[GH-ISSUE #1879] Lighter profile for cinelerra #1267

Closed
opened 2026-05-05 07:45:25 -06:00 by gitea-mirror · 8 comments

Originally created by @HotelBellaMuerte on GitHub (Apr 11, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1879

If you try to use x265, cin hangs.

With this, x265 works (with it I got 4-6 threads instead of <4, and as I've an 8t CPU it's fine):
https://p.teknik.io/pYzl9


@HotelBellaMuerte commented on GitHub (Apr 11, 2018):

Extra!

I've run a small bench

With default profile: 2 minutes 40 seconds

Now: 40 seconds


@smitsohu commented on GitHub (Apr 11, 2018):

Hi @bn0785ac,

do you use some proprietary graphics driver? With regards to seccomp, run `sudo journalctl | grep syscall` after cinelerra has been killed by firejail, it should show the violation.

In order to identify the problem with private-bin, easiest is to start the program as `firejail --build cinelerra`, then play a bit with it and close it again. In your terminal you'll find some profile suggestions, including for private-bin. Note however that the `--build` option is only available in firejail 0.9.52.

@HotelBellaMuerte commented on GitHub (Apr 11, 2018):

It's more a caps issue (if I remove seccomp it works), it's rare that caps.drop.all doesn't block anything.

Render setup: CPU Only

GPU: RX 560

Driver: amdgpu (default)


@smitsohu commented on GitHub (Apr 13, 2018):

> It's more a caps issue (if I remove seccomp it works), it's rare that caps.drop.all doesn't block anything.

`protocol unix` is enabled in your profile, can you confirm it works with this option?

@HotelBellaMuerte commented on GitHub (Apr 16, 2018):

Works fine here (I've uploaded music videos to YouTube with that)


@smitsohu commented on GitHub (Apr 17, 2018):

@bn0785ac Thanks. Can you please run `firejail cinelerra` and paste here what you get in the terminal (error messages, warnings)? Do you get anything from `sudo journalctl | grep syscall`, or does it return nothing?

If you want, we can find the problematic system call(s) together. Then we could consider doing something like in /etc/firejail/clementine.profile and selectively allow only the needed system call(s), in order to keep most of the seccomp filter in place.
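A sketch of the triage step discussed in the comments above (reading seccomp violations from `journalctl` output and identifying the blocked system calls); this is an added example, not part of the original thread or firejail's own code. The log lines are constructed, the two record layouts handled are assumptions, and the syscall table is deliberately partial.

```python
import re
from collections import Counter

# arch= tokens used in audit records (AUDIT_ARCH_X86_64 / AUDIT_ARCH_I386).
ARCHES = {"c000003e": "x86_64", "40000003": "i386"}
# Partial x86_64 syscall table, enough for the sample; extend as needed.
X86_64_NAMES = {59: "execve", 101: "ptrace", 165: "mount"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_seccomp(line):
    """Return (exe, arch, syscall) for a seccomp audit record, else None."""
    # Assumed record spellings: kernel "type=1326", journald "SECCOMP".
    if "type=1326" not in line and " SECCOMP " not in line:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if "arch" not in f or not f.get("syscall", "").isdigit():
        return None
    arch = ARCHES.get(f["arch"], f["arch"])
    nr = int(f["syscall"])
    # Syscall numbers are per-architecture: only name them with the right table.
    name = X86_64_NAMES.get(nr) if arch == "x86_64" else None
    return f.get("exe", "?"), arch, name or f"syscall_{nr}"

def summarize(lines):
    """Count violations per (exe, arch, syscall), most frequent first."""
    counts = Counter(r for r in map(parse_seccomp, lines) if r)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample lines (not taken from the issue); /usr/bin/demo and
# /usr/bin/demo32 are hypothetical programs.
_IDS = "auid=1000 uid=1000 gid=1000 ses=2"
SAMPLE = [
    f'kernel: audit: type=1326 audit(1523959201.101:71): {_IDS} pid=4242 '
    'comm="demo" exe="/usr/bin/demo" sig=31 arch=c000003e syscall=165 code=0x0',
    f'kernel: audit: type=1326 audit(1523959202.202:72): {_IDS} pid=4243 '
    'comm="demo" exe="/usr/bin/demo" sig=31 arch=c000003e syscall=101 code=0x0',
    f'kernel: audit: type=1326 audit(1523959203.303:73): {_IDS} pid=4244 '
    'comm="demo" exe="/usr/bin/demo" sig=31 arch=c000003e syscall=165 code=0x0',
    f'audit[4250]: SECCOMP {_IDS} pid=4250 comm="demo32" '
    'exe="/usr/bin/demo32" sig=31 arch=40000003 syscall=26 code=0x0',
    # Matches "grep syscall" but is not a seccomp record, so it is skipped.
    'kernel: traced syscall=165 in an unrelated message',
]

if __name__ == "__main__":
    for (exe, arch, name), n in summarize(SAMPLE):
        print(f"{n:3d}  {exe}  {arch}  {name}")
```

The 32-bit record is reported by number rather than name because the x86_64 table does not apply to it.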

@smitsohu commented on GitHub (Apr 18, 2018):

Some time ago I came across this [wiki article](https://wiki.tizen.org/Security:Seccomp), which seems to indicate that `seccomp.keep` is lighter.

@smitsohu commented on GitHub (Aug 23, 2018):

@HotelBellaMuerte As the problems were either fixed or documented in the profiles, I'm closing the issue. Thank you for the bug report!
