mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #4237] Steam won't launch in firejail using Sea Island GPU(AMD) with vulkan(RADV) support enabled #2591
Originally created by @swimik on GitHub (May 4, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4237
Thanks for taking the time to read this. I tried to fill it out as best I can. I really appreciate firejail compared to the other container options, so many thanks to everyone that puts the time into this project.
Bug and expected behavior
Launching `firejail steam` using radeon driver works fine starting steam. However, graphics performance is poor in many games on a Radeon R9 390(Hawaii) using this driver. Performance is also poor with the radeon driver while not using firejail, notably when playing games meant for Windows but also many games built or ported to linux as native programs.
Vulkan(RADV) drivers are enabled via a change to the grub2 config file via editing /etc/default/grub to include:
```
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash radeon.cik_support=0 amdgpu.cik_support=1"
```
This changes the driver from radeon to amdgpu.
Valve suggests enabling Vulkan driver support for this card which works great in non firejailed steam. Firejailed steam does not load yielding a multitude of warnings although the predominant one is:
```
Could not connect to X session manager: None of the authentication protocols specified are supported
```
It then begins to install a breakpad exception handler over and over again.
If I switch back to the radeon driver by removing the `radeon.cik_support=0 amdgpu.cik_support=1`, steam will load in a firejail and operate fine but it's not very useful.
Steam to start up and run correctly in a firejail and games will use the RADV driver so that they are playable. Similar to when I run steam with this configuration without using firejail.
No profile and disabling firejail
`firejail --noprofile /path/to/program` in a terminal?
Calling `firejail --noprofile steam` does boot steam with amdgpu(RADV) enabled (the desired outcome). There are still many errors for `Could not connect to X session manager: None of the authentication protocols specified are supported`. This does not seem to affect anything. `firejail --list` shows a jailed instance of Steam. Games appear to work fine.
`/usr/bin/vlc`)?
There is no steam referenced in /usr/bin
Environment
`lsb_release -a`, `screenfetch` or `cat /etc/os-release`)
```
lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux bullseye/sid
Release:        testing
Codename:       bullseye
```
I am running Gnome with GDM on wayland.
This also occurs using Gnome/GDM/x11, Gnome/LightDM/wayland, Gnome/LightDM/x11, and LXDE.
`firejail --version`) exclusive or used git commit (`git rev-parse HEAD`)
```
firejail --version
firejail version 0.9.64.4
Compile time support:
- AppArmor support is enabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file and directory whitelisting support is enabled
- file transfer support is enabled
- firetunnel support is enabled
- networking support is enabled
- overlayfs support is disabled
- private-home support is enabled
- private-cache and tmpfs as user enabled
- SELinux support is enabled
- user namespace support is enabled
- X11 sandboxing support is enabled
```
Additional context
Other context about the problem like related errors to understand the problem.
A similar issue happens with VLC in firejail that is probably related. With amdgpu enabled, `firejail vlc` will appear to load a file but not actually play any video or audio. Both the steam problem and the vlc problem go away in a firejail by switching back to radeon drivers, so I think solving one problem will help solve the other problem.
Checklist
The profile (and redirect profile if exists) hasn't already been fixed upstream.
no
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
there is a steam.profile
I have performed a short search for similar issues (to avoid opening a duplicate).
From what I can tell this may only affect a "sea island" card running linux trying to use vulkan drivers on current AAA games. I have not found any other issue about this
If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile.
not an appimage
Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.
I hope this is all in english
I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
sure
This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.
debug output
@rusty-snake commented on GitHub (May 4, 2021):
Duplicate of #3219? At least vlc yes.
fix vlc with this
and try this for steam
@swimik commented on GitHub (May 4, 2021):
This did work to fix vlc by creating a firejail folder in /home/username/.config/firejail and then adding a vlc.local to there.
Adding `seccomp !kcmp` to the vlc.profile (or vlc.local) located in /etc/firejail did not work. Odd, but whatever.
I assume you meant
```
echo 'seccomp !kcmp,!ptrace' >> ~/.config/firejail/steam.local
```
This did not enable steam to work. I also tried `ignore seccomp` or commenting out seccomp to no effect. It does try to load steam, the login window does appear but the steam console does not load.
Perhaps there is a feature of firejail that is recognizing the fact I am loading the 'wrong' driver for this card and sees that as some sort of security breach?
@rusty-snake commented on GitHub (May 4, 2021):
Is anything relevant in the syslog? If not, try `firejail --ignore=private-etc --ignore=nogroups --ignore=noroot steam`. If this still doesn't help, you need to comment steam.profile and uncomment it line for line.
@swimik commented on GitHub (May 4, 2021):
Ok, looking it over more it seems it wasn't reading steam.local because when I commented out seccomp it had no effect.
Deleting steam.local and commenting out seccomp in steam.profile did enable steam to work again. This was the only comment I made in the file.
My syslog shows this error when trying to run steam with seccomp enabled.
```
kernel: [ 587.823999] audit: type=1326 audit(1620170477.091:19): auid=1000 uid=1000 gid=1000 ses=3 subj==unconfined pid=3988 comm="steam" exe="/home/username/.steam/debian-installation/ubuntu12_32/steam" sig=31 arch=40000003 syscall=349 compat=1 ip=0xf7f01559 code=0x0
```
following the seccomp guide found here https://firejail.wordpress.com/documentation-2/seccomp-guide/
I tried running `firejail --debug-syscall | grep 349` but this didn't return anything. A quick search shows that this is the rcmp syscall but I can't seem to exclude it in steam.profile (currently the only profile in use).
I tried `seccomp !ptrace,!kcmp` and `seccomp !ptrace,kcmp` and it still gives me the kernel error for syscall=349.
I take it my syntax is wrong?
@swimik commented on GitHub (May 4, 2021):
Also, my debian installation is amd64 but steam is 32 bit and I have the i386 architecture enabled to use it. I see syscall 349 is for i386 so maybe the issue is firejail can't reference the i386 architecture on an amd64 install?
I could be blowing smoke but it could be relevant so I figured I would add it in case someone wasn't aware of this about steam.
@rusty-snake commented on GitHub (May 5, 2021):
You can try
but IDK if this works. If not use `seccomp.drop`.
@swimik commented on GitHub (May 5, 2021):
```
seccomp !kcmp,!ptrace
seccomp.32 !kcmp,!ptrace
```
This works only with separate lines for the 32bit syscall and the 64 bit syscall being split.
I guess vlc for debian is 32 bit? And/or this is only a problem if there need to be 64 bit and 32 bit exceptions? It might be worth updating the manpage to mention that seccomp.32 is an option when there is split 64bit and 32bit usage, or maybe this is something that can be fixed internally to firejail.
I'll keep testing to see if there are other issues.
@swimik commented on GitHub (May 6, 2021):
There are some other issues with games within Steam but overall the initial problem I cited is fixed so I will close this and diagnose the game issues on a case by case basis.
Thanks
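Added example, not part of the thread or of the firejail project: a decoder for the `type=1326` seccomp audit record quoted above. It reads `arch=` to find the ABI of the killed process, resolves the syscall number in that ABI's table, and names the profile directive that filters that ABI. The function and table names are hypothetical, and the syscall table is limited to the two calls discussed here.

```python
import re

# Architecture tokens as defined in the Linux UAPI header linux/audit.h.
AUDIT_ARCH = {0x40000003: "i386", 0xC000003E: "x86_64"}
# Syscall numbers differ per ABI; only the two calls from this thread are listed.
SYSCALLS = {
    "i386": {26: "ptrace", 349: "kcmp"},
    "x86_64": {101: "ptrace", 312: "kcmp"},
}
# firejail profile directive that applies to each ABI on an amd64 host.
DIRECTIVE = {"i386": "seccomp.32", "x86_64": "seccomp"}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_seccomp_audit(line):
    """Decode a kernel 'audit: type=1326' (seccomp) record, or return None."""
    fields = {key: value.strip('"') for key, value in FIELD.findall(line)}
    if fields.get("type") != "1326":
        return None  # not a seccomp audit record
    abi = AUDIT_ARCH.get(int(fields["arch"], 16), "unknown")
    number = int(fields["syscall"])
    name = SYSCALLS.get(abi, {}).get(number)
    exception = f"{DIRECTIVE[abi]} !{name}" if name else None
    return {
        "comm": fields.get("comm"),
        "abi": abi,
        "syscall_nr": number,
        "syscall": name,
        "killed": fields.get("sig") == "31",  # 31 is SIGSYS on x86
        "profile_line": exception,  # exception line to test in <name>.local
    }


# The record posted in the thread.
SAMPLE = ('kernel: [ 587.823999] audit: type=1326 audit(1620170477.091:19): '
          'auid=1000 uid=1000 gid=1000 ses=3 subj==unconfined pid=3988 '
          'comm="steam" '
          'exe="/home/username/.steam/debian-installation/ubuntu12_32/steam" '
          'sig=31 arch=40000003 syscall=349 compat=1 ip=0xf7f01559 code=0x0')

if __name__ == "__main__":
    print(decode_seccomp_audit(SAMPLE))
```

The same number under `arch=c000003e` does not resolve, because `kcmp` is 312 on x86_64; that matches the thread's finding that the 32-bit Steam binary needed its own `seccomp.32` line.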