[GH-ISSUE #3795] teams: program does not start (seccomp/tracelog) #2397

Closed
opened 2026-05-05 09:04:22 -06:00 by gitea-mirror · 13 comments

Originally created by @tirasdude on GitHub (Dec 7, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3795

Background:
Ubuntu 20.04 AMD64
Nvidia Quadro on Nvidia 450 Driver
Installed from deb package (firejail_0.9.64-apparmor_1_amd64.deb) from here: https://sourceforge.net/projects/firejail/files/firejail/
MS Teams: teams_1.3.00.30857_amd64
skype and zoom work fine

Issue:
During start get this message:
Reading profile /etc/firejail/teams.profile
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: Warning: NVIDIA card detected, nogroups command disabled
Parent pid 17948, child pid 17949
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: not remounting /run/user/1000/gvfs
Warning: not remounting /run/user/1000/doc
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Child process initialized in 131.45 ms

Parent is shutting down, bye...

Syslog output:
Dec 7 20:55:11 linux systemd[1]: fwupd.service: Succeeded.
Dec 7 20:55:15 linux kernel: [10615.421160] audit: type=1326 audit(1607360115.564:51): auid=1000 uid=1000 gid=1000 ses=2 pid=18900 comm="teams" exe="/usr/share/teams/teams" sig=31 arch=c000003e syscall=161 compat=0 ip=0x7efe3eeca89d code=0x0
Dec 7 20:55:15 linux kernel: [10615.643281] traps: teams[18895] trap int3 ip:560a38ae97c5 sp:7ffd845749a0 error:0 in teams[560a357d7000+53c4000]

Any ideas what it could be?

Thanks

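The syslog line in the report is a kernel seccomp audit record (type=1326): on arch c000003e (x86_64) syscall 161 is chroot, sig=31 is SIGSYS, and code=0x0 is the plain kill action, which is consistent with the maintainer's later `seccomp !chroot` change. The following decoder is an added example for this thread, not code from the firejail project; its syscall table is a small constructed subset of the x86_64 table, and the sample log is the three lines quoted above, so the `traps: ... int3` line (a different pid, not an audit record) is skipped rather than misread.

```python
"""Decode Linux seccomp audit records (type=1326) of the kind firejail leaves
in syslog when a sandboxed program is killed for a blocked syscall.

Added example for this issue thread, not firejail's own code.
"""
import re

# Constructed subset of the x86_64 syscall table (arch=c000003e); numbers not
# listed here are reported as "syscall_<n>".
X86_64_SYSCALLS = {
    56: "clone", 57: "fork", 59: "execve", 101: "ptrace", 157: "prctl",
    161: "chroot", 165: "mount", 166: "umount2", 272: "unshare", 317: "seccomp",
}

# AUDIT_ARCH_* values as they appear in the arch= field.
AUDIT_ARCHES = {0xC000003E: "x86_64", 0x40000003: "i386", 0xC00000B7: "aarch64"}

# Linux signal numbers on x86/arm; sig=31 is SIGSYS, what a kill-action filter delivers.
SIGNALS = {9: "SIGKILL", 11: "SIGSEGV", 31: "SIGSYS"}

# Filter return values as logged in code= (the upper 16 bits select the action).
SECCOMP_ACTIONS = {
    0x00000000: "SECCOMP_RET_KILL_THREAD",
    0x80000000: "SECCOMP_RET_KILL_PROCESS",
    0x00030000: "SECCOMP_RET_TRAP",
    0x00050000: "SECCOMP_RET_ERRNO",
    0x7FF00000: "SECCOMP_RET_TRACE",
    0x7FFC0000: "SECCOMP_RET_LOG",
    0x7FFF0000: "SECCOMP_RET_ALLOW",
}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_fields(line):
    """Return the key=value pairs of a syslog/audit line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def decode_seccomp_record(line):
    """Decode one syslog line; return None unless it is a type=1326 (SECCOMP) record."""
    fields = parse_audit_fields(line)
    if fields.get("type") != "1326":
        return None
    arch = int(fields["arch"], 16)
    nr = int(fields["syscall"])
    sig = int(fields["sig"])
    code = int(fields["code"], 16)
    # Syscall numbers are per-architecture; only resolve names for x86_64 here.
    name = X86_64_SYSCALLS.get(nr, f"syscall_{nr}") if arch == 0xC000003E else f"syscall_{nr}"
    return {
        "pid": int(fields["pid"]),
        "comm": fields["comm"],
        "exe": fields["exe"],
        "arch": AUDIT_ARCHES.get(arch, hex(arch)),
        "syscall": name,
        "signal": SIGNALS.get(sig, str(sig)),
        "action": SECCOMP_ACTIONS.get(code & 0xFFFF0000, hex(code)),
    }


def seccomp_kills(lines):
    """Decode every seccomp audit record found in an iterable of syslog lines."""
    return [r for r in (decode_seccomp_record(l) for l in lines) if r]


# Constructed sample: the three syslog lines quoted in the issue.
SAMPLE_LOG = """\
Dec 7 20:55:11 linux systemd[1]: fwupd.service: Succeeded.
Dec 7 20:55:15 linux kernel: [10615.421160] audit: type=1326 audit(1607360115.564:51): auid=1000 uid=1000 gid=1000 ses=2 pid=18900 comm="teams" exe="/usr/share/teams/teams" sig=31 arch=c000003e syscall=161 compat=0 ip=0x7efe3eeca89d code=0x0
Dec 7 20:55:15 linux kernel: [10615.643281] traps: teams[18895] trap int3 ip:560a38ae97c5 sp:7ffd845749a0 error:0 in teams[560a357d7000+53c4000]
"""

if __name__ == "__main__":
    for rec in seccomp_kills(SAMPLE_LOG.splitlines()):
        print(f'{rec["comm"]}[{rec["pid"]}] killed by {rec["signal"]}: '
              f'{rec["syscall"]} on {rec["arch"]} -> {rec["action"]}')
```

Run it against `journalctl -k` or `/var/log/syslog` output to see which syscall a firejail seccomp filter is killing on before deciding whether a `seccomp !<syscall>` exception is the right fix; a segfault or int3 trap line with no 1326 record, as in the second run in this thread, points at a different cause than seccomp.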

@rusty-snake commented on GitHub (Dec 7, 2020):

Thanks for reporting, should be fixed.

OT: Should we move !chroot into electron.profile?


@tirasdude commented on GitHub (Dec 8, 2020):

Hi again,

Did not really get fixed :(

Reading profile /etc/firejail/teams.profile
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Reading profile /etc/firejail/electron.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: Warning: NVIDIA card detected, nogroups command disabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 12656, child pid 12657
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: not remounting /run/user/1000/gvfs
Warning: not remounting /run/user/1000/doc
Warning: cleaning all supplementary groups
Blacklist violations are logged to syslog
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 135.05 ms

Parent is shutting down, bye...

Syslog:
Dec 8 18:28:31 linux kernel: [30811.423948] teams[12676]: segfault at 328 ip 00007f3ec53f0c6f sp 00007fff0a1bc398 error 4 in libpthread-2.31.so[7f3ec53e6000+11000]
Dec 8 18:28:31 linux kernel: [30811.423972] Code: 44 00 00 b8 16 00 00 00 c3 66 90 f3 0f 1e fa 83 ff 1f 77 3f 89 f8 48 83 c0 31 48 c1 e0 04 64 48 8b 14 25 10 00 00 00 48 01 d0 <4c> 8b 40 08 4d 85 c0 74 16 89 ff 48 8d 15 bf c6 00 00 48 8b 30 48
Dec 8 18:28:31 linux kernel: [30811.643259] traps: teams[12671] trap int3 ip:5573dca927c5 sp:7ffe3f182750 error:0 in teams[5573d9780000+53c4000]


@rusty-snake commented on GitHub (Dec 8, 2020):

New error, next issues. tracelog breaks chromium, I wonder why teams has set it; can you try firejail --ignore=tracelog teams? If this did not help, I've no idea what it could be. Either teams is badly programmed and fails on a blacklist (admittedly, it is from M$, written in javascript and uses electron), or it is seccomp, protocol, nonewprivs, noroot, nogroups, caps.drop all, dbus-user none. Try commenting them out.


@micressor commented on GitHub (Dec 9, 2020):

I am not sure if this has anything to do with the nvidia card. Maybe I have to open a separate issue for it?

It works for me this way (since teams 1.3.00.30857) on debian 10 with firejail 0.9.64:

```
# /etc/firejail/teams.local
ignore caps.drop all
ignore nonewprivs
ignore noroot
ignore protocol unix,inet,inet6,netlink
ignore seccomp
```

I was also not able to debug that better:

```
firejail --ignore=nonewprivs  --ignore=protocol --ignore=seccomp --ignore=caps.drop  --build=teams.profile /usr/bin/teams
Error fbuilder: invalid program
Firejail profile builder
Usage: firejail [--debug] --build[=profile-file] program-and-arguments
```
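The two workarounds in this thread differ a lot in what they cost: the teams.local above removes seccomp, noroot, nonewprivs, caps.drop all and the protocol filter, while the maintainer's suggestion of ignoring only tracelog keeps all of them. The script below is an added example for this thread, not firejail's code: it applies `ignore` overrides to a profile and reports which hardening directives were dropped. The matching rule is an assumption modelled on firejail's behaviour (an ignore pattern matches a line that starts with it and ends at a word boundary, which is why `--ignore=caps.drop` drops `caps.drop all`); the profile text is a constructed stand-in, not the real /etc/firejail/teams.profile.

```python
"""Show which directives of a firejail profile survive a set of `ignore`
overrides (teams.local lines or --ignore= flags) and which hardening was lost.

Added example for this thread, not firejail's own code. The matching rule
below is an assumption about firejail's behaviour; check profile.c if it matters.
"""

# Directive keywords that weaken the sandbox when removed.
HARDENING = {"seccomp", "nonewprivs", "noroot", "caps.drop", "protocol",
             "tracelog", "nogroups", "dbus-user", "apparmor"}


def matches_ignore(line, pattern):
    """Assumed rule: pattern is a prefix of the line and ends at a word boundary."""
    if not line.startswith(pattern):
        return False
    rest = line[len(pattern):]
    return rest == "" or rest[0] == " "


def parse_ignores(local_text):
    """Collect the patterns from `ignore <pattern>` lines of a .local file."""
    patterns = []
    for raw in local_text.splitlines():
        s = raw.strip()
        if s.startswith("ignore "):
            patterns.append(s[len("ignore "):].strip())
    return patterns


def effective_profile(profile_text, ignore_patterns):
    """Return (kept, dropped) directive lists after applying the ignore patterns."""
    kept, dropped = [], []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(matches_ignore(line, p) for p in ignore_patterns):
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


def lost_hardening(dropped):
    """Sorted keywords of hardening directives that the overrides removed."""
    return sorted({d.split()[0] for d in dropped if d.split()[0] in HARDENING})


# Constructed stand-in profile containing the directives named in the thread.
SAMPLE_PROFILE = """\
# constructed sample, not the real teams.profile
include teams.local
caps.drop all
nonewprivs
noroot
nogroups
protocol unix,inet,inet6,netlink
seccomp !chroot
seccomp.block-secondary
tracelog
dbus-user none
"""

# The broad override posted above, and the narrow one (firejail --ignore=tracelog teams).
BROAD_LOCAL = """\
# /etc/firejail/teams.local
ignore caps.drop all
ignore nonewprivs
ignore noroot
ignore protocol unix,inet,inet6,netlink
ignore seccomp
"""
NARROW_IGNORE = ["tracelog"]

if __name__ == "__main__":
    for label, patterns in (("teams.local", parse_ignores(BROAD_LOCAL)),
                            ("--ignore=tracelog", NARROW_IGNORE)):
        kept, dropped = effective_profile(SAMPLE_PROFILE, patterns)
        print(f"{label}: dropped {dropped}; hardening lost: {lost_hardening(dropped)}")
```

Note that under the word-boundary rule `ignore seccomp` does not touch `seccomp.block-secondary`, so a .local that looks like it disables seccomp entirely may still leave the secondary-architecture block in place; list the kept directives rather than guessing.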

@jvonhoff commented on GitHub (Dec 9, 2020):

FWIW, I applied change a37c7d4 (https://github.com/netblue30/firejail/commit/a37c7d4e7ee8a928744be509850c7b48ff31badc) to /etc/firejail/teams.profile -- adding seccomp !chroot -- and was still unable to start teams.

However, running it with firejail --ignore=tracelog /usr/bin/teams is working for me. Thanks!


@tirasdude commented on GitHub (Dec 9, 2020):

Hello Everyone!

Launching with --ignore=tracelog option [terminal command: firejail --ignore=tracelog teams] does indeed start it and it seems to work fine.

Guess that is the workaround for now.

Thank you for your help!


@rusty-snake commented on GitHub (Dec 9, 2020):

> I was also not able to debug that better:

FYI

  • as the error message states, you cannot use --ignore=quxqax if you use --build.
  • it doesn't make sense because --build uses no profile
  • --build implies nonewprivs and caps.drop all
  • --build uses --trace and both will break if tracelog breaks.

> Guess that is the workaround for now.

It's the final solution. tracelog breaks firefox and chromium (=electron=teams).


@rusty-snake commented on GitHub (Dec 9, 2020):

What does sysctl kernel.unprivileged_userns_clone show?

@micressor: 0 because debian
@tirasdude: 1 on ubuntu?
@jvonhoff: ?


@tirasdude commented on GitHub (Dec 9, 2020):

kernel.unprivileged_userns_clone = 1


@rusty-snake commented on GitHub (Dec 9, 2020):

Background: #2946 and #3688

@micressor firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot /usr/bin/teams should work on debian. If so I add it.


@jvonhoff commented on GitHub (Dec 9, 2020):

BTW, I use Arch ;)

kernel.unprivileged_userns_clone = 1


@micressor commented on GitHub (Dec 10, 2020):

> What does sysctl kernel.unprivileged_userns_clone show?
> @micressor: 0 because debian

kernel.unprivileged_userns_clone = 0


@micressor commented on GitHub (Dec 10, 2020):

> firejail --ignore=nonewprivs --ignore=noroot --ignore=protocol --ignore=seccomp --ignore=caps.drop --caps.keep=sys_admin,sys_chroot /usr/bin/teams should work on debian. If so I add it.

@rusty-snake: That works for me - thanks!

Reference: github-starred/firejail#2397