[GH-ISSUE #3267] Steam freezes on start #2051

Closed
opened 2026-05-05 08:43:23 -06:00 by gitea-mirror · 13 comments

Originally created by @TheOneric on GitHub (Mar 4, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3267

I checked recently opened and closed issues with steam beforehand, but couldn't find a solution. Apologies if I missed something and this has been reported before.

I used to run Steam with `firejail --ignore=private-dev steam` and it worked fine. Ignoring private-dev is needed for my controller to work.
However, now starting Steam like this causes it to hang on start. A Steam icon is in the tray, but it cannot be interacted with and no window opens; the program doesn't crash.
Using `--allow-debuggers` as suggested in another issue did nothing. `--ignore-seccomp` does work. Checking journalctl I can see the blocked syscall is `349`, but using `--seccomp=!$349` does nothing, and I would prefer not to disable seccomp completely.

journalctl output:

```
Mär 04 16:45:50 gamestation audit[17983]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=17983 comm="steam" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_32/steam" sig=31 arch=40000003 syscall=349 compat=1 ip=0xf7f2bb49 code=0x0
Mär 04 16:45:50 gamestation kernel: audit: type=1326 audit(1583336750.477:93): auid=1001 uid=1001 gid=60 ses=2 pid=17983 comm="steam" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_32/steam" sig=31 arch=40000003 syscall=349 compat=1 ip=0xf7f2bb49 code=0x0
```

I am using firejail 0.9.62 on Manjaro.

@rusty-snake commented on GitHub (Mar 4, 2020):

First I was thinking that `!$123` simply does not work. So I checked with `firejail --noprofile '--seccomp=!$161' --audit`, but it works. I also tried to get the name of the syscall with `firejail --debug-syscalls | grep 349`, but this does not work. Looks like there is no 349 syscall. Then I noticed that the `arch` differs from the one in my logs from above. After some research I used `ausyscall i386 349` to resolve this i386 (x86; 32-bit) syscall on an x86_64 (64-bit) system, and it is `kcmp`.

Looks like you have an AMD GPU. See #3219.

@TheOneric commented on GitHub (Mar 4, 2020):

> Looks like you have an AMD GPU. See #3219.

Thanks, I do indeed have AMDGPU and Mesa-19.3.4.
I tried `firejail --ignore=private-dev '--seccomp=!kcmp' steam` and `firejail --ignore=private-dev --ignore=seccomp '--seccomp=!kcmp,!chroot,!ptrace' steam`, but it still doesn't work and journalctl keeps reporting 349 as being blocked.
Excerpt of output when running second version:

```
Private /etc installed in 64.70 ms
Post-exec seccomp protector enabled
Seccomp list in: !kcmp,!chroot,!ptrace, check list: @default-keep, prelist: unknown,unknown,unknown,
Child process initialized in 226.18 ms
Manjaro steam native configuration found!
Running Steam on manjarolinux 19.0.2 64-bit
```

If there's nothing wrong with the command, does Steam being a 32-bit executable perhaps affect the seccomp filters? My system and most other applications are 64-bit (x86_64).

@polyzen commented on GitHub (Mar 4, 2020):

Arch Linux
amdgpu
firejail 0.9.62

Having the same issue with `steam` and more or less the same issue with `steam-native`. The only difference that stands out is that with `steam` the tray icon appears. Haven't had any issues with `firefox`.

@rusty-snake commented on GitHub (Mar 4, 2020):

@TheOneric @polyzen can (one of) you try this:

```
firejail '--seccomp.drop=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice' --ignore=seccomp --ignore=private-dev steam
```

@TheOneric commented on GitHub (Mar 4, 2020):

@rusty-snake This improves the situation, but doesn't completely work.
I can now interact with the tray icon and a window opens. However, similar to #3049, the main content area is black, though I can interact with the Settings etc. A currently active download is continuing, and the Downloads page is the only one that is working in the main window. Settings etc. are working.
Possibly related terminal output:

```
chrome_ipc_client.cpp (835) : Assertion Failed: Failed to connect to master html process, created shared memory (spawn time 60.11)
chrome_ipc_client.cpp (835) : Assertion Failed: Failed to connect to master html process, created shared memory (spawn time 60.11)
Installing breakpad exception handler for appid(steam)/version(1581460722)
ERROR: ld.so: object '/run/firejail/lib/libpostexecseccomp.so' from /etc/ld.so.preload cannot be preloaded (wrong ELF class: ELFCLASS64): ignored.
assert_20200304195853_32.dmp[327]: Uploading dump (out-of-process)
[…]
Installing breakpad exception handler for appid(steam)/version(1581460722)
ExecuteSteamURL: "steam://open/downloads"
```
@rusty-snake commented on GitHub (Mar 4, 2020):

@TheOneric is there anything in the journal? Have you tried to comment out `include disable-common.inc`? (You can't use ignore, you must comment it out.)


@topimiettinen looks like exceptions only work for the native arch. Is that wanted? cf. `seccomp !kcmp` is broken, `seccomp.drop <@default without kcmp>` works.

@TheOneric commented on GitHub (Mar 4, 2020):

```
Mär 04 19:57:53 gamestation audit[28872]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=28872 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=31 arch=c000003e syscall=117 compat=0 ip=0x7f2431667e63 code=0x0
Mär 04 19:57:53 gamestation kernel: audit: type=1326 audit(1583348273.027:145): auid=1001 uid=1001 gid=60 ses=2 pid=28872 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=31 arch=c000003e syscall=117 compat=0 ip=0x7f2431667e63 code=0x0
Mär 04 19:57:53 gamestation audit[29043]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=29043 comm="steamwebhelper" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/steamwebhelper" sig=31 arch=c000003e syscall=144 compat=0 ip=0x7f2be6b0760b code=0x0
Mär 04 19:57:53 gamestation audit[29043]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=29043 comm="steamwebhelper" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/steamwebhelper" sig=31 arch=c000003e syscall=203 compat=0 ip=0x7f2be6bfbb21 code=0x0
Mär 04 19:57:53 gamestation kernel: audit: type=1326 audit(1583348273.947:149): auid=1001 uid=1001 gid=60 ses=2 pid=29043 comm="steamwebhelper" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/steamwebhelper" sig=31 arch=c000003e syscall=144 compat=0 ip=0x7f2be6b0760b code=0x0
Mär 04 19:57:53 gamestation kernel: audit: type=1326 audit(1583348273.947:150): auid=1001 uid=1001 gid=60 ses=2 pid=29043 comm="steamwebhelper" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/steamwebhelper" sig=31 arch=c000003e syscall=203 compat=0 ip=0x7f2be6bfbb21 code=0x0
Mär 04 19:57:54 gamestation audit[29090]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=29090 comm="gldriverquery" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/gldriverquery" sig=31 arch=c000003e syscall=144 compat=0 ip=0x7fa27876c60b code=0x0
Mär 04 19:57:54 gamestation audit[29090]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=29090 comm="gldriverquery" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/gldriverquery" sig=31 arch=c000003e syscall=203 compat=0 ip=0x7fa278520b21 code=0x0
Mär 04 19:57:54 gamestation kernel: audit: type=1326 audit(1583348274.980:151): auid=1001 uid=1001 gid=60 ses=2 pid=29090 comm="gldriverquery" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/gldriverquery" sig=31 arch=c000003e syscall=144 compat=0 ip=0x7fa27876c60b code=0x0
Mär 04 19:57:54 gamestation kernel: audit: type=1326 audit(1583348274.980:152): auid=1001 uid=1001 gid=60 ses=2 pid=29090 comm="gldriverquery" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/gldriverquery" sig=31 arch=c000003e syscall=203 compat=0 ip=0x7fa278520b21 code=0x0
```

syscalls 117(setresuid), 144(sched_setscheduler), 203(sched_setaffinity) and arch=c000003e(afaik x86_64).

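The lookup rusty-snake did by hand above (`ausyscall i386 349`) and the x86_64 resolution TheOneric posted (117, 144, 203), done programmatically as an added example; this is not firejail's code and not code from the thread. It parses the kernel's SECCOMP audit records, decodes the `arch=` field through the kernel's AUDIT_ARCH constants, and resolves the syscall number with that architecture's table instead of the native one, which is the mistake behind `--seccomp=!$349`. The per-arch syscall tables are an assumed subset covering only the numbers that appear in this thread; the embedded log lines are copied from the posts above, and the optional `ausyscall` fallback is the only external dependency.

```python
"""Decode SECCOMP audit records per architecture.

Added example for this thread, not firejail code. AUDIT_ARCH values come
from linux/audit.h; SYSCALL_TABLES is an assumed subset covering only the
numbers seen in the thread (full tables: `ausyscall --dump`).
"""
import re
import shutil
import subprocess
import sys

# AUDIT_ARCH_* from linux/audit.h: ELF machine number OR'd with
# __AUDIT_ARCH_64BIT (0x80000000) and __AUDIT_ARCH_LE (0x40000000).
AUDIT_ARCH = {
    0xC000003E: "x86_64",
    0x40000003: "i386",
    0xC00000B7: "aarch64",
    0x40000028: "arm",
}

# Assumed subset of asm/unistd_64.h and asm/unistd_32.h. The same number
# names a different call on each arch, which is the point of the thread.
SYSCALL_TABLES = {
    "x86_64": {117: "setresuid", 144: "sched_setscheduler", 161: "chroot",
               203: "sched_setaffinity", 312: "kcmp"},
    "i386": {61: "chroot", 156: "sched_setscheduler", 164: "setresuid",
             208: "setresuid32", 241: "sched_setaffinity", 349: "kcmp"},
}

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Journal lines copied from the posts in this thread, plus one unrelated
# line so the parser's filtering is exercised.
SAMPLE_LINES = [
    'Mär 04 16:45:50 gamestation audit[17983]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=17983 comm="steam" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_32/steam" sig=31 arch=40000003 syscall=349 compat=1 ip=0xf7f2bb49 code=0x0',
    'Mär 04 19:57:53 gamestation audit[28872]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=28872 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=31 arch=c000003e syscall=117 compat=0 ip=0x7f2431667e63 code=0x0',
    'Mär 04 19:57:53 gamestation audit[29043]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=29043 comm="steamwebhelper" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/steamwebhelper" sig=31 arch=c000003e syscall=203 compat=0 ip=0x7f2be6bfbb21 code=0x0',
    'Mär 04 19:57:53 gamestation kernel: audit: type=1326 audit(1583348273.947:149): auid=1001 uid=1001 gid=60 ses=2 pid=29043 comm="steamwebhelper" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/steamwebhelper" sig=31 arch=c000003e syscall=144 compat=0 ip=0x7f2be6b0760b code=0x0',
    'Mär 04 19:57:53 gamestation kernel: audit: type=1326 audit(1583348273.947:150): auid=1001 uid=1001 gid=60 ses=2 pid=29043 comm="steamwebhelper" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/steamwebhelper" sig=31 arch=c000003e syscall=203 compat=0 ip=0x7f2be6bfbb21 code=0x0',
    'Mär 04 19:57:53 gamestation systemd[1]: Started something unrelated.',
]


def parse_seccomp_record(line):
    """Return the useful fields of one SECCOMP record, or None for other lines.

    The `audit[pid]: SECCOMP ...` and `kernel: audit: type=1326 ...` forms
    carry the same key=value fields, so one parser serves both.
    """
    if "SECCOMP" not in line and "type=1326" not in line:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    if "arch" not in fields or "syscall" not in fields:
        return None
    arch_id = int(fields["arch"], 16)
    return {
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        "arch": AUDIT_ARCH.get(arch_id, "unknown(0x%x)" % arch_id),
        "compat": fields.get("compat") == "1",   # 1 = 32-bit entry on a 64-bit kernel
        "nr": int(fields["syscall"]),
    }


def resolve_syscall(arch, nr, use_ausyscall=False):
    """Map (arch, number) to a name using that arch's table.

    349 is kcmp on i386 and nothing at all on x86_64, so resolving against
    the native table, as `--seccomp=!$349` effectively did, finds no match.
    """
    name = SYSCALL_TABLES.get(arch, {}).get(nr)
    if name is None and use_ausyscall and shutil.which("ausyscall"):
        proc = subprocess.run(["ausyscall", arch, str(nr)],
                              capture_output=True, text=True)
        if proc.returncode == 0 and proc.stdout.strip():
            name = proc.stdout.strip()
    return name


def summarize_blocked(lines, use_ausyscall=False):
    """One row per (comm, arch, nr), resolved with the right table.

    The journal carries every kill twice (audit[] and kernel: forms), so
    rows are deduplicated. name is None when nothing could resolve it.
    """
    rows = {}
    for line in lines:
        rec = parse_seccomp_record(line)
        if rec is None:
            continue
        key = (rec["comm"], rec["arch"], rec["nr"])
        if key not in rows:
            rows[key] = resolve_syscall(rec["arch"], rec["nr"], use_ausyscall)
    return [(c, a, n, rows[(c, a, n)]) for (c, a, n) in sorted(rows)]


if __name__ == "__main__":
    # Stand-alone: decode the embedded lines, or whatever is piped in.
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for comm, arch, nr, name in summarize_blocked(source, use_ausyscall=True):
        print(f"{comm:16} {arch:8} {nr:4}  {name or '?'}")
```

On a live system, `journalctl --grep=SECCOMP | python3 seccomp_decode.py` gives the per-arch view directly; the `compat=1` field is the second tell that the record came from the 32-bit entry point, which is why a name or number resolved against the native x86_64 table never matched the call Steam's 32-bit launcher was actually making.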
@topimiettinen commented on GitHub (Mar 4, 2020):

Typically only one arch is ever used and then you want to block the secondary archs. Steam is indeed an exception where 64-bit and 32-bit code is mixed (are there any others?). The problem here is that currently we can only translate system call names to numbers for the native arch.

Ideally the user should be able to specify different filters for each arch, something like seccomp.64.drop=a,b,c seccomp.32.keep=x,y,z. It would be friendly to users to let them construct filters for the archs with one list of system calls, but there are subtle differences with the system calls, some exist only on one arch and the names do not always match.

Also the error about libpostexecseccomp.so means that 32 bit ld.so doesn't know how to load a 64 bit library. For this to work, we'd need a pre-compiled library for all archs.

Nothing impossible, but it needs a bit of thought.

@Vincent43 commented on GitHub (Mar 5, 2020):

> Steam is indeed an exception where 64-bit and 32-bit code is mixed (are there any others?)

wine

@rusty-snake commented on GitHub (Mar 8, 2020):

@TheOneric I got mixed up with the seccomp groups, can you try again with this seccomp.drop:

```
--seccomp.drop=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
```
@TheOneric commented on GitHub (Mar 8, 2020):

> can you try again with this seccomp.drop:
>
> ```
> --seccomp.drop=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
> ```

This one works without any visible problems, thanks.

@rusty-snake commented on GitHub (Mar 8, 2020):

Suggestion:

diff --git a/etc/steam.profile b/etc/steam.profile
index bc90af83..cd9bb745 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -38,8 +38,6 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
-# allow-debuggers needed for running some games with proton
-allow-debuggers
 caps.drop all
 #ipc-namespace
 netfilter
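Review bot: dropping `allow-debuggers` here removes the only line in the profile that records the Proton requirement; the removed comment says some games need it, and nothing in this thread reports a Proton test against the new filter. Suggest keeping it as a commented-out `#allow-debuggers` with its comment so users can re-enable it from steam.local, or stating in the commit message why the explicit `seccomp.drop` list in the next hunk makes it unnecessary.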
@@ -54,9 +52,11 @@ nou2f
 # novideo should be commented for VR
 novideo
 protocol unix,inet,inet6,netlink
-# seccomp cause sometimes issues (see #2860, #2951),
+# seccomp cause sometimes issues (see #2951, #3267),
 # comment it or add 'ignore seccomp' to steam.local if so.
-seccomp
+# @default without kcmp, ptrace is needed by proton.
+# seccomp exception only work for the native architectur at the moment.
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
 shell none
 # tracelog disabled as it breaks integrated browser
 #tracelog
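Review bot: `set_mempolicyvmsplice` in the new `seccomp.drop` line is missing the comma between `set_mempolicy` and `vmsplice`, so neither of the two intended entries is matched as a syscall name; it should read `set_mempolicy,vmsplice`. The same typo is in the command that was tested above, so the list should be re-tested after the fix. The added comments also need cleaning up: `seccomp cause sometimes issues` reads better as `seccomp sometimes causes issues`, and `seccomp exception only work for the native architectur` should be `seccomp exceptions only work for the native architecture`.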
@topimiettinen commented on GitHub (Mar 13, 2020):

I made a draft PR #3276 for this.
