObjectEvent
Sandbox monitor: waitpid 2 retval 2 status 0
Sandbox monitor: monitoring 96
monitoring pid 96

Sandbox monitor: waitpid 96 retval 96 status 0

Parent is shutting down, bye...
xxxx@titanV:~$

   * What was the outcome of this action?
steam fails to launch.  Journalctl shows the following:

Oct 05 12:36:45 titanV firejail[8220]: firejail --debug steam
Oct 05 12:36:45 titanV firejail[8223]: sandbox 8220, execvp into 'steam'
Oct 05 12:36:45 titanV firejail[8221]: monitoring pid 2
Oct 05 12:36:47 titanV kernel: steam[8310]: segfault at 0 ip 00000000f72738da sp 00000000fff5ef00 error 4 in libc-2.24.so[f71fd000+1b1000]
Oct 05 12:36:47 titanV firejail[8221]: monitoring pid 96
Oct 05 12:36:47 titanV firejail[8220]: exiting...

   * What outcome did you expect instead?
Previously steam would launch and run without issue in firejail.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.7.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firejail depends on:
ii  libapparmor1  2.10.95-4+b1
ii  libc6         2.24-3

Versions of packages firejail recommends:
ii  xserver-xephyr  2:1.18.4-2

firejail suggests no packages.

-- no debconf information
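The kernel "segfault at" line in the journal is the most diagnostic item in this report, and reading it correctly separates a crash inside the sandboxed program from a sandbox kill. The script below is an added example, not part of the bug report or of the firejail project: it parses a kernel segfault line, decodes the x86 page-fault error code, and computes the instruction pointer's offset inside the faulting object so it can be looked up with addr2line or objdump against the same libc build. The sample line is the reporter's journal line rejoined onto one line; the field names and the triage wording are this example's own.

```python
import re
from typing import Optional

# Constructed sample: the journalctl line from the report above, rejoined onto one line.
SAMPLE_LINE = (
    "Oct 05 12:36:47 titanV kernel: steam[8310]: segfault at 0 ip 00000000f72738da "
    "sp 00000000fff5ef00 error 4 in libc-2.24.so[f71fd000+1b1000]"
)

# Matches the kernel's "segfault at ADDR ip IP sp SP error N in OBJ[BASE+SIZE]" line.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)


def decode_error_code(err: int) -> dict:
    """Decode the x86 page-fault error code the kernel prints after 'error'."""
    return {
        "protection_violation": bool(err & 1),  # 0: page not present, 1: protection violation
        "write": bool(err & 2),                 # 0: read access, 1: write access
        "user_mode": bool(err & 4),             # 1: fault raised while in user mode
        "reserved_bit": bool(err & 8),          # reserved bit set in a page-table entry
        "instruction_fetch": bool(err & 16),    # fault on instruction fetch (NX)
    }


def parse_segfault(line: str) -> Optional[dict]:
    """Return a structured view of a kernel segfault line, or None if the line is not one."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    fault_addr = int(m["addr"], 16)
    ip = int(m["ip"], 16)
    info = {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": fault_addr,
        "ip": ip,
        "sp": int(m["sp"], 16),
        "error_bits": decode_error_code(int(m["err"])),
        # A fault address in the first page is a NULL (or near-NULL) pointer dereference.
        "null_deref": fault_addr < 4096,
    }
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        info["object"] = m["obj"].strip()
        # File-relative offset: the value to feed to addr2line/objdump on this libc build.
        info["offset_in_object"] = ip - base
        info["ip_inside_object"] = base <= ip < base + size
    return info


def triage_hint(info: dict) -> str:
    """One-line reading of the fault for someone deciding whether the sandbox caused it."""
    bits = info["error_bits"]
    access = "write" if bits["write"] else "read"
    where = "user mode" if bits["user_mode"] else "kernel mode"
    cause = "protection violation" if bits["protection_violation"] else "unmapped page"
    text = f"{access} of {cause} in {where}"
    if info["null_deref"]:
        text += "; NULL-pointer dereference"
    if "object" in info:
        text += f"; ip at +{info['offset_in_object']:#x} in {info['object']}"
    # A seccomp kill delivers SIGSYS and produces no 'segfault at' line, so a line like
    # this points at a crash inside the program, not at the syscall filter.
    text += "; not a seccomp kill"
    return text


if __name__ == "__main__":
    parsed = parse_segfault(SAMPLE_LINE)
    print(parsed)
    print(triage_hint(parsed))
```

For the reporter's line this yields a user-mode read of an unmapped page at address 0 with the instruction pointer at offset 0x768da inside libc-2.24.so, i.e. a NULL-pointer dereference in the 32-bit Steam client rather than a syscall denied by the seccomp blacklist shown in the debug output. The next step a maintainer would take is to bisect the profile (re-run with individual restrictions removed) to find which denied path or device the client expected to exist.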
