[GH-ISSUE #5035] gamemoderun doesn't work with firejail #2860

Open
opened 2026-05-05 09:31:17 -06:00 by gitea-mirror · 23 comments

Originally created by @ademlabs on GitHub (Mar 11, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5035

With reference to the [firejail and gamemoderun](https://github.com/netblue30/firejail/discussions/4201) discussion, I tried running gamemoderun on glxgears instead of supertuxkart for testing.

I'm on EndeavourOS (Arch-based) running firejail version 0.9.68

In my `~/.config/firejail/supertuxcart.local` file I have added glxgears to the private-bin:

```
# Required by gamemoderun
noblacklist ${PATH}/bash
private-bin gamemoderun,bash,env,glxgears
ignore dbus-user none
dbus-user filter
dbus-user.talk com.feralinteractive.GameMode
```

Then I ran the command

```
firejail --profile=supertuxkart gamemoderun /usr/bin/glxgears
```

Which produced the following output:

```
Reading profile /etc/firejail/supertuxkart.profile
Reading profile /home/ademlabs/.config/firejail/supertuxkart.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 381125, child pid 381128
Warning: skipping none for private /opt
Private /opt installed in 0.11 ms
Warning: skipping none for private /srv
Private /srv installed in 0.07 ms
4 programs installed in 4.89 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping drirc for private /etc
Warning: skipping openal for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 21.53 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 157.85 ms
gamemodeauto:
Running synchronized to the vertical refresh.  The framerate should be
approximately the same as the monitor refresh rate.
316 frames in 5.0 seconds = 63.038 FPS
300 frames in 5.0 seconds = 59.996 FPS
300 frames in 5.0 seconds = 59.996 FPS
300 frames in 5.0 seconds = 59.996 FPS
```

In a separate terminal window I checked `gamemoded -s` but it always gives me

```
gamemode is inactive
```

Running `gamemoderun /usr/bin/glxgears` will work as expected though and I'll see `gamemode is active`.
I'm not sure what to check next; it seems this should just work with this config. Maybe dbus communication is not working as expected?


@rusty-snake commented on GitHub (Mar 11, 2022):

> ~/.config/firejail/supertux**c**art.local

Typo in comment or in real filename?


@ademlabs commented on GitHub (Mar 11, 2022):

> > ~/.config/firejail/supertux**c**art.local
>
> Typo in comment or in real filename?

Yes, sorry there is a typo in comment, the file on disk is properly named `supertuxkart.local`. In the output from firejail, it does load the correct file:

```
...
Reading profile /home/ademlabs/.config/firejail/supertuxkart.local
...
```

@rusty-snake commented on GitHub (Mar 11, 2022):

Does it work if you comment

```
dbus-user filter
dbus-user.talk com.feralinteractive.GameMode
```

@ademlabs commented on GitHub (Mar 11, 2022):

No, I have the same result when commenting those lines.

I tried looking at the running processes. `glxgears` is currently running with PID 422074:

```
$ ps aux | grep -i glxgears
ademlabs    422052  0.0  0.0   4596  2732 pts/3    S+   21:17   0:00 firejail --profile=supertuxkart gamemoderun /usr/bin/glxgears
ademlabs    422057  0.1  0.0   4608  2016 pts/3    S+   21:17   0:00 firejail --profile=supertuxkart gamemoderun /usr/bin/glxgears
ademlabs    422074  1.0  0.3 1309524 102236 pts/3  Sl+  21:17   0:00 /usr/bin/glxgears
```

I also checked for any `gamemoded` logs with `journalctl -n 5 _COMM=gamemoded`:

```
Mar 11 21:15:52 valkyrja gamemoded[37205]: ERROR: Unable to find executable for PID 420625: Permission denied
Mar 11 21:15:52 valkyrja gamemoded[37205]: ERROR: Failed to register client [420625]: Permission denied
Mar 11 21:17:12 valkyrja gamemoded[37205]: ERROR: Removal requested for unknown process [420625].
Mar 11 21:17:47 valkyrja gamemoded[37205]: ERROR: Unable to find executable for PID 422074: Permission denied
Mar 11 21:17:47 valkyrja gamemoded[37205]: ERROR: Failed to register client [422074]: Permission denied
```

Seems gamemoded is not able to register the PID process, so I tried with a manual request as well:

```
$ gamemoded -r422074
gamemode not active for client, requesting start for 422074...
ERROR: gamemode_request_start_for(422074) failed:
```

And journalctl shows the same error again:

```
Mar 11 21:23:52 valkyrja gamemoded[37205]: ERROR: Unable to find executable for PID 422074: Permission denied
Mar 11 21:23:52 valkyrja gamemoded[37205]: ERROR: Failed to register client [422074]: Permission denied
```

I'm not sure where the permission error is coming from, I'm running everything with the same user here.


@rusty-snake commented on GitHub (Mar 11, 2022):

If this is caused by the pid namespace, you can give up.

Does `firejail --noprofile gamemoderun …` work?


@ademlabs commented on GitHub (Mar 11, 2022):

Yes, it works with the `--noprofile` option.


@rusty-snake commented on GitHub (Mar 11, 2022):

Can you confirm that `ignore noroot` works?


@ademlabs commented on GitHub (Mar 11, 2022):

Indeed, passing the `--ignore=noroot` option allows gamemode to run:

```
firejail --ignore=noroot --profile=supertuxkart gamemoderun /usr/bin/glxgears
```

Also, I noticed that whenever gamemode works correctly (with or without firejail), I have this line in my system logs for the `gamemoded` service:

```
Mar 11 22:28:39 valkyrja pkexec[473366]: pam_unix(polkit-1:session): session opened for user root(uid=0) by (uid=1000)
```

Not sure if this is related.


@ademlabs commented on GitHub (Mar 15, 2022):

Is there a way to debug this? I'm trying to understand why it doesn't work when `noroot` is specified.


@rusty-snake commented on GitHub (Mar 19, 2022):

Does `unshare --map-current-user gamemoderun /usr/bin/glxgears` work?


@ademlabs commented on GitHub (Mar 19, 2022):

Yes it works, gamemode is active when running `unshare --map-current-user ...`


@rusty-snake commented on GitHub (Mar 19, 2022):

Ok, so it's not caused by userns in general but instead by firejail's implementation. When I run `firejail --noprofile [--noroot] sleep 1m` and compare `ls -l /proc/<PID of sleep>` the difference is that the targets of the `cwd`, `exe` and `root` symlinks are only accessible for root but not for a regular user.

Is this something we can change? @smitsohu

That's also the cause for flatpak/xdg-desktop-portal#737.

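As an added diagnostic (not code from firejail, gamemode or anyone in this thread), the following POSIX shell script makes the comparison above repeatable: it resolves the `cwd`, `exe` and `root` links of a PID the way `ls -l /proc/<PID>` does, reports which ones the caller is not allowed to follow, and prints the PID's `uid_map` for context. It assumes a Linux `/proc`, and that the "Unable to find executable for PID ...: Permission denied" error in the gamemoded log comes from resolving `/proc/<pid>/exe` (an assumption, not stated in the thread).

```shell
#!/bin/sh
# Added diagnostic for this thread (not firejail or gamemode code).
# Run it with the PID of a process started under "firejail --noprofile --noroot"
# and with the PID of one started plainly: with the affected firejail versions the
# first reports "denied" for cwd/exe/root as a regular user, the second reports "ok".

# Resolve one /proc/<pid>/<link>. Prints "ok <target>", "denied" or
# "no-such-process". Return status is 0 only when the link resolved.
proc_link() {
    pid=$1
    link=$2
    if [ ! -d "/proc/$pid" ]; then
        printf 'no-such-process\n'
        return 1
    fi
    # readlink on cwd/exe/root fails with EACCES when the caller lacks
    # ptrace-read access to the target process; that is the "only root" case
    # observed above, and (assumption) the lookup gamemoded reports as failing.
    if target=$(readlink "/proc/$pid/$link" 2>/dev/null) && [ -n "$target" ]; then
        printf 'ok %s\n' "$target"
    else
        printf 'denied\n'
        return 1
    fi
}

# uid_map is readable even when the links are not, so it ties a "denied" result
# to the user namespace the process lives in. Always returns 0.
proc_uid_map() {
    pid=$1
    if [ -r "/proc/$pid/uid_map" ]; then
        cat "/proc/$pid/uid_map"
    else
        printf 'unavailable\n'
    fi
}

# Check cwd, exe and root for one PID. Returns 0 only if all three resolve.
proc_links_accessible() {
    pid=$1
    status=0
    for link in cwd exe root; do
        result=$(proc_link "$pid" "$link") || status=1
        printf '/proc/%s/%s: %s\n' "$pid" "$link" "$result"
    done
    printf 'uid_map for %s:\n' "$pid"
    proc_uid_map "$pid"
    return $status
}

# Stand-alone use: "sh proc-links.sh <pid>"; with no argument it checks the
# shell itself, which is the plain (non-sandboxed) side of the comparison.
if [ "$#" -gt 0 ]; then
    proc_links_accessible "$1"
else
    proc_links_accessible "$$"
fi
```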

@smitsohu commented on GitHub (Mar 20, 2022):

Related: #3727 and possibly more.

What could be done on our end is creating the user namespace with user privileges where possible, falling back to root only if that fails.


@smitsohu commented on GitHub (Mar 20, 2022):

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 96407d08..3d8e3330 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1220,8 +1220,10 @@ int sandbox(void* sandbox_arg) {
        //****************************************
        save_nogroups();
        if (arg_noroot) {
+               EUID_USER();
                int rv = unshare(CLONE_NEWUSER);
-               if (rv == -1) {
+               EUID_ROOT();
+               if (rv && unshare(CLONE_NEWUSER)) {
                        fwarning("cannot create a new user namespace, going forward without it...\n");
                        arg_noroot = 0;
                }
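Review bot: the `EUID_ROOT()` inserted right after the unprivileged `unshare(CLONE_NEWUSER)` cannot take effect in the case this hunk is trying to enable. When that first unshare succeeds, the process is already inside a new user namespace whose uid_map has not been written, and calls that change user IDs fail there (exactly the man page text quoted in the EDIT), so the rest of `sandbox()` continues with user privileges and nothing notices. Either write uid_map/gid_map for the new namespace before switching the effective UID back, or verify with `geteuid() == 0` after `EUID_ROOT()` and bail out instead of going on silently. The fallback condition `rv && unshare(CLONE_NEWUSER)` is correct for `rv == -1`, but the second attempt overwrites the `errno` of the first; save it if the warning is ever to say why the unprivileged attempt failed.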

EDIT: This is broken because

> In a user namespace where the uid_map file has not been written, the system calls that change user IDs will fail.


@smitsohu commented on GitHub (Mar 20, 2022):

Also related: #4623


@inittux111 commented on GitHub (Mar 20, 2024):

I'm also running into this, except I am having this with the Steam profile. Once a solution has been made for this, will this also be applicable for using firejail with steam and gamemoderun, so that when you launch a game through Steam gamemode will be active when being used with firejail?


@ghost commented on GitHub (Mar 20, 2024):

@Hydranet
Hard to answer what will happen in the future. For now - almost two years later - the referenced issues haven't seen any progress. Have you tested/tried the suggested workaround yet? If not, here's an updated example for gamemoderun and steam with Firejail `0.9.72`:

```sh
$ cat ~/.config/firejail/steam.local
# Required by gamemoderun
# steam.profile doesn't 'include disable-shell.inc'
#include allow-bin-sh.inc
ignore noroot
# steam.profile doesn't enable 'private-bin' by default
#private-bin bash,env,gamemoderun
# steam.profile doesn't enable D-Bus filtering
#ignore dbus-user none
#dbus-user filter
#dbus-user.talk com.feralinteractive.GameMode
```

After creating the above file, try running `firejail --profile=steam gamemoderun /usr/bin/steam`.

HTH


@inittux111 commented on GitHub (Mar 22, 2024):

@glitsj16 Thanks for your response!
I did try that; when I do, I get the following error message:
"Steam on Linux now requires the ability to create new user namespaces."

```
steam-runtime-check-requirements[149]: E: Diagnostic output:
dbus[152]: arguments to dbus_pending_call_block() were incorrect, assertion "pending != NULL" failed in file dbus-pending-call.c line 766.
This is normally a bug in some application using the D-Bus library.

  D-Bus not built with -rdynamic so unable to print a backtrace

steam.sh[32]: Error: Steam on Linux now requires the ability to create new user namespaces.

If the file /proc/sys/kernel/unprivileged_userns_clone exists, check that
it contains value 1.

If the file /proc/sys/user/max_user_namespaces exists, check that its
value is high enough.

This requirement is the same as for Flatpak, which has more detailed
information available:
https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
```

When I check those values on my system I get these:

```
cat /proc/sys/kernel/unprivileged_userns_clone
1

cat /proc/sys/user/max_user_namespaces
125114
```

@ghost commented on GitHub (Mar 22, 2024):

> Steam on Linux now requires the ability to create new user namespaces.

Not sure if that's really a 'new' requirement. I'd try to pin-point the offending line(s) in the steam profile to see what else it needs. Some 'possible candidates' are `noroot`, `nonewprivs` and `seccomp`. The latter has a somewhat cryptic comment in the profile:

https://github.com/netblue30/firejail/blob/3f4d6df0410f2b6e7ea295b7a3d7a0293f478fa9/etc/profile-m-z/steam.profile#L165-L169

You'll have to experiment a bit here.


@inittux111 commented on GitHub (Mar 22, 2024):

Thanks, I'll try experimenting with that and report back here if I get it to work.


@inittux111 commented on GitHub (Mar 22, 2024):

@glitsj16 I got it to work with `ignore noroot`. I still had the same errors when running this:

```
firejail --profile=steam gamemoderun /usr/bin/steam
```

However, I figured this doesn't make sense because firejail launches Steam, and then when Steam is started and you launch a game, the Steam launch options launch gamemoderun. Then I tried `noroot`, `nonewprivs` and `seccomp`. Seems only the first one is needed to get gamemoderun to work when launching a game from Steam. Thanks for your help! I'll remember to read the comments in the profiles and try overriding different settings with ignore in my local file if I run into something again. Thanks for your help!

Just one question, since `ignore noroot` fixes it, what does `noroot` actually do with the sandbox, so that I can maybe understand why ignoring it allows gamemoderun to be used by Steam when launching a game?


@ghost commented on GitHub (Mar 22, 2024):

@Hydranet

> I got it to work with 'ignore noroot'.

Nice!

> Just one question, since 'ignore noroot' fixes it what does noroot actually do with the sandbox so that I can maybe understand why ignore that allows gamemoderun to be used by Steam when launching a game?

The `noroot` option creates a user namespace containing only your current (unprivileged) user, so without the 'root' user. Most of the time that doesn't create any problems for the application being sandboxed and therefore is considered a 'plus' to enable in firejail profiles. In your Steam and gamemoderun combo though, the 'root' user needs to exist so Steam can actually handle the namespace switching. Now that might sound bad - root historically has 'danger' attached to it all over. But steam.profile still protects the sandbox via options like `nogroups` and especially `nonewprivs` + seccomp filtering. The end result being an 'acceptable' balance between security and usability... Hope this helps clearing up some of the cryptics of the interaction between all the possible sandbox options firejail offers.

In general it's a good thing to look at the content of the profiles. Agreed, it can take some time and effort to familiarize oneself with their syntax, structure etc. But after a while you'll be in a much better position to make the kind of informed decisions on how to protect the system. Your comments suggest you're on the right track :-)

Happy sandboxing!


@inittux111 commented on GitHub (Mar 22, 2024):

@glitsj16

> The `noroot` option creates a user namespace containing only your current (unprivileged) user, so without the 'root' user.

Thanks for the explanation!

> In general it's a good thing to look at the content of the profiles. Agreed, it can take some time and effort to familiarize oneself with their syntax, structure etc. But after a while you'll be in a much better position to make the kind of informed decisions on how to protect the system. Your comments suggest you're on the right track :-)
>
> Happy sandboxing!

Thanks again for your help and thanks for Firejail!

Reference: github-starred/firejail#2860