[GH-ISSUE #2119] Running any GOG game under Firejail is extremely awkward #1437

Closed
opened 2026-05-05 08:06:08 -06:00 by gitea-mirror · 4 comments

Originally created by @kozross on GitHub (Sep 22, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2119

I'm on Firejail 0.9.54 with seccomp support. Previously, I would run GOG games with Firejail as follows:

HOME=/home/koz/games firejail --protocol=unix ./games/gog/darkest-dungeon/start.sh

and everything worked fine (using Darkest Dungeon as an example). However, the GOG support library requires the name_to_handle_at syscall in at least this particular case, which is on the default blocklist. Aside from being an incredible pain to figure out, as far as I can tell, this mandates that the call now look like this:

HOME=/home/koz/games firejail --seccomp.drop=modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,adjtimex,clock_adjtime,clock_settime,settimeofday,delete_module,finit_module,init_module,ioperm,iopl,kexec_load,kexec_file_load,reboot,swapon,swapoff,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup,set_mempolicy,migrate_pages,move_pages,mbind,open_by_handle_at,ioprio_set,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,personality,userfaultfd --protocol=unix ./games/gog/darkest-dungeon/start.sh

While I understand that I could stuff that in a bash script and go about my day, this is rather annoying, as all I really want to do is whitelist a single syscall from the default list. Additionally, as far as I can tell, I can't create my own seccomp group (like @darkestdungeon or something).

Am I missing something here?
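The long drop list in the post is the default blocklist with one entry taken out, which is what makes the command awkward to maintain by hand. The script below is an added example, not code from the issue or from the firejail project: it rebuilds that default list (the posted list with name_to_handle_at put back; the list and its order are reconstructed from the post, not taken from firejail's source), lets you name the syscalls to allow, and emits the matching seccomp.drop profile line. It also pulls the syscall number out of a kernel seccomp audit line, so the blocked call can be identified instead of found by trial and error. The audit line is constructed for the example; the 303 = name_to_handle_at mapping holds for x86_64 only, and the built-in fallback table covers just the two handle_at calls, with libseccomp's scmp_sys_resolver used when it is installed.

```shell
#!/bin/sh
# Added example (not from the issue or the firejail project): build a
# seccomp.drop line that is the default blocklist minus the syscalls you
# name, and identify the syscall a seccomp kill was triggered by.

# Firejail 0.9.54 default seccomp blocklist, reconstructed from the issue:
# the list posted there plus name_to_handle_at, the one call it removed.
# The position of name_to_handle_at in the list is an assumption.
FJ_DEFAULT_DROP="modify_ldt lookup_dcookie perf_event_open process_vm_writev
_sysctl afs_syscall create_module get_kernel_syms getpmsg putpmsg query_module
security sysfs tuxcall uselib ustat vserver adjtimex clock_adjtime
clock_settime settimeofday delete_module finit_module init_module ioperm iopl
kexec_load kexec_file_load reboot swapon swapoff acct bpf chroot mount
nfsservctl pivot_root setdomainname sethostname umount2 vhangup set_mempolicy
migrate_pages move_pages mbind name_to_handle_at open_by_handle_at ioprio_set
syslog fanotify_init kcmp add_key request_key keyctl io_setup io_destroy
io_getevents io_submit io_cancel remap_file_pages vmsplice personality
userfaultfd"

# build_drop_list SYSCALL...: print the default blocklist, comma separated,
# with every syscall named on the command line left out.
build_drop_list() {
    allow=" $* "
    out=""
    for sc in $FJ_DEFAULT_DROP; do
        case "$allow" in
            *" $sc "*) continue ;;      # explicitly allowed: keep it callable
        esac
        out="${out:+$out,}$sc"
    done
    printf '%s\n' "$out"
}

# drop_line SYSCALL...: the same list as a profile directive.
drop_line() {
    printf 'seccomp.drop %s\n' "$(build_drop_list "$@")"
}

# Kernel log line of the kind SECCOMP_RET_KILL produces (type=1326). This one
# is constructed for the example; syscall=303 is name_to_handle_at on x86_64
# (arch=c000003e), sig=31 is SIGSYS.
SAMPLE_AUDIT='audit: type=1326 audit(1537625000.123:42): auid=1000 uid=1000 gid=1000 ses=2 pid=4242 comm="DarkestDungeon" exe="/home/koz/games/gog/darkest-dungeon/game/darkest.bin.x86_64" sig=31 arch=c000003e syscall=303 compat=0 ip=0x7f3e8c0a9e77 code=0x0'

# audit_syscall_nr LINE: print the syscall= number from an audit line.
audit_syscall_nr() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]syscall=\([0-9]*\).*/\1/p'
}

# syscall_name NR: resolve an x86_64 syscall number to its name. Uses
# libseccomp's scmp_sys_resolver when present; the fallback table only knows
# the two handle_at calls this issue is about.
syscall_name() {
    nr=$1
    if command -v scmp_sys_resolver >/dev/null 2>&1; then
        scmp_sys_resolver -a x86_64 "$nr"
        return
    fi
    case "$nr" in
        303) echo name_to_handle_at ;;
        304) echo open_by_handle_at ;;
        *)   echo "unknown($nr)" ;;
    esac
}

# Stand-alone use: print a seccomp.drop line that allows each syscall named
# on the command line, e.g.   sh gog-seccomp.sh name_to_handle_at
if [ $# -gt 0 ]; then
    drop_line "$@"
fi
```

Put the printed line into a profile and load it with --profile, or hand the list to --seccomp.drop= directly. To find the blocked call, run the game once without the allowance, read the type=1326 line from dmesg or the audit log, and feed it to audit_syscall_nr and syscall_name. Later firejail releases also accept `seccomp !name_to_handle_at` for exactly this case (the default list minus that call); on 0.9.54 the list has to be spelled out.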


@SkewedZeppelin commented on GitHub (Sep 22, 2018):

You can create a profile for that and just
firejail --profile=./games/gogs.profile ./games/x/y/z/start.sh

# Firejail profile for gogs games
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/gogs.local
# Persistent global definitions
include /etc/firejail/globals.local


include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
# include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
#include /etc/firejail/disable-xdg.inc

caps.drop all
ipc-namespace
net none
nodbus
nodvd
nogroups
nonewprivs
noroot
notv
novideo
protocol unix
seccomp.drop modify_ldt,lookup_dcookie,perf_event_open,process_vm_writev,_sysctl,afs_syscall,create_module,get_kernel_syms,getpmsg,putpmsg,query_module,security,sysfs,tuxcall,uselib,ustat,vserver,adjtimex,clock_adjtime,clock_settime,settimeofday,delete_module,finit_module,init_module,ioperm,iopl,kexec_load,kexec_file_load,reboot,swapon,swapoff,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup,set_mempolicy,migrate_pages,move_pages,mbind,open_by_handle_at,ioprio_set,syslog,fanotify_init,kcmp,add_key,request_key,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,vmsplice,personality,userfaultfd
shell none

# disable-mnt
private $HOME/games
private-cache
private-dev
private-tmp

noexec /tmp

for any games that use something more unique than start.sh, we can upstream this profile and add many aliases for it so you can just e.g. firejail ./games/gogs/darkest-dungeon/ddgame or, if it is in your path, simply firejail ddgame


@kozross commented on GitHub (Sep 22, 2018):

@SkewedZeppelin Thanks for the suggestion! Unfortunately, all GOG games have a start.sh entry point, because they have some incredibly heterogeneous ways of being called. I'll definitely start making more use of profiles either way, though.


@rusty-snake commented on GitHub (Jun 30, 2019):

do we want to continue or close the idea with profiles for gog?


@kozross commented on GitHub (Jul 1, 2019):

Close it - I'm not sure I have the time to do this now.

Reference: github-starred/firejail#1437