github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #3904] VScode can't execute certain script when seccom is enabled #2448

New issue

Closed

opened 2026-05-05 09:07:56 -06:00 by gitea-mirror · 7 comments

gitea-mirror commented

2026-05-05 09:07:56 -06:00

Owner

Originally created by @GreatBigWhiteWorld on GitHub (Jan 20, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3904

Bug and expected behavior
Simple python code as the following would hang when executed:

import pandas as pd
df = pd.DataFrame({'name': ['A', 'B', 'C'], 'val': [10, 30, 20]})
chart = df.plot.bar(x='name', y='val')

It is expected to draw a simple bar chart but the execution would just hang there forever.
I tried to disable "seccom" in the /etc/firejail/code.profile and the script would then show the chart as expected.

Reproduce
Steps to reproduce the behavior:

Run in bash firejail code
Write the above python code to draw a chart with from a dataframe.
Right click the file to choose "execute script in interactive window" in VScode.
The interactive window hangs on there and can't finish the execution.

Environment

Linux distribution and version openSUSE Leap 15.2
firejail version 0.9.64

Originally created by @GreatBigWhiteWorld on GitHub (Jan 20, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/3904 **Bug and expected behavior** Simple python code as the following would hang when executed: ``` import pandas as pd df = pd.DataFrame({'name': ['A', 'B', 'C'], 'val': [10, 30, 20]}) chart = df.plot.bar(x='name', y='val') ``` It is expected to draw a simple bar chart but the execution would just hang there forever. I tried to disable "seccom" in the /etc/firejail/code.profile and the script would then show the chart as expected. **Reproduce** Steps to reproduce the behavior: 1. Run in bash `firejail code` 2. Write the above python code to draw a chart with from a dataframe. 3. Right click the file to choose "execute script in interactive window" in VScode. 4. The interactive window hangs on there and can't finish the execution. **Environment** - Linux distribution and version openSUSE Leap 15.2 - firejail version 0.9.64

gitea-mirror closed this issue

2026-05-05 09:07:57 -06:00

gitea-mirror commented

2026-05-05 09:07:59 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jan 20, 2021):

If you replace the seccomp line in vscode with seccomp !kcmp or seccomp !mbind, does it work then? If not, run with --seccomp-error-action=log and watch your syslog for the violation.

@rusty-snake commented on GitHub (Jan 20, 2021): If you replace the `seccomp` line in vscode with `seccomp !kcmp` or `seccomp !mbind`, does it work then? If not, run with `--seccomp-error-action=log` and watch your syslog for the violation.

gitea-mirror commented

2026-05-05 09:08:00 -06:00

Author

Owner

@GreatBigWhiteWorld commented on GitHub (Jan 20, 2021):

If you replace the seccomp line in vscode with seccomp !kcmp or seccomp !mbind, does it work then? If not, run with --seccomp-error-action=log and watch your syslog for the violation.

Both !kcmp and !mbind work. Which one should I use?
Do you suggest that I make a code.local? If so, what content should I put in the file?

@GreatBigWhiteWorld commented on GitHub (Jan 20, 2021): > If you replace the `seccomp` line in vscode with `seccomp !kcmp` or `seccomp !mbind`, does it work then? If not, run with `--seccomp-error-action=log` and watch your syslog for the violation. Both !kcmp and !mbind work. Which one should I use? Do you suggest that I make a code.local? If so, what content should I put in the file?

gitea-mirror commented

2026-05-05 09:08:01 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jan 20, 2021):

Both !kcmp and !mbind work.

❓ ❗ 🤯
Can you run with --seccomp-error-action=log.

@rusty-snake commented on GitHub (Jan 20, 2021): > Both !kcmp and !mbind work. :question: :exclamation: :exploding_head: Can you run with `--seccomp-error-action=log`.

gitea-mirror commented

2026-05-05 09:08:03 -06:00

Author

Owner

@GreatBigWhiteWorld commented on GitHub (Jan 21, 2021):

Both !kcmp and !mbind work.

Can you run with --seccomp-error-action=log.

Where do I check its log? The terminal shows nothing new after running with --seccomp-error-action=log
In syslog when vscode is run there is this:
[system] Activating via systemd: service name='org.bluez' unit='dbus-org.bluez.service' requested by ':1.73' (uid=1000 pid=11351 comm="/usr/share/code/code --no-sandbox ")

Why does vscode request bluetooth service??

When running with code.local which has "seccomp !kcmp" and --seccomp-error-action=log it's the same result except that the chart can show fine.

@GreatBigWhiteWorld commented on GitHub (Jan 21, 2021): > > Both !kcmp and !mbind work. > > > Can you run with `--seccomp-error-action=log`. Where do I check its log? The terminal shows nothing new after running with `--seccomp-error-action=log` In syslog when vscode is run there is this: `[system] Activating via systemd: service name='org.bluez' unit='dbus-org.bluez.service' requested by ':1.73' (uid=1000 pid=11351 comm="/usr/share/code/code --no-sandbox ")` Why does vscode request bluetooth service?? When running with code.local which has "seccomp !kcmp" and `--seccomp-error-action=log` it's the same result except that the chart can show fine.

gitea-mirror commented

2026-05-05 09:08:04 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jan 21, 2021):

Where do I check its log?

Watch journalctl --grep=SECCOMP --follow while starting vscode.

When running with code.local which has "seccomp !kcmp" and --seccomp-error-action=log it's the same result except that the chart can show fine.

Logging must be done without exceptions (e.g. firejail --seccomp --seccomp-error-action=log --ignore=seccomp …)

seccomp-error-action=log is like SELinux in permissive mode or AppArmor in complaining mode.

@rusty-snake commented on GitHub (Jan 21, 2021): > Where do I check its log? Watch `journalctl --grep=SECCOMP --follow` while starting vscode. > When running with code.local which has "seccomp !kcmp" and --seccomp-error-action=log it's the same result except that the chart can show fine. Logging must be done without exceptions (e.g. `firejail --seccomp --seccomp-error-action=log --ignore=seccomp …`) `seccomp-error-action=log ` is like SELinux in permissive mode or AppArmor in complaining mode.

gitea-mirror commented

2026-05-05 09:08:04 -06:00

Author

Owner

@rusty-snake commented on GitHub (Jan 21, 2021):

!mbind is definitely required, because numpy requires it and numpy is a dependency of pandas, see https://github.com/pandas-dev/pandas#dependencies.

!kcmp is required too if you have an AMD GPU.

@rusty-snake commented on GitHub (Jan 21, 2021): `!mbind` is definitely required, because numpy requires it and numpy is a dependency of pandas, see https://github.com/pandas-dev/pandas#dependencies. `!kcmp` is required too if you have an AMD GPU.

gitea-mirror commented

2026-05-05 09:08:05 -06:00

Author

Owner

@GreatBigWhiteWorld commented on GitHub (Jan 21, 2021):

!mbind is definitely required, because numpy requires it and numpy is a dependency of pandas, see https://github.com/pandas-dev/pandas#dependencies.

!kcmp is required too if you have an AMD GPU.

Alright, thanks.

@GreatBigWhiteWorld commented on GitHub (Jan 21, 2021): > `!mbind` is definitely required, because numpy requires it and numpy is a dependency of pandas, see https://github.com/pandas-dev/pandas#dependencies. > > `!kcmp` is required too if you have an AMD GPU. Alright, thanks.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2448

No description provided.

Rows
Columns