[GH-ISSUE #4428] vscodium: crashes due to seccomp #2668

Closed
opened 2026-05-05 09:19:52 -06:00 by gitea-mirror · 11 comments

Originally created by @mYnDstrEAm on GitHub (Jul 29, 2021).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4428

Codium (v1.58.2) doesn't run with firejail anymore.

When I run `firejail --profile=/etc/firejail/vscodium.profile /usr/bin/codium` I get:

```
Reading profile /etc/firejail/vscodium.profile
Reading profile /etc/firejail/code.profile
Reading profile /etc/firejail/allow-common-devel.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid [...], child pid [...]
Child process initialized in [...] ms

Parent is shutting down, bye...
```

with the only thing in syslog being this:
`kernel: [...] traps: codium[...] trap int3 ip:... sp:... error:0 in codium[...]`

Furthermore, the profile should be renamed to codium.profile as vscodium has been renamed: #3871.

**Bug and expected behavior**
I expected it to start VsCodium like it used to but it didn't.

**No profile and disabling firejail**

**Reproduce**
Steps to reproduce the behavior:

1. Run `firejail --profile=/etc/firejail/vscodium.profile /usr/bin/codium`

**Environment**

- Debian 10 stable with KDE
- Firejail version 0.9.64.4

**Additional context**

**Checklist**

- [x] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc).
- [x] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`)
- [x] I have performed a short search for similar issues (to avoid opening a duplicate).
- [x] If it is a AppImage, `--profile=PROFILENAME` is used to set the right profile.
- [x] Used `LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM` to get english error-messages.
- [x] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers.
- [x] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.

<details><summary>debug output</summary>

```
[...]
Active seccomp files:
cat /run/firejail/mnt/seccomp/seccomp.list
/run/firejail/mnt/seccomp/seccomp.protocol
/run/firejail/mnt/seccomp/seccomp.32
/run/firejail/mnt/seccomp/seccomp
Dropping all capabilities
noroot user namespace installed
Dropping all capabilities
NO_NEW_PRIVS set
Drop privileges: pid 1, uid 1000, gid 1000, nogroups 1
No supplementary groups
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/codium
Child process initialized in ... ms
Installing /run/firejail/mnt/seccomp/seccomp seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.32 seccomp filter
Installing /run/firejail/mnt/seccomp/seccomp.protocol seccomp filter
monitoring pid 6

Sandbox monitor: waitpid 6 retval 6 status 0
Sandbox monitor: monitoring 23
monitoring pid 23

Sandbox monitor: waitpid 23 retval 23 status 5
Sandbox monitor: monitoring 25
monitoring pid 25

Sandbox monitor: waitpid 25 retval 25 status 0

Parent is shutting down, bye...
```

</details>
gitea-mirror 2026-05-05 09:19:52 -06:00
  • closed this issue
  • added the duplicate label

@rusty-snake commented on GitHub (Jul 29, 2021):

I've no idea, looks like you need to comment the profile and uncomment it line for line.

> disable-common.local

What's in it.


@mYnDstrEAm commented on GitHub (Jul 29, 2021):

a few `blacklist ${HOME}/...` and `caps.drop all`. I'll try removing the latter even though I don't know why it worked earlier in that case.
Edit: Commenting out `caps.drop all` didn't make the profile work and I think it should probably not be removed.


@rusty-snake commented on GitHub (Jul 29, 2021):

> `caps.drop all` […] I think it should probably not be removed.

well

```console
$ grep -L "^caps.drop all$" $(grep -l "^include disable-common.inc$" /etc/firejail/*.profile)
/etc/firejail/bitlbee.profile
/etc/firejail/chromium-common.profile
/etc/firejail/dnscrypt-proxy.profile
/etc/firejail/dnsmasq.profile
/etc/firejail/electron.profile
/etc/firejail/fdns.profile
/etc/firejail/gnome-nettool.profile
/etc/firejail/gnome-schedule.profile
/etc/firejail/k3b.profile
/etc/firejail/ping.profile
/etc/firejail/qupzilla.profile
/etc/firejail/server.profile
/etc/firejail/spectre-meltdown-checker.profile
/etc/firejail/tcpdump.profile
/etc/firejail/tor.profile
/etc/firejail/unbound.profile
/etc/firejail/virtualbox.profile
/etc/firejail/vmware.profile
/etc/firejail/wireshark.profile
```

@mYnDstrEAm commented on GitHub (Jul 29, 2021):

I added `noblacklist ${HOME}/.config/VSCodium` to code.local but it still doesn't start with no error message getting displayed that's useful for solving it.


@rusty-snake commented on GitHub (Jul 29, 2021):

> I've no idea, looks like you need to comment the profile and uncomment it line for line.


@mYnDstrEAm commented on GitHub (Jul 29, 2021):

What's the point of sandboxing if you have to disable all of it at least once to get things working?
Also I had to comment out so many things **this can't be fine**. It used to work with earlier version of VsCodium so what's causing it to require so many sandboxing rules to get lifted?
Furthermore, there probably should / could be error messages which provide some info about why something is failing / which sandboxing rules are causing the shutdown.

I could get it to work by commenting out these:

```
#caps.drop all
#nonewprivs
#noroot
#protocol unix,inet,inet6,netlink
#seccomp
```

in code.profile and `#caps.drop all` in `disable-common.local`


@mYnDstrEAm commented on GitHub (Jul 29, 2021):

Why is it closed before there is at least a pull-request for these changes to code.profile? The duplicate issue is only about renaming the .profile afaik.

There should probably also be an issue at vscodium (and/or vscode) about why these changes are suddenly required to make it start.


@rusty-snake commented on GitHub (Jul 29, 2021):

> I could get it to work by commenting out these:
>
> ```
> #caps.drop all
> #nonewprivs
> #noroot
> #protocol unix,inet,inet6,netlink
> #seccomp
> ```
>
> in code.profile and `#caps.drop all` in `disable-common.local`

Duplicate of [#4408](https://github.com/netblue30/firejail/issues/4408). Fixed by 8f867d029a6ae7b757190d9f273886d4bbc1344b

> - [x] The profile (and redirect profile if exists) hasn't already been fixed upstream.

8f867d029a6ae7b757190d9f273886d4bbc1344b

> Why is it closed before there is at least a pull-request for these changes to code.profile? The duplicate issue is only about renaming the .profile afaik.

See above

> There should probably also be an issue at vscodium (and/or vscode) about why these changes are suddenly required to make it start.

Nope.

Read #3754, #2946, #2933, #4087, #3871.

Summary: The electron sandbox requires the `chroot` syscall. And if you disable unprivileged userns it also needs to execute a SUID => you can not use seccomp and nnp. And you need to keep some caps.

> It used to work with earlier version of VsCodium so what's causing it to require so many sandboxing rules to get lifted?

Looks like VsCodium has updated the electron version they use.

> What's the point of sandboxing if you have to disable all of it at least once to get things working?

What's the reason you do sandboxing?


@rusty-snake commented on GitHub (Jul 29, 2021):

> What's the point of sandboxing if you have to disable all of it at least once to get things working? Also I had to comment out so many things this can't be fine. It used to work with earlier version of VsCodium so what's causing it to require so many sandboxing rules to get lifted?

TBH code.profile doesn't have `whitelist ${HOME}/...`/`read-only ${HOME}`/`private` nor does it have `dbus-{user,system} (filter|none)`. It's already a weak profile that can be escaped easily. Furthermore it has no `net IFACE`/`net none` and it also allows executing programs from `${HOME}`. You only need to drop "advanced" sandbox features that protect kernel/root/system in a sandbox that already lacks escape protection.

***I*** recommend to set `sysctl kernel.unprivileged_userns_clone=1`


@mYnDstrEAm commented on GitHub (Jul 29, 2021):

So the weak sandboxing profile for Codium and its further weakening are due to Electron and changes to Electron and the solution you propose for that would be setting `sysctl kernel.unprivileged_userns_clone=1`. Did I understand that right? After setting that would all Electron-using packages run fine?


@rusty-snake commented on GitHub (Jul 29, 2021):

With `kernel.unprivileged_userns_clone=1` you can `include chromium-common-hardened.inc` (Attention: In firejail 0.9.66 and above it is `include chromium-common-hardened.inc.profile`) in `electron.local` and `chromium-common.local`.
https://github.com/netblue30/firejail/blob/0.9.64.4/etc/profile-a-l/electron.profile#L21-L23
https://github.com/netblue30/firejail/blob/0.9.64.4/etc/profile-a-l/chromium-common.profile#L33-L35

Which will set

```
caps.drop all
nonewprivs
noroot
protocol unix,inet,inet6,netlink
seccomp !chroot
```

https://github.com/netblue30/firejail/blob/0.9.64.4/etc/inc/chromium-common-hardened.inc

And you can remove the suid bit from `chrome-sandbox` and `bwrap`.

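The mechanism rusty-snake summarises above (the Electron/Chromium sandbox needs the `chroot` syscall, the profile's `seccomp` denies it, and the `seccomp !chroot` line in chromium-common-hardened.inc lets it through again) can be reproduced directly with a seccomp filter. The program below is an added example, not firejail or Chromium code. It assumes an x86_64 or aarch64 Linux host on which an unprivileged process may install a seccomp filter (the same thing `nonewprivs` plus `seccomp` do in a profile). It builds a BPF filter equivalent to a blacklist containing only `chroot`, calls `chroot("/")` in a child under that filter, and returns the errno the child saw. firejail's default `seccomp-error-action` is `EPERM`, which is also what the kernel returns for `chroot` without CAP_SYS_CHROOT; the `EACCES` case is there only so the filter's verdict can be told apart from the kernel's own capability check.

```c
/* seccomp_chroot_demo.c  (added example; not firejail or Chromium code)
 * Build: gcc -Wall -o seccomp_chroot_demo seccomp_chroot_demo.c
 * Shows what a seccomp filter that denies chroot(2) does to a process that
 * needs it, and what firejail's `seccomp !chroot` changes. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Write a filter into `out` that makes chroot(2) fail with `deny_errno`
 * and allows every other syscall. deny_errno == 0 means "do not touch
 * chroot", i.e. the effect of `seccomp !chroot`. Returns the number of
 * instructions written (at most 7, so `out` needs room for that many). */
static unsigned short build_filter(struct sock_filter *out, int deny_errno)
{
    unsigned short n = 0;
    /* Refuse to run a process with a different syscall ABI: the numbers below
     * are only meaningful for the architecture this was compiled for. */
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    if (deny_errno != 0) {
        /* nr == __NR_chroot -> hand back the errno without entering the kernel,
         * which is how firejail's default seccomp-error-action (EPERM) behaves. */
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_chroot, 0, 1);
        out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                                SECCOMP_RET_ERRNO | (deny_errno & SECCOMP_RET_DATA));
    }
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Install the filter in a forked child, call chroot("/") there and return
 * the errno the child observed: 0 if chroot succeeded, -1 if the filter
 * could not be installed (no CONFIG_SECCOMP_FILTER, or an outer sandbox
 * that forbids it). */
static int chroot_errno_under_filter(int deny_errno)
{
    struct sock_filter insns[8];
    struct sock_fprog prog = { .len = build_filter(insns, deny_errno), .filter = insns };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* PR_SET_NO_NEW_PRIVS is what lets an unprivileged process install a
         * filter; it is the flag the profile's `nonewprivs` sets, and the
         * reason a setuid chrome-sandbox helper cannot be used alongside it. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(255);
        _exit(chroot("/") == 0 ? 0 : (errno & 0xff));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    const struct { const char *label; int deny; } cases[] = {
        { "profile `seccomp` (firejail default: chroot -> EPERM)", EPERM },
        { "same filter with EACCES so the verdict is unmistakable", EACCES },
        { "profile `seccomp !chroot` (filter allows chroot)", 0 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int e = chroot_errno_under_filter(cases[i].deny);
        printf("%-58s -> chroot(\"/\"): %s\n", cases[i].label,
               e == 0 ? "succeeded" : e < 0 ? "filter could not be installed" : strerror(e));
    }
    return 0;
}
```

In the `EPERM` case the child gets exactly the error the Electron sandbox gets under the stock profile; Chromium treats a failed sandbox setup as fatal, which is consistent with the `trap int3` line in syslog and the `status 5` (SIGTRAP) the sandbox monitor logged for pid 23. With `deny_errno == 0` (`seccomp !chroot`) the filter stays out of the way and the outcome is decided by capabilities alone: `chroot` succeeds as root or inside a user namespace that holds CAP_SYS_CHROOT, which is why the hardened include is only usable together with `kernel.unprivileged_userns_clone=1`.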