[GH-ISSUE #2681] gimp: failure due to seccomp (needs mbind syscall) #1689

New issue

Open

opened 2026-05-05 08:20:10 -06:00 by gitea-mirror · 22 comments

gitea-mirror commented 2026-05-05 08:20:10 -06:00

Owner

Copy link

Originally created by @carloabelli on GitHub (May 7, 2019).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2681

Gimp 2.10.10 fails to load (hangs without any output).

Firejail version 0.9.58.2 on Arch Linux. Runs fine with --noprofile. Disabling seccomp in gimp.profile fixes the issue.

Originally created by @carloabelli on GitHub (May 7, 2019). Original GitHub issue: https://github.com/netblue30/firejail/issues/2681 Gimp 2.10.10 fails to load (hangs without any output). Firejail version 0.9.58.2 on Arch Linux. Runs fine with `--noprofile`. Disabling `seccomp` in `gimp.profile` fixes the issue.

gitea-mirror added the

workaround

label 2026-05-05 08:20:10 -06:00

gitea-mirror commented 2026-05-05 08:20:12 -06:00

Author

Owner

Copy link

@SkewedZeppelin commented on GitHub (May 7, 2019):

I cannot reproduce this.
Are you using the proprietary NVIDIA drivers? or AppArmor?

<!-- gh-comment-id:489970434 --> @SkewedZeppelin commented on GitHub (May 7, 2019): I cannot reproduce this. Are you using the proprietary NVIDIA drivers? or AppArmor?

gitea-mirror commented 2026-05-05 08:20:13 -06:00

Author

Owner

Copy link

@carloabelli commented on GitHub (May 7, 2019):

@SkewedZeppelin Using AppArmor

<!-- gh-comment-id:489970865 --> @carloabelli commented on GitHub (May 7, 2019): @SkewedZeppelin Using AppArmor

gitea-mirror commented 2026-05-05 08:20:14 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (May 8, 2019):

Does sudo journalctl | grep syscall return something? Or do you see other messages related to gimp in your syslog?

Thanks.

<!-- gh-comment-id:490671664 --> @smitsohu commented on GitHub (May 8, 2019): Does `sudo journalctl | grep syscall` return something? Or do you see other messages related to gimp in your syslog? Thanks.

gitea-mirror commented 2026-05-05 08:20:15 -06:00

Author

Owner

Copy link

@carloabelli commented on GitHub (May 9, 2019):

@smitsohu Yup:

May 08 21:42:31 arch audit[16327]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=16327 comm="gimp" exe="/usr/bin/gimp-2.10" sig=31 arch=c000003e syscall=237 compat=0 ip=0x6a42015c897d code=0x0
May 08 21:42:31 arch kernel: audit: type=1326 audit(1557366151.446:165): auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=16327 comm="gimp" exe="/usr/bin/gimp-2.10" sig=31 arch=c000003e syscall=237 compat=0 ip=0x6a42015c897d code=0x0
                                              #4  0x00006a42015c897d syscall (libc.so.6)
                                              #0  0x00006a42015c897d syscall (libc.so.6)
                                              #0  0x00006a42015c897d syscall (libc.so.6)

<!-- gh-comment-id:490713035 --> @carloabelli commented on GitHub (May 9, 2019): @smitsohu Yup: ``` May 08 21:42:31 arch audit[16327]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=16327 comm="gimp" exe="/usr/bin/gimp-2.10" sig=31 arch=c000003e syscall=237 compat=0 ip=0x6a42015c897d code=0x0 May 08 21:42:31 arch kernel: audit: type=1326 audit(1557366151.446:165): auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=16327 comm="gimp" exe="/usr/bin/gimp-2.10" sig=31 arch=c000003e syscall=237 compat=0 ip=0x6a42015c897d code=0x0 #4 0x00006a42015c897d syscall (libc.so.6) #0 0x00006a42015c897d syscall (libc.so.6) #0 0x00006a42015c897d syscall (libc.so.6) ```

gitea-mirror commented 2026-05-05 08:20:16 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (May 9, 2019):

syscall=237

Ok, then firejail --debug-syscalls | grep 237 will return the syscall that was used by gimp although it was forbidden by seccomp.

<!-- gh-comment-id:490817166 --> @smitsohu commented on GitHub (May 9, 2019): > syscall=237 Ok, then `firejail --debug-syscalls | grep 237` will return the syscall that was used by gimp although it was forbidden by seccomp.

gitea-mirror commented 2026-05-05 08:20:17 -06:00

Author

Owner

Copy link

@carloabelli commented on GitHub (May 10, 2019):

@smitsohu mbind

<!-- gh-comment-id:491383556 --> @carloabelli commented on GitHub (May 10, 2019): @smitsohu `mbind`

gitea-mirror commented 2026-05-05 08:20:18 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (May 10, 2019):

@carloabelli Cool, thanks!

Now the question is why it is failing for you. As this is not caused by AppArmor and there are no proprietary video drivers, another wild guess would be OpenCL... do you have OpenCL enabled on your system?

It seems there is an evironment variable to turn OpenCL off in Gimp, could you please try firejail --env=GEGL_USE_OPENCL=no gimp? There should be also a toggle somewhere in the preferences, not sure if that would work as well.

<!-- gh-comment-id:491396528 --> @smitsohu commented on GitHub (May 10, 2019): @carloabelli Cool, thanks! Now the question is why it is failing for you. As this is not caused by AppArmor and there are no proprietary video drivers, another wild guess would be OpenCL... do you have OpenCL enabled on your system? It seems there is an evironment variable to turn OpenCL off in Gimp, could you please try `firejail --env=GEGL_USE_OPENCL=no gimp`? There should be also a toggle somewhere in the preferences, not sure if that would work as well.

gitea-mirror commented 2026-05-05 08:20:18 -06:00

Author

Owner

Copy link

@carloabelli commented on GitHub (May 10, 2019):

@smitsohu I don't believe I have OpenCL enabled. Running with that env variable did not resolve the issue.

<!-- gh-comment-id:491399574 --> @carloabelli commented on GitHub (May 10, 2019): @smitsohu I don't believe I have OpenCL enabled. Running with that env variable did not resolve the issue.

gitea-mirror commented 2026-05-05 08:20:19 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (May 10, 2019):

Ok. How does the output of firejail gimp --verbose look when it is not responding any more (probably only the last couple of lines are interesting)?

<!-- gh-comment-id:491409562 --> @smitsohu commented on GitHub (May 10, 2019): Ok. How does the output of `firejail gimp --verbose` look when it is not responding any more (probably only the last couple of lines are interesting)?

gitea-mirror commented 2026-05-05 08:20:19 -06:00

Author

Owner

Copy link

@smitsohu commented on GitHub (May 10, 2019):

seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice

is the default seccomp filter just without mbind. If you want you can add it to /etc/firejail/gimp.local along with ignore seccomp to keep going with the filter.

<!-- gh-comment-id:491415452 --> @smitsohu commented on GitHub (May 10, 2019): `seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice` is the default seccomp filter just without `mbind`. If you want you can add it to /etc/firejail/gimp.local along with `ignore seccomp` to keep going with the filter.

gitea-mirror commented 2026-05-05 08:20:19 -06:00

Author

Owner

Copy link

@carloabelli commented on GitHub (May 11, 2019):

@smitsohu

Unfortunately there is no output before it stops responding with the verbose flag.

Adding gimp.local with those contents does allow gimp to run.

<!-- gh-comment-id:491461005 --> @carloabelli commented on GitHub (May 11, 2019): @smitsohu Unfortunately there is no output before it stops responding with the verbose flag. Adding gimp.local with those contents does allow gimp to run.

gitea-mirror commented 2026-05-05 08:20:20 -06:00

Author

Owner

Copy link

@rusty-snake commented on GitHub (Jun 23, 2019):

Closing for now, since there is a workaround.

<!-- gh-comment-id:504727989 --> @rusty-snake commented on GitHub (Jun 23, 2019): Closing for now, since there is a workaround.

gitea-mirror commented 2026-05-05 08:20:20 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jan 25, 2020):

I don't have anything against this per se, but my gimp runs just fine on Arch/Ubuntu with seccomp and doesn't need this at all. https://github.com/netblue30/firejail/issues/2681 had a workaround, so I wonder why we merged this for everybody while the OP can use 'seccomp !mbind' in gimp.local. Or am I missing something here?

<!-- gh-comment-id:578443192 --> @ghost commented on GitHub (Jan 25, 2020): I don't have anything against this per se, but my gimp runs just fine on Arch/Ubuntu with seccomp and doesn't need this at all. https://github.com/netblue30/firejail/issues/2681 had a workaround, so I wonder why we merged this for everybody while the OP can use 'seccomp !mbind' in gimp.local. Or am I missing something here?

gitea-mirror commented 2026-05-05 08:20:20 -06:00

Author

Owner

Copy link

@Fred-Barclay commented on GitHub (Jan 26, 2020):

@glitsj16 I was wondering that too...

<!-- gh-comment-id:578532315 --> @Fred-Barclay commented on GitHub (Jan 26, 2020): @glitsj16 I was wondering that too...

gitea-mirror commented 2026-05-05 08:20:21 -06:00

Author

Owner

Copy link

@carloabelli commented on GitHub (Jan 27, 2020):

@glitsj16 @Fred-Barclay I wasn't sure how wide ranging the issue is, so if it's too isolated I'd be happy to revert this (perhaps a comment should be added about allowing mbind in some cases). Also happy to help figure out exactly what it is about my setup that causes this.

<!-- gh-comment-id:578995548 --> @carloabelli commented on GitHub (Jan 27, 2020): @glitsj16 @Fred-Barclay I wasn't sure how wide ranging the issue is, so if it's too isolated I'd be happy to revert this (perhaps a comment should be added about allowing mbind in some cases). Also happy to help figure out exactly what it is about my setup that causes this.

gitea-mirror commented 2026-05-05 08:20:21 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jan 27, 2020):

@carloabelli No worries. If we can reproduce, we already have a fix. If we cannot, we can reverse later on. But indeed, let's try to determine why your firejailed gimp hangs exactly. I assume both have been updated since your original report. Can you provide details on the environment in which this occurs please? Desktop environment, using Xorg or Wayland, content of gimp.local if you have that etcetera. For example, a memory-deny-write-execute in gimp.local could make it hang.

May 08 21:42:31 arch audit[16327]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=16327 comm="gimp" exe="/usr/bin/gimp-2.10" sig=31 arch=c000003e syscall=237 compat=0 ip=0x6a42015c897d code=0x0
May 08 21:42:31 arch kernel: audit: type=1326 audit(1557366151.446:165): auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=16327 comm="gimp" exe="/usr/bin/gimp-2.10" sig=31 arch=c000003e syscall=237 compat=0 ip=0x6a42015c897d code=0x0

Those look like AppArmor. Have you tried --ignore=apparmor yet (using the original full seccomp obviously)?

<!-- gh-comment-id:579011214 --> @ghost commented on GitHub (Jan 27, 2020): @carloabelli No worries. If we can reproduce, we already have a fix. If we cannot, we can reverse later on. But indeed, let's try to determine why your firejailed gimp hangs exactly. I assume both have been updated since your original report. Can you provide details on the environment in which this occurs please? Desktop environment, using Xorg or Wayland, content of gimp.local if you have that etcetera. For example, a memory-deny-write-execute in gimp.local could make it hang. > May 08 21:42:31 arch audit[16327]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=16327 comm="gimp" exe="/usr/bin/gimp-2.10" sig=31 arch=c000003e syscall=237 compat=0 ip=0x6a42015c897d code=0x0 > May 08 21:42:31 arch kernel: audit: type=1326 audit(1557366151.446:165): auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=16327 comm="gimp" exe="/usr/bin/gimp-2.10" sig=31 arch=c000003e syscall=237 compat=0 ip=0x6a42015c897d code=0x0 Those look like AppArmor. Have you tried --ignore=apparmor yet (using the original full seccomp obviously)?

gitea-mirror commented 2026-05-05 08:20:22 -06:00

Author

Owner

Copy link

@carloabelli commented on GitHub (Jan 28, 2020):

@glitsj16 Sounds good. I'm currently running Arch Linux with sway as my window manager (so wayland). GIMP version 2.10.14 and firejail version 0.9.62. Currently my gimp.local just contains seccomp !mbind. Removing that line causes GIMP to hang. Using ignore apparmor also has no effect (still hangs). Disabling apparmor system wide also does not help, so it seems that its not apparmor related.

<!-- gh-comment-id:579019840 --> @carloabelli commented on GitHub (Jan 28, 2020): @glitsj16 Sounds good. I'm currently running Arch Linux with sway as my window manager (so wayland). GIMP version 2.10.14 and firejail version 0.9.62. Currently my gimp.local just contains `seccomp !mbind`. Removing that line causes GIMP to hang. Using `ignore apparmor` also has no effect (still hangs). Disabling apparmor system wide also does not help, so it seems that its not apparmor related.

gitea-mirror commented 2026-05-05 08:20:22 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Jan 28, 2020):

@carloabelli Thanks for the update. I assume you still get the same syscall 237. Sway has Xwayland support correct? It's just a shot in the dark, but do you get the same issue/syscall when running GIMP under X11? I run the same GIMP version on Arch under GNOME Wayland and nothing indicates it needs access to kernel memory or NUMA settings, which is what mbind does if I'm not mistaken. Under X11 just the same, a rather exceptionally clean, silent run. Do you run the stock Arch kernel? Default factory settings for GIMP? As you notice, at the moment I'm clueless as to what might cause this for you. No need to respond to all these questions if they don't trigger any change (for the better). We'll just keep tracking this and see if other collaborators/users chime in. Regards!

<!-- gh-comment-id:579033319 --> @ghost commented on GitHub (Jan 28, 2020): @carloabelli Thanks for the update. I assume you still get the same syscall 237. Sway has Xwayland support correct? It's just a shot in the dark, but do you get the same issue/syscall when running GIMP under X11? I run the same GIMP version on Arch under GNOME Wayland and nothing indicates it needs access to kernel memory or NUMA settings, which is what mbind does if I'm not mistaken. Under X11 just the same, a rather exceptionally clean, silent run. Do you run the stock Arch kernel? Default factory settings for GIMP? As you notice, at the moment I'm clueless as to what might cause this for you. No need to respond to all these questions if they don't trigger any change (for the better). We'll just keep tracking this and see if other collaborators/users chime in. Regards!

gitea-mirror commented 2026-05-05 08:20:22 -06:00

Author

Owner

Copy link

@carloabelli commented on GitHub (Jan 28, 2020):

@glitsj16 Yup looks to be the same issue. Sway does have Xwayland support. I am running the hardened arch kernel so maybe that could be it. Stock GIMP. Also pretty stumped what this could be. When I have more time I'll try running with the stock kernel and also X11 to see if that helps and report back. Thanks for your suggestions!

<!-- gh-comment-id:579082775 --> @carloabelli commented on GitHub (Jan 28, 2020): @glitsj16 Yup looks to be the same issue. Sway does have Xwayland support. I am running the hardened arch kernel so maybe that could be it. Stock GIMP. Also pretty stumped what this could be. When I have more time I'll try running with the stock kernel and also X11 to see if that helps and report back. Thanks for your suggestions!

gitea-mirror commented 2026-05-05 08:20:23 -06:00

Author

Owner

Copy link

@carloabelli commented on GitHub (Feb 1, 2020):

Tried with stock kernel and i3 (X11) and still no luck with mbind disabled.

<!-- gh-comment-id:580989890 --> @carloabelli commented on GitHub (Feb 1, 2020): Tried with stock kernel and i3 (X11) and still no luck with mbind disabled.

gitea-mirror commented 2026-05-05 08:20:23 -06:00

Author

Owner

Copy link

@ghost commented on GitHub (Feb 3, 2020):

@carloabelli Thanks for the feedback. Still stumped on what might cause this for you. I've retested GIMP on all machines I have access to and the full seccomp filter works just fine. So I'm going to revert #3178 for now. You can add the 'seccomp !mbind' to your gimp.local to keep it going. If you ever find out what exactly causes this for you, please keep us informed.

<!-- gh-comment-id:581653771 --> @ghost commented on GitHub (Feb 3, 2020): @carloabelli Thanks for the feedback. Still stumped on what might cause this for you. I've retested GIMP on all machines I have access to and the full seccomp filter works just fine. So I'm going to revert #3178 for now. You can add the 'seccomp !mbind' to your gimp.local to keep it going. If you ever find out what exactly causes this for you, please keep us informed.

gitea-mirror commented 2026-05-05 08:20:24 -06:00

Author

Owner

Copy link

@carloabelli commented on GitHub (Feb 3, 2020):

@glitsj16 Sounds good to me. I will update this if anything changes.

<!-- gh-comment-id:581656273 --> @carloabelli commented on GitHub (Feb 3, 2020): @glitsj16 Sounds good to me. I will update this if anything changes.

gitea-mirror referenced this issue 2026-05-05 10:12:44 -06:00

[PR #1689] [MERGED] disable-common.inc: read-only access to ~/.ssh/authorized_keys #4044

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

master

serialize_remounts_v2

landlock_v4

landlock

release-0.9.64

release-0.9.62

gitlab_ci

LTSbase

fred_ctests

docs

0.9.80

0.9.80-rc1

0.9.78

0.9.76

0.9.76-rc4

0.9.76-rc3

0.9.76-rc2

0.9.76-rc1

0.9.74

landlock-split

0.9.72

0.9.72rc1

0.9.70

0.9.68

0.9.68rc1

0.9.66

0.9.66rc1

0.9.64.4

0.9.64.2

0.9.64

0.9.64rc1

0.9.62.4

0.9.62.2

0.9.62

0.9.56.2-LTS

0.9.60

0.9.60-rc1

0.9.58.2

0.9.58

0.9.58-rc1

0.9.56-LTS-release

0.9.56-LTS

0.9.56

0.9.56-rc1

0.9.54

0.9.54-rc2

0.9.54-rc1

0.9.52

0.9.38.12

0.9.50

0.9.50-rc1

0.9.48

0.9.46

0.9.46-rc1

0.9.44.10

0.9.44.8

0.9.44.6

0.9.38.10

0.9.44.4

0.9.38.8

0.9.44.2

0.9.44

0.9.44-rc1

0.9.38.4

0.9.42

0.9.42-rc2

0.9.38.2

0.9.42-rc1

disable-globalcfg

0.9.40

0.9.40-rc1

0.9.38

0.9.38-rc1

0.9.36

0.9.36-rc1

0.9.34

0.9.34-rc1

0.9.32

0.9.32-rc1

0.9.30

0.9.30-rc1

Labels

Clear labels   

LTS merge

  

LTS merge

  

bug

  

bug

  

converted-to-discussion

  

doc-todo

  

documentation

  

duplicate

  

enhancement

  

file-transfer

  

firecfg

  

firejail-in-firejail

  

firetools

  

graphics

  

help wanted

  

information_old

  

installation

  

invalid

  

modif

  

moved

  

needinfo

  

networking

  

notabug

  

notourbug

  

old-version

  

overlayfs

  

packaging

  

profile-request

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

question_old

  

removal

  

runtime-permissions

  

sandbox-ipc

  

security

  

stale

  

wiki

  

wiki

  

wontfix

  

wordpress

  

workaround

No labels

LTS merge

LTS merge

bug

bug

converted-to-discussion

doc-todo

documentation

duplicate

enhancement

file-transfer

firecfg

firejail-in-firejail

firetools

graphics

help wanted

information_old

installation

invalid

modif

moved

needinfo

networking

notabug

notourbug

old-version

overlayfs

packaging

profile-request

pull-request

question

question_old

removal

runtime-permissions

sandbox-ipc

security

stale

wiki

wiki

wontfix

wordpress

workaround

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1689

No description provided.