github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #4366] Steam Proton (Experimental) doesn't work, even under an empty profile #2636

New issue
Closed
opened 2026-05-05 09:17:48 -06:00 by gitea-mirror · 28 comments
gitea-mirror commented 2026-05-05 09:17:48 -06:00
Owner
Copy link

Originally created by @matthew-cline on GitHub (Jun 20, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4366

While using Steam with experimental Proton to try to run the Windows game Dig or Die the game immediately exits after hitting "play", even I use an entirely empty profile for Steam. Running Steam directly/natively there's no problem. Using PROTON_LOG=1 doesn't cause a log file to be generated, so Proton seems to be crashing/exiting before it even gets a chance to create the log file. Even with STEAM_LINUX_RUNTIME_LOG=1 and STEAM_LINUX_RUNTIME_VERBOSE=1 set neither the stdout/stderr of the Steam client nor any of the Steam log files shows any errors or warnings when attempting to launch the game.

I tried running Steam under strace to see what the problem might be, but Steam crashes under strace, even if run outside of the Firejail sandbox.

Environment
Distro: Fedora 34
Steam: built Jun 8 2021, version 1623193086

firejail --version 
firejail version 0.9.64.4

Compile time support:
        - AppArmor support is disabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is enabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
Originally created by @matthew-cline on GitHub (Jun 20, 2021). Original GitHub issue: https://github.com/netblue30/firejail/issues/4366 While using Steam with experimental Proton to try to run the Windows game [*Dig or Die*](https://store.steampowered.com/app/315460/Dig_or_Die/) the game immediately exits after hitting "play", even I use an entirely empty profile for Steam. Running Steam directly/natively there's no problem. Using `PROTON_LOG=1` doesn't cause a log file to be generated, so Proton seems to be crashing/exiting before it even gets a chance to create the log file. Even with `STEAM_LINUX_RUNTIME_LOG=1` and `STEAM_LINUX_RUNTIME_VERBOSE=1` set neither the stdout/stderr of the Steam client nor any of the Steam log files shows any errors or warnings when attempting to launch the game. I tried running Steam under strace to see what the problem might be, but Steam crashes under strace, even if run outside of the Firejail sandbox. **Environment** Distro: Fedora 34 Steam: built Jun 8 2021, version 1623193086 <details><summary>firejail --version</summary> ``` firejail version 0.9.64.4 Compile time support: - AppArmor support is disabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - overlayfs support is disabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is enabled - user namespace support is enabled - X11 sandboxing support is enabled ``` </details>
gitea-mirror commented 2026-05-05 09:17:51 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Jun 20, 2021):

Likely related:
https://github.com/flathub/com.valvesoftware.Steam/issues/642
https://github.com/flatpak/flatpak/issues/3797

<!-- gh-comment-id:864502338 --> @SkewedZeppelin commented on GitHub (Jun 20, 2021): Likely related: https://github.com/flathub/com.valvesoftware.Steam/issues/642 https://github.com/flatpak/flatpak/issues/3797
gitea-mirror commented 2026-05-05 09:17:52 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Jun 20, 2021):

Is anything in the syslog? Does it work with noprofile.profile?

<!-- gh-comment-id:864502339 --> @rusty-snake commented on GitHub (Jun 20, 2021): Is anything in the syslog? Does it work with [noprofile.profile](https://gist.github.com/rusty-snake/bb234cb3e50e1e4e7429f29a7931cc72)?
gitea-mirror commented 2026-05-05 09:17:53 -06:00
Author
Owner
Copy link

@matthew-cline commented on GitHub (Jun 20, 2021):

Same behavior with noprofile.profile. The only thing that the the syslog shows is that it's uploading a MiniDump crash log (something I'd missed when looking at the client's stdout), so there is some sort of crash going on.

<!-- gh-comment-id:864505347 --> @matthew-cline commented on GitHub (Jun 20, 2021): Same behavior with `noprofile.profile`. The only thing that the the syslog shows is that it's uploading a MiniDump crash log (something I'd missed when looking at the client's stdout), so there is some sort of crash going on.
gitea-mirror commented 2026-05-05 09:17:53 -06:00
Author
Owner
Copy link

@matthew-cline commented on GitHub (Jun 20, 2021):

I tried running Steam outside of Firejail but with a private PID namespace (unshare -p), and while that doesn't exactly duplicate the problem it does cause things to freeze at the "launching game" popup stage. So Firejail creating a private PID namespace probably has something to do with it.

<!-- gh-comment-id:864507175 --> @matthew-cline commented on GitHub (Jun 20, 2021): I tried running Steam outside of Firejail but with a private PID namespace (`unshare -p`), and while that doesn't exactly duplicate the problem it does cause things to freeze at the "launching game" popup stage. So Firejail creating a private PID namespace probably has something to do with it.
gitea-mirror commented 2026-05-05 09:17:54 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Aug 4, 2021):

still an issue?

<!-- gh-comment-id:892562976 --> @rusty-snake commented on GitHub (Aug 4, 2021): still an issue?
gitea-mirror commented 2026-05-05 09:17:54 -06:00
Author
Owner
Copy link

@Rult commented on GitHub (Aug 20, 2021):

Still an issue. It also occurs for Proton 6.3-5 and 5.13-6.
Distro: Manjaro KDE (kernel 5.10.59-1)

firejail version 0.9.66 
Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is enabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
Output log example (ShareX under Proton Experimental) 
GameAction [AppID 400040, ActionID 5] : LaunchApp changed task to ProcessingInstallScript with ""
pressure-vessel-wrap[608]: E: Cannot run bwrap: wait status 256
pressure-vessel-wrap[608]: E: Diagnostic output:
bwrap: Failed to make / slave: Operation not permitted

GameAction [AppID 400040, ActionID 5] : LaunchApp changed task to SiteLicenseSeatCheckout with ""
GameAction [AppID 400040, ActionID 5] : LaunchApp changed task to CreatingProcess with ""
GameAction [AppID 400040, ActionID 5] : LaunchApp waiting for user response to CreatingProcess ""
GameAction [AppID 400040, ActionID 5] : LaunchApp continues with user response "CreatingProcess"
/bin/sh\0-c\0/home/user/.local/share/Steam/ubuntu12_32/reaper SteamLaunch AppId=400040 -- '/home/user/.local/share/Steam/steamapps/common/SteamLinuxRuntime_soldier'/_v2-entry-point --verb=waitforexitandrun -- '/home/user/.local/share/Steam/steamapps/common/Proton - Experimental'/proton waitforexitandrun  '/home/user/.local/share/Steam/steamapps/common/ShareX/ShareX_Launcher.exe'\0
Game update: AppID 400040 "", ProcID 617, IP 0.0.0.0:0
Starting app 400040
>>> Adding process 617 for game ID 400040
GameAction [AppID 400040, ActionID 5] : LaunchApp changed task to WaitingGameWindow with ""
GameAction [AppID 400040, ActionID 5] : LaunchApp changed task to Completed with ""
pressure-vessel-wrap[618]: E: Cannot run bwrap: wait status 256
pressure-vessel-wrap[618]: E: Diagnostic output:
bwrap: Failed to make / slave: Operation not permitted

Game removed: AppID 400040 "", ProcID 617 
Uploaded AppInterfaceStats to Steam
Exiting app 400040
No cached sticky mapping in ActivateActionSet.

Steam's bubblewrap doesn't seem to work with firejail.

<!-- gh-comment-id:902682138 --> @Rult commented on GitHub (Aug 20, 2021): Still an issue. It also occurs for Proton 6.3-5 and 5.13-6. Distro: Manjaro KDE (kernel 5.10.59-1) <details> <summary>firejail version 0.9.66</summary> ``` Compile time support: - always force nonewprivs support is disabled - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - output logging is enabled - overlayfs support is disabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled ``` </details> <details> <summary>Output log example (ShareX under Proton Experimental)</summary> ``` GameAction [AppID 400040, ActionID 5] : LaunchApp changed task to ProcessingInstallScript with "" pressure-vessel-wrap[608]: E: Cannot run bwrap: wait status 256 pressure-vessel-wrap[608]: E: Diagnostic output: bwrap: Failed to make / slave: Operation not permitted GameAction [AppID 400040, ActionID 5] : LaunchApp changed task to SiteLicenseSeatCheckout with "" GameAction [AppID 400040, ActionID 5] : LaunchApp changed task to CreatingProcess with "" GameAction [AppID 400040, ActionID 5] : LaunchApp waiting for user response to CreatingProcess "" GameAction [AppID 400040, ActionID 5] : LaunchApp continues with user response "CreatingProcess" /bin/sh\0-c\0/home/user/.local/share/Steam/ubuntu12_32/reaper SteamLaunch AppId=400040 -- '/home/user/.local/share/Steam/steamapps/common/SteamLinuxRuntime_soldier'/_v2-entry-point --verb=waitforexitandrun -- '/home/user/.local/share/Steam/steamapps/common/Proton - Experimental'/proton waitforexitandrun '/home/user/.local/share/Steam/steamapps/common/ShareX/ShareX_Launcher.exe'\0 Game update: AppID 400040 "", ProcID 617, IP 0.0.0.0:0 Starting app 400040 >>> Adding process 617 for game ID 400040 GameAction [AppID 400040, ActionID 5] : LaunchApp changed task to WaitingGameWindow with "" GameAction [AppID 400040, ActionID 5] : LaunchApp changed task to Completed with "" pressure-vessel-wrap[618]: E: Cannot run bwrap: wait status 256 pressure-vessel-wrap[618]: E: Diagnostic output: bwrap: Failed to make / slave: Operation not permitted Game removed: AppID 400040 "", ProcID 617 Uploaded AppInterfaceStats to Steam Exiting app 400040 No cached sticky mapping in ActivateActionSet. ``` </details> Steam's bubblewrap doesn't seem to work with firejail.
gitea-mirror commented 2026-05-05 09:17:55 -06:00
Author
Owner
Copy link

@SkewedZeppelin commented on GitHub (Aug 20, 2021):

flatpak install com.valvesoftware.Steam com.valvesoftware.Steam.CompatibilityTool.Proton com.github.tchx84.Flatseal

Use flatseal to further restrict access, start Steam, set "Proton (community build)" as default

<!-- gh-comment-id:902739497 --> @SkewedZeppelin commented on GitHub (Aug 20, 2021): ``` flatpak install com.valvesoftware.Steam com.valvesoftware.Steam.CompatibilityTool.Proton com.github.tchx84.Flatseal ``` Use flatseal to further restrict access, start Steam, set "Proton (community build)" as default
gitea-mirror commented 2026-05-05 09:17:55 -06:00
Author
Owner
Copy link

@TheOneric commented on GitHub (Nov 9, 2021):

Proton 5.13-6, 6.3-7 and current (2021-11-09) Experimental work for me if running with --noprofile. With the default profile (+my local additions for additional library folders) it fails with the following message in the terminal output:

pressure-vessel-wrap[711]: E: Cannot run …/steamapps/common/SteamLinuxRuntime_soldier/pressure-vessel/bin/pv-bwrap: wait status 256
pressure-vessel-wrap[711]: E: Diagnostic output:
bwrap: Failed to make / slave: Operation not permitted

Proton ≤ 5.0 continues to work with the default profile.

firejail --version 

firejail version 0.9.66

Compile time support:

- always force nonewprivs support is disabled

- AppArmor support is enabled

- AppImage support is enabled

- chroot support is enabled

- D-BUS proxy support is enabled

- file and directory whitelisting support is enabled

- file transfer support is enabled

- firetunnel support is enabled

- networking support is enabled

- output logging is enabled

- overlayfs support is disabled

- private-home support is enabled

- private-cache and tmpfs as user enabled

- SELinux support is disabled

- user namespace support is enabled

- X11 sandboxing support is enabled

<!-- gh-comment-id:964602549 --> @TheOneric commented on GitHub (Nov 9, 2021): Proton 5.13-6, 6.3-7 and current (2021-11-09) Experimental work for me **if** running with `--noprofile`. With the default profile *(+my local additions for additional library folders)* it fails with the following message in the terminal output: ``` pressure-vessel-wrap[711]: E: Cannot run …/steamapps/common/SteamLinuxRuntime_soldier/pressure-vessel/bin/pv-bwrap: wait status 256 pressure-vessel-wrap[711]: E: Diagnostic output: bwrap: Failed to make / slave: Operation not permitted ``` Proton ≤ 5.0 continues to work with the default profile. <details> <summary>firejail --version</summary> <pre><code> firejail version 0.9.66 Compile time support: - always force nonewprivs support is disabled - AppArmor support is enabled - AppImage support is enabled - chroot support is enabled - D-BUS proxy support is enabled - file and directory whitelisting support is enabled - file transfer support is enabled - firetunnel support is enabled - networking support is enabled - output logging is enabled - overlayfs support is disabled - private-home support is enabled - private-cache and tmpfs as user enabled - SELinux support is disabled - user namespace support is enabled - X11 sandboxing support is enabled </pre></code> </details>
gitea-mirror commented 2026-05-05 09:17:55 -06:00
Author
Owner
Copy link

@TheOneric commented on GitHub (Nov 10, 2021):

Proton 5.13-6 and 6.3-7 appear to work for me if --ignore=seccomp is added to the dfeault profile.
Ofc, ideally we'd like to only allow the syscalls actually needed for Proton+bubblewrap, but unfortunately I do not know what those are or how to find this out. If I can help by testing configurations, let me know.

<!-- gh-comment-id:965733744 --> @TheOneric commented on GitHub (Nov 10, 2021): Proton 5.13-6 and 6.3-7 appear to work for me if `--ignore=seccomp` is added to the dfeault profile. Ofc, ideally we'd like to only allow the syscalls actually needed for Proton+bubblewrap, but unfortunately I do not know what those are or how to find this out. If I can help by testing configurations, let me know.
gitea-mirror commented 2026-05-05 09:17:56 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 10, 2021):

9a81078ddb/etc/templates/syscalls.txt (L89-L112)

<!-- gh-comment-id:965738306 --> @rusty-snake commented on GitHub (Nov 10, 2021): https://github.com/netblue30/firejail/blob/9a81078ddbbb4215d06f7d1861481ece05ebda99/etc/templates/syscalls.txt#L89-L112
gitea-mirror commented 2026-05-05 09:17:56 -06:00
Author
Owner
Copy link

@TheOneric commented on GitHub (Nov 10, 2021):

I tried to follow the instructions, but no related messages show up in journalctl when running firejail --seccomp-error-action=log /usr/bin/steam. I ran journalctl --grep=SECCOMP --follow as the same user as steam, as root and (as root) without --grep=SECCOMP, but no related messages showed up.
While running steam with --seccomp-error-action=log the games using Proton > 5.0 did start successfully, when started without this flag they did not.

<!-- gh-comment-id:965808460 --> @TheOneric commented on GitHub (Nov 10, 2021): I tried to follow the instructions, but no related messages show up in journalctl when running `firejail --seccomp-error-action=log /usr/bin/steam`. I ran `journalctl --grep=SECCOMP --follow` as the same user as steam, as root and (as root) without `--grep=SECCOMP`, but no related messages showed up. While running steam with `--seccomp-error-action=log` the games using Proton > 5.0 did start successfully, when started without this flag they did not.
gitea-mirror commented 2026-05-05 09:17:57 -06:00
Author
Owner
Copy link

@kmk3 commented on GitHub (Nov 10, 2021):

FWIW, 5.13+ never worked for me.

I assume it's either because it now requires bwrap and that it is incompatible
with firejail and/or because the new runtime requires allowing unprivileged
user ns for steam. I haven't looked too much into it and didn't try disabling
things in the profile though.

5.0-10 and earlier still work.

Environment: firejail-git on Artix Linux.

<!-- gh-comment-id:965831447 --> @kmk3 commented on GitHub (Nov 10, 2021): FWIW, 5.13+ never worked for me. I assume it's either because it now requires bwrap and that it is incompatible with firejail and/or because the new runtime requires allowing unprivileged user ns for steam. I haven't looked too much into it and didn't try disabling things in the profile though. 5.0-10 and earlier still work. Environment: firejail-git on Artix Linux.
gitea-mirror commented 2026-05-05 09:17:57 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 11, 2021):

@TheOneric does firejail --seccomp=openat --seccomp-error-action=log cat /etc/profile show-up in journalctl (i.e. is this likely a 32 bit seccomp issues or a configuration of your system)?

<!-- gh-comment-id:966150483 --> @rusty-snake commented on GitHub (Nov 11, 2021): @TheOneric does `firejail --seccomp=openat --seccomp-error-action=log cat /etc/profile` show-up in journalctl (i.e. is this likely a 32 bit seccomp issues or a configuration of your system)?
gitea-mirror commented 2026-05-05 09:17:58 -06:00
Author
Owner
Copy link

@TheOneric commented on GitHub (Nov 11, 2021):

does firejail --seccomp=openat --seccomp-error-action=log cat /etc/profile show-up in journalct

Hmmm, this too does not cause any seccomp related messages to show up in journalctl. Grepping through sudo journalctl --all also doesn't show any messages other than a messages during boot and the invokation of firejail or journalctl with a seccomp paramter.
Can I somehow tell firejail to log seccomp-errors to a file, stdout or stderr instead?

<!-- gh-comment-id:966554115 --> @TheOneric commented on GitHub (Nov 11, 2021): > does firejail --seccomp=openat --seccomp-error-action=log cat /etc/profile show-up in journalct Hmmm, this too does not cause any seccomp related messages to show up in journalctl. Grepping through `sudo journalctl --all` also doesn't show any messages other than a messages during boot and the invokation of `firejail` or `journalctl` with a seccomp paramter. Can I somehow tell firejail to log seccomp-errors to a file, stdout or stderr instead?
gitea-mirror commented 2026-05-05 09:17:58 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Nov 11, 2021):

This logging isn't done by firejail, it is done by your kernel. Which distro do you use?

<!-- gh-comment-id:966555526 --> @rusty-snake commented on GitHub (Nov 11, 2021): This logging isn't done by firejail, it is done by your kernel. Which distro do you use?
gitea-mirror commented 2026-05-05 09:17:58 -06:00
Author
Owner
Copy link

@TheOneric commented on GitHub (Nov 11, 2021):

Which distro do you use?

openSUSE Tumbleweed

<!-- gh-comment-id:966556063 --> @TheOneric commented on GitHub (Nov 11, 2021): > Which distro do you use? openSUSE Tumbleweed
gitea-mirror commented 2026-05-05 09:17:59 -06:00
Author
Owner
Copy link

@TheOneric commented on GitHub (Dec 3, 2021):

Since #4686 mentioned the seccomp lines showing up in Fedora, I tried to recompile the prisitine kernel.org sources dor 5.15.6 with a matching config from fedora, but this failed to boot with openSUSE just looping some failure messages regarding CUPS scheduler. If it's known which kernel configurations need to be changed to get the seccomp logs, I could try to recompile a openSUSE kernel with the nedded config change to get more info.

<!-- gh-comment-id:985876234 --> @TheOneric commented on GitHub (Dec 3, 2021): Since #4686 mentioned the seccomp lines showing up in Fedora, I tried to recompile the prisitine kernel.org sources dor 5.15.6 with a matching config from fedora, but this failed to boot with openSUSE just looping some failure messages regarding CUPS scheduler. If it's known which kernel configurations need to be changed to get the seccomp logs, I could try to recompile a openSUSE kernel with the nedded config change to get more info.
gitea-mirror commented 2026-05-05 09:17:59 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Dec 4, 2021):

What audit config does openSUSE use?

Fedora:

CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_ARCH=y
CONFIG_KVM_MMU_AUDIT=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_INTEGRITY_AUDIT=y
<!-- gh-comment-id:985992958 --> @rusty-snake commented on GitHub (Dec 4, 2021): What audit config does openSUSE use? Fedora: ``` CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y CONFIG_AUDITSYSCALL=y CONFIG_AUDIT_ARCH=y CONFIG_KVM_MMU_AUDIT=y CONFIG_NETFILTER_XT_TARGET_AUDIT=m CONFIG_INTEGRITY_AUDIT=y ```
gitea-mirror commented 2026-05-05 09:18:00 -06:00
Author
Owner
Copy link

@TheOneric commented on GitHub (Dec 4, 2021):

What audit config does openSUSE use?

Seems to be the same:

$ grep AUDIT /boot/config-5.15.2-1-default
CONFIG_AUDIT=y
CONFIG_HAVE_ARCH_AUDITSYSCALL=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_ARCH=y
CONFIG_KVM_MMU_AUDIT=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024
CONFIG_INTEGRITY_AUDIT=y
# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
<!-- gh-comment-id:986034041 --> @TheOneric commented on GitHub (Dec 4, 2021): > What audit config does openSUSE use? Seems to be the same: ``` $ grep AUDIT /boot/config-5.15.2-1-default CONFIG_AUDIT=y CONFIG_HAVE_ARCH_AUDITSYSCALL=y CONFIG_AUDITSYSCALL=y CONFIG_AUDIT_ARCH=y CONFIG_KVM_MMU_AUDIT=y CONFIG_NETFILTER_XT_TARGET_AUDIT=m CONFIG_SECURITY_TOMOYO_MAX_AUDIT_LOG=1024 CONFIG_INTEGRITY_AUDIT=y # CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set ```
gitea-mirror commented 2026-05-05 09:18:00 -06:00
Author
Owner
Copy link

@remyabel2 commented on GitHub (Dec 30, 2021):

The syscall is 165 (mount). Which matches up with the error I get:

pressure-vessel-wrap[4]: E: Diagnostic output:
bwrap: Failed to make / slave: Operation not permitted

Note that I'm running proton manually which is why I'm able to see this diagnostic, likely it's swallowed by steam if you're running it that way.

<!-- gh-comment-id:1003139479 --> @remyabel2 commented on GitHub (Dec 30, 2021): The syscall is 165 (mount). Which matches up with the error I get: pressure-vessel-wrap[4]: E: Diagnostic output: bwrap: Failed to make / slave: Operation not permitted Note that I'm running proton manually which is why I'm able to see this diagnostic, likely it's swallowed by steam if you're running it that way.
gitea-mirror commented 2026-05-05 09:18:01 -06:00
Author
Owner
Copy link

@TheOneric commented on GitHub (Jan 8, 2022):

@remyabel2: The syscall is 165 (mount). Which matches up with the error I get:

What did you add to your local profile to make it work?
If I add either only the first or both of the following lines, Proton past 5.0 still doesn't work with steam (same error as before and your post).

seccomp !mount,!165
seccomp.32 !mount,!165
<!-- gh-comment-id:1007836303 --> @TheOneric commented on GitHub (Jan 8, 2022): > @remyabel2: The syscall is 165 (mount). Which matches up with the error I get: What did you add to your local profile to make it work? If I add either only the first or both of the following lines, Proton past 5.0 still doesn't work with steam *(same error as before and your post)*. ``` seccomp !mount,!165 seccomp.32 !mount,!165 ```
gitea-mirror commented 2026-05-05 09:18:01 -06:00
Author
Owner
Copy link

@remyabel2 commented on GitHub (Jan 8, 2022):

@TheOneric Sorry for being vague, I didn't actually manage to get it to work, was just adding additional info to the post based on the commands discussed.

Additional info:

There are basically three ways of running proton. Within steam (and the runtime), without steam and the runtime and through protontricks (which can utilize the runtime). On my machine, using --noprofile works for the second option. You will get a diagnostic about something crashing (but everything otherwise works fine) that's linked to --protocol=unix,inet,inet6 from the default profile.

<!-- gh-comment-id:1007838122 --> @remyabel2 commented on GitHub (Jan 8, 2022): @TheOneric Sorry for being vague, I didn't actually manage to get it to work, was just adding additional info to the post based on the commands discussed. Additional info: There are basically three ways of running proton. Within steam (and the runtime), without steam and the runtime and through protontricks (which can utilize the runtime). On my machine, using `--noprofile` works for the second option. You will get a diagnostic about something crashing (but everything otherwise works fine) that's linked to `--protocol=unix,inet,inet6` from the default profile.
gitea-mirror commented 2026-05-05 09:18:01 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Jan 8, 2022):

@remyabel2 Please be aware that using the --noprofile option isn't safe for daily use: it offers zero protection!. It's more of a test option to check if firejail is able to sandbox an app.

<!-- gh-comment-id:1007913757 --> @ghost commented on GitHub (Jan 8, 2022): @remyabel2 Please be aware that using the `--noprofile` option isn't safe for daily use: it offers zero protection!. It's more of a test option to check if firejail is able to sandbox an app.
gitea-mirror commented 2026-05-05 09:18:02 -06:00
Author
Owner
Copy link

@remyabel2 commented on GitHub (Jan 8, 2022):

@remyabel2 Please be aware that using the --noprofile option isn't safe for daily use: it offers zero protection!. It's more of a test option to check if firejail is able to sandbox an app.

Yes I'm aware. I was addressing the fact that earlier it mentioned that noprofile does not work. It does now, or maybe it's because they were trying to run it with Steam. Either way, running this out of steam works aside from the one issue I mentioned earlier:

# this is only an example
firejail --private-tmp --net=none exe

Attempting to run it with Steam has issues because of the containerization (discussed elsewhere and in another issue).

I may be leaving information out because of the permutations mentioned earlier/fuzzy memory but i think I covered everything.

<!-- gh-comment-id:1007993226 --> @remyabel2 commented on GitHub (Jan 8, 2022): > @remyabel2 Please be aware that using the `--noprofile` option isn't safe for daily use: it offers zero protection!. It's more of a test option to check if firejail is able to sandbox an app. Yes I'm aware. I was addressing the fact that earlier it mentioned that `noprofile` does not work. It does now, or maybe it's because they were trying to run it with Steam. Either way, running this out of steam works aside from the one issue I mentioned earlier: ``` # this is only an example firejail --private-tmp --net=none exe ``` Attempting to run it with Steam has issues because of the containerization (discussed elsewhere and in another issue). I may be leaving information out because of the permutations mentioned earlier/fuzzy memory but i think I covered everything.
gitea-mirror commented 2026-05-05 09:18:02 -06:00
Author
Owner
Copy link

@TheOneric commented on GitHub (Jan 8, 2022):

@reymabel:
On my machine, using --noprofile works for the second option.

As I mentioned previously, using --ignore=seccomp is already sufficient to get Proton past 5.0 working from within Steam. However, since the instructions to figure out what exactly failes do not work for me on OpenSUSE (they are confirmed to work on Fedora though), we do not know which syscall(s) need to be whitelisted. It does not appear to be (only) the mount-call you mentioned — unless I didn't whitelist it correctly.
Do I understand you correctly, that if run from outside Steam, you do not need to change anything about the default profile, not even whitelist mount to get Proton >5.0 working? Also, if you do have the option to run Proton from Steam and it doesn't bother you too much, could you perhaps try if the instructions work for you and report the result? (Also see here for a quick test of seccomp-logging)

<!-- gh-comment-id:1008074202 --> @TheOneric commented on GitHub (Jan 8, 2022): > @reymabel: > On my machine, using --noprofile works for the second option. As I [mentioned previously](https://github.com/netblue30/firejail/issues/4366#issuecomment-965733744), using `--ignore=seccomp` is already sufficient to get Proton past 5.0 working from within Steam. However, since [the instructions](https://github.com/netblue30/firejail/issues/4366#issuecomment-965738306) to figure out what exactly failes do not work for me on OpenSUSE *(they are confirmed to work on Fedora though)*, we do not know which syscall(s) need to be whitelisted. It does not appear to be (only) the `mount`-call you mentioned — unless I didn't whitelist it correctly. Do I understand you correctly, that if run from outside Steam, you do not need to change anything about the default profile, not even whitelist `mount` to get Proton >5.0 working? Also, if you do have the option to run Proton from Steam and it doesn't bother you too much, could you perhaps try if [the instructions](https://github.com/netblue30/firejail/issues/4366#issuecomment-965738306) work for you and report the result? *(Also see [here](https://github.com/netblue30/firejail/issues/4366#issuecomment-966150483) for a quick test of seccomp-logging)*
gitea-mirror commented 2026-05-05 09:18:03 -06:00
Author
Owner
Copy link

@remyabel2 commented on GitHub (Jan 8, 2022):

I do not use OpenSUSE, I use Fedora.

Do I understand you correctly, that if run from outside Steam, you do not need to change anything about the default profile, not even whitelist mount to get Proton >5.0 working?

Steam runs proton inside a container with the steam runtime and will attempt to mount parts of the filesystem. If you run proton outside of steam, you are not using containerization or the runtime (it will instead use system libs). You can emulate Steam's behavior with protontrick's bwrap feature.

Also, if you do have the option to run Proton from Steam and it doesn't bother you too much, could you perhaps try if the instructions work for you and report the result? (Also see here for a quick test of seccomp-logging)

I already followed those instructions, that's how I got the syscall for mount on my machine (it likely will be different for other people's machines.) However, I don't really recommend using Firejail and Steam/Proton at the same time, because Valve tends to change the implementation details every now and then and the profile will silently break until it's updated. I'm not qualified to speak on whether or not double sandboxing is worth it.

<!-- gh-comment-id:1008080638 --> @remyabel2 commented on GitHub (Jan 8, 2022): I do not use OpenSUSE, I use Fedora. > Do I understand you correctly, that if run from outside Steam, you do not need to change anything about the default profile, not even whitelist mount to get Proton >5.0 working? Steam runs proton inside a container with the steam runtime and will attempt to mount parts of the filesystem. If you run proton outside of steam, you are not using containerization or the runtime (it will instead use system libs). You can emulate Steam's behavior with protontrick's bwrap feature. > Also, if you do have the option to run Proton from Steam and it doesn't bother you too much, could you perhaps try if the instructions work for you and report the result? (Also see here for a quick test of seccomp-logging) I already followed those instructions, that's how I got the syscall for mount on my machine (it likely will be different for other people's machines.) However, I don't really recommend using Firejail and Steam/Proton at the same time, because Valve tends to change the implementation details every now and then and the profile will silently break until it's updated. I'm not qualified to speak on whether or not double sandboxing is worth it.
gitea-mirror commented 2026-05-05 09:18:03 -06:00
Author
Owner
Copy link

@TheOneric commented on GitHub (Feb 28, 2022):

I installed Fedora Workstation in a VM and followed the documented Fedora procedure with a lightweight game. The seccomp logs there show up in journalctl as expected. Here are the results:

teeing the journalctl output to a file and filtering the syscalls like this awk '/^#/ {next} 1 {arch=""; syscall=""; for(i = 0; i < NF; ++i) {if($i ~ /^arch=/) arch=$i; else if($i ~ /^syscall=/) syscall=$i; } if (arch && syscall) print arch" "syscall;}' steam-seccomp.log | sort | uniq -c yields the following result:

      8 arch=c000003e  syscall=155
    646 arch=c000003e  syscall=165
      8 arch=c000003e  syscall=166
      4 arch=c000003e  syscall=303

$ firejail --debug-syscalls | grep -E '155|165|166|303'
165 - mount
303 - name_to_handle_at
155 - pivot_root
166 - umount2

Adding seccomp !mount,!name_to_handle_at,!pivot_root,!umount2 to /etc/firejail/steam.local did not result in this working and if run with logging we can see the very same syscalls as before being still blocked (@rusty-snake: is this expected?). But instead altering the seccomp !ptrace line in the default steam-profile to the below allows Proton 7.0, Proton 6.3 — and presumably also Proton 5.13 — to work, fixing the issue.

  # seccomp sometimes causes issues (see #2951, #3267).
  # Add 'ignore seccomp' to your steam.local if you experience this
- seccomp !ptrace
+ seccomp !ptrace,!mount,!name_to_handle_at,!pivot_root,!umount2
  # tracelog breaks integrated browser
  #tracelog
<!-- gh-comment-id:1053756405 --> @TheOneric commented on GitHub (Feb 28, 2022): I installed Fedora Workstation in a VM and followed the documented Fedora procedure with a lightweight game. The seccomp logs there show up in journalctl as expected. Here are the results: `tee`ing the journalctl output to a file and filtering the syscalls like this `awk '/^#/ {next} 1 {arch=""; syscall=""; for(i = 0; i < NF; ++i) {if($i ~ /^arch=/) arch=$i; else if($i ~ /^syscall=/) syscall=$i; } if (arch && syscall) print arch" "syscall;}' steam-seccomp.log | sort | uniq -c` yields the following result: ``` 8 arch=c000003e syscall=155 646 arch=c000003e syscall=165 8 arch=c000003e syscall=166 4 arch=c000003e syscall=303 $ firejail --debug-syscalls | grep -E '155|165|166|303' 165 - mount 303 - name_to_handle_at 155 - pivot_root 166 - umount2 ``` Adding `seccomp !mount,!name_to_handle_at,!pivot_root,!umount2` to `/etc/firejail/steam.local` did not result in this working and if run with logging we can see the very same syscalls as before being still blocked *(@rusty-snake: is this expected?)*. But instead altering the `seccomp !ptrace` line in the default `steam-profile` to the below allows Proton 7.0, Proton 6.3 — and presumably also Proton 5.13 — to work, fixing the issue. ```diff # seccomp sometimes causes issues (see #2951, #3267). # Add 'ignore seccomp' to your steam.local if you experience this - seccomp !ptrace + seccomp !ptrace,!mount,!name_to_handle_at,!pivot_root,!umount2 # tracelog breaks integrated browser #tracelog ```
gitea-mirror commented 2026-05-05 09:18:04 -06:00
Author
Owner
Copy link

@rusty-snake commented on GitHub (Feb 28, 2022):

@rusty-snake: is this expected?

IIRC the accumulated in the past.

<!-- gh-comment-id:1054053562 --> @rusty-snake commented on GitHub (Feb 28, 2022): > @rusty-snake: is this expected? IIRC the accumulated in the past.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2636
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?