[GH-ISSUE #2106] OpenGL on Radeon needs /usr/lib/llvm/, which is blacklisted in disable-devel.inc #1423

Closed
opened 2026-05-05 08:05:22 -06:00 by gitea-mirror · 3 comments

Originally created by @creideiki on GitHub (Sep 3, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2106

After switching from a GeForce to a Radeon GPU (using the open source drivers in Mesa), I no longer got hardware acceleration in Firefox.

Terminal output when starting Firefox:

```
~ $ firejail firefox
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: noroot option is not available
Parent pid 29820, child pid 29821
Blacklist violations are logged to syslog
Child process initialized in 64.10 ms
libGL error: unable to load driver: radeonsi_dri.so
libGL error: driver pointer missing
libGL error: failed to load driver: radeonsi
libGL error: unable to load driver: radeonsi_dri.so
libGL error: driver pointer missing
libGL error: failed to load driver: radeonsi
libGL error: unable to load driver: swrast_dri.so
libGL error: failed to load driver: swrast
JavaScript error: jar:file:///usr/lib64/firefox/omni.ja!/components/XULStore.js, line 65: Error: Can't find profile directory.
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: [OPENGL] Failed to init compositor with reason: FEATURE_FAILURE_OPENGL_CREATE_CONTEXT (t=0.684968) [GFX1-]: [OPENGL] Failed to init compositor with reason: FEATURE_FAILURE_OPENGL_CREATE_CONTEXT
```

`strace`:ing the process pointed to a failure to access LLVM:

```
[pid 29900] openat(AT_FDCWD, "/usr/lib/llvm/6/lib64/libLLVMAMDGPUCodeGen.so.6", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
[pid 29900] openat(AT_FDCWD, "/lib64/libLLVMAMDGPUCodeGen.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 29900] openat(AT_FDCWD, "/usr/lib64/libLLVMAMDGPUCodeGen.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid 29900] munmap(0x7f61ceb4e000, 348310) = 0
[pid 29900] munmap(0x7f61c4ea5000, 11903880) = 0
[pid 29900] write(2, "libGL error: ", 13) = 13
[pid 29900] write(2, "unable to load driver: radeonsi_"..., 39) = 39
```

`disable-devel.inc`, which is included in the Firefox profile, blacklists the entire `/usr/lib/llvm/` tree, seemingly in an attempt to disable the clang compiler:

```
# clang/llvm
blacklist /usr/bin/clang*
blacklist /usr/bin/lldb*
blacklist /usr/bin/llvm*
blacklist /usr/lib/llvm*
```

I removed the blacklist of the lib directory by creating `/etc/firejail/disable-devel.local` containing:

```
noblacklist /usr/lib/llvm
```

which makes Firefox hardware acceleration work.

Is there a good reason for the lib directory to be blacklisted as well as bin? The commit that added it, 823b1ae6d5, does not explain the rationale.

I tried making a more specific hole, in particular:

```
noblacklist /usr/lib/llvm/6/lib*
```

which did not work. I did not `strace` further to see what else is required.

`firejail --version`:

```
firejail version 0.9.52

Compile time support:
        - AppArmor support is disabled
        - AppImage support is enabled
        - bind support is enabled
        - chroot support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - git install support is disabled
        - networking support is enabled
        - networking features are available only to root user
        - overlayfs support is enabled
        - private-home support is enabled
        - seccomp-bpf support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
```

GPU information, according to Firefox:

```
Description X.Org -- Radeon RX 580 Series (POLARIS10, DRM 3.26.0, 4.18.5-gentoo, LLVM 6.0.1)
Driver Version 4.4 (Compatibility Profile) Mesa 18.2.0-rc5
```
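
The triage done by hand in the report above, as an added example that is not part of the original issue or of firejail's code: it pulls the `EACCES` `open`/`openat` paths out of strace output and reports which `blacklist` rule covers each one. The strace sample is constructed from the lines quoted in the issue, the function names are hypothetical, and the matching is a simplified model (a rule denies the globbed path and everything beneath it), not firejail's own implementation.

```python
import fnmatch
import re

# Constructed sample in the shape of the strace output quoted in the issue.
STRACE_LOG = '''\
[pid 29900] openat(AT_FDCWD, "/usr/lib/llvm/6/lib64/libLLVMAMDGPUCodeGen.so.6", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
[pid 29900] openat(AT_FDCWD, "/usr/lib64/libLLVMAMDGPUCodeGen.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
'''

# The clang/llvm rules the issue quotes from disable-devel.inc.
PROFILE = '''\
# clang/llvm
blacklist /usr/bin/clang*
blacklist /usr/bin/lldb*
blacklist /usr/bin/llvm*
blacklist /usr/lib/llvm*
'''

# open()/openat() calls that returned EACCES; group 1 is the quoted path.
OPEN_DENIED = re.compile(r'\bopen(?:at)?\((?:[^,"]+, )?"([^"]+)".*= -1 EACCES\b')


def denied_paths(strace_text):
    """Paths whose open/openat failed with EACCES, de-duplicated, in order."""
    hits = (OPEN_DENIED.search(line) for line in strace_text.splitlines())
    return list(dict.fromkeys(m.group(1) for m in hits if m))


def blacklist_rules(profile_text):
    """Glob patterns of 'blacklist' lines; comments and other commands are skipped."""
    split = (line.split(None, 1) for line in profile_text.splitlines())
    return [p[1].strip() for p in split if len(p) == 2 and p[0] == "blacklist"]


def covering_rule(path, rules):
    """(rule, blocked ancestor) for the first rule matching path or a parent dir."""
    parts = path.strip("/").split("/")
    for rule in rules:
        pat = rule.strip("/").split("/")
        if len(pat) <= len(parts) and all(map(fnmatch.fnmatchcase, parts, pat)):
            return rule, "/" + "/".join(parts[:len(pat)])
    return None


def triage(strace_text, profile_text):
    """Map each denied path to the rule that explains it (None if unexplained)."""
    rules = blacklist_rules(profile_text)
    return {p: covering_rule(p, rules) for p in denied_paths(strace_text)}
```

Calling `triage(STRACE_LOG, PROFILE)` maps the denied library path to the `blacklist /usr/lib/llvm*` rule; a denied path that maps to `None` was blocked by something other than the rules in that profile text.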

@SkewedZeppelin commented on GitHub (Sep 3, 2018):

See #1437

So this is an issue with LLVM >=4 and is noblacklisted in a number of existing profiles (wine, steam, qutebrowser, etc). When that blacklist was added in late 2015, LLVM 4 had only just come out and wasn't widely adopted by distros.

However now LLVM 7 is on the horizon and with mesa's increasing dependence on it (mainly for radeonsi), we probably should consider removing /usr/lib/llvm* from the blacklist


@netblue30 commented on GitHub (Sep 7, 2018):

Fixed: cef2514caa


@Fred-Barclay commented on GitHub (Sep 19, 2018):

Closing for now since the blacklist has been removed in 0.9.56.
