github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #440] Unexpected behavior with Steam #316

New issue
Closed
opened 2026-05-05 05:35:32 -06:00 by gitea-mirror · 2 comments
gitea-mirror commented 2026-05-05 05:35:32 -06:00
Owner
Copy link

Originally created by @alexbakker on GitHub (Apr 16, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/440

When I '--join' the Steam process and list what's in my home directory, it appears I have access to the entire thing instead of what would be expected: only the directories with a noblacklist directive in steam.profile. Firejail works fine for me with other software. Am I doing something wrong here?

The steam.profile I'm using is the same as the default, but I'll paste it here for the record:

# Steam profile (applies to games/apps launched from Steam as well)
noblacklist ${HOME}/.steam
noblacklist ${HOME}/.local/share/steam
include /etc/firejail/disable-common.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-passwdmgr.inc

caps.drop all
netfilter
noroot
seccomp
protocol unix,inet,inet6

I launch Steam with the following command:
firejail --env=LD_PRELOAD='/usr/$LIB/libstdc++.so.6' --env=DISPLAY=:0 /usr/bin/steam

And here's the output I get:

Reading profile /etc/firejail/steam.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Warning: user namespaces not available in the current kernel.
Parent pid 17607, child pid 17608
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted

Child process initialized
Running Steam on arch rolling 64-bit
STEAM_RUNTIME is enabled automatically
Installing breakpad exception handler for appid(steam)/version(1460682547)
Installing breakpad exception handler for appid(steam)/version(1460682547)
Installing breakpad exception handler for appid(steam)/version(1460682547)
Fontconfig error: "/etc/fonts/conf.d/10-scale-bitmap-fonts.conf", line 72: non-double matrix element
Fontconfig error: "/etc/fonts/conf.d/10-scale-bitmap-fonts.conf", line 72: non-double matrix element
Fontconfig warning: "/etc/fonts/conf.d/10-scale-bitmap-fonts.conf", line 80: saw unknown, expected number
[0416/114534:ERROR:main_delegate.cc(777)] Could not load cef_extensions.pak
[0416/114534:ERROR:browser_main_loop.cc(203)] Running without the SUID sandbox! See https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on.
Installing breakpad exception handler for appid(steamwebhelper)/version(20160415003031)
Installing breakpad exception handler for appid(steamwebhelper)/version(1460680231)
[0416/114534:ERROR:main_delegate.cc(777)] Could not load cef_extensions.pak
Installing breakpad exception handler for appid(steamwebhelper)/version(20160415003031)
Installing breakpad exception handler for appid(steamwebhelper)/version(1460682547)
Installing breakpad exception handler for appid(steamwebhelper)/version(1460682547)
[0416/114534:ERROR:nss_util.cc(740)] Error initializing NSS with a persistent database (sql:/home/alex/.pki/nssdb): NSS error code: -8174
Installing breakpad exception handler for appid(steam)/version(1460682547)
Installing breakpad exception handler for appid(steam)/version(1460682547)
Installing breakpad exception handler for appid(steam)/version(1460682547)
Installing breakpad exception handler for appid(steam)/version(1460682547)
Installing breakpad exception handler for appid(steam)/version(1460682547)
Installing breakpad exception handler for appid(steam)/version(1460682547)
Created shared memory when not owner SteamController_Shared_mem
Installing breakpad exception handler for appid(steam)/version(1460682547)
Installing breakpad exception handler for appid(steam)/version(1460682547)

** (steam:98): WARNING **: Could not initialize NMClient /org/freedesktop/NetworkManager: Unit dbus-org.freedesktop.NetworkManager.service not found.
Installing breakpad exception handler for appid(steam)/version(1460682547)
Generating new string page texture 2: 48x256, total string texture memory is 49.15 KB
Generating new string page texture 3: 256x256, total string texture memory is 311.30 KB
Installing breakpad exception handler for appid(steam)/version(1460682547)
Installing breakpad exception handler for appid(steam)/version(1460682547)
roaming config store loaded successfully - 2702 bytes.
migrating temporary roaming config store
Fontconfig error: "/etc/fonts/conf.d/10-scale-bitmap-fonts.conf", line 72: non-double matrix element
Fontconfig error: "/etc/fonts/conf.d/10-scale-bitmap-fonts.conf", line 72: non-double matrix element
Fontconfig warning: "/etc/fonts/conf.d/10-scale-bitmap-fonts.conf", line 80: saw unknown, expected number
Installing breakpad exception handler for appid(steam)/version(1460682547)
Failed to init SteamVR because it isn't installed
ExecCommandLine: ""/home/alex/.local/share/Steam/ubuntu12_32/steam" "
Installing breakpad exception handler for appid(steam)/version(1460682547)
System startup time: 13.24 seconds
Running Steam on arch rolling 64-bit
STEAM_RUNTIME has been set by the user to: /home/alex/.local/share/Steam/ubuntu12_32/steam-runtime

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.

(steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent.
Generating new string page texture 77: 1024x256, total string texture memory is 1.36 MB
Generating new string page texture 78: 128x256, total string texture memory is 131.07 KB
Generating new string page texture 79: 128x256, total string texture memory is 1.49 MB
Generating new string page texture 80: 64x256, total string texture memory is 1.56 MB
Generating new string page texture 81: 8x256, total string texture memory is 1.56 MB
Generating new string page texture 82: 32x256, total string texture memory is 1.60 MB
ExecCommandLine: "/home/alex/.steam/root/ubuntu12_32/steam steam://open/driverhelperready"
ExecSteamURL: "steam://open/driverhelperready"
Generating new string page texture 86: 128x256, total string texture memory is 1.73 MB
Generating new string page texture 87: 128x256, total string texture memory is 1.86 MB
Generating new string page texture 90: 512x256, total string texture memory is 2.38 MB
Generating new string page texture 91: 16x256, total string texture memory is 2.40 MB
Generating new string page texture 208: 256x256, total string texture memory is 393.22 KB
Generating new string page texture 209: 256x256, total string texture memory is 2.66 MB
Generating new string page texture 210: 128x256, total string texture memory is 2.79 MB
Originally created by @alexbakker on GitHub (Apr 16, 2016). Original GitHub issue: https://github.com/netblue30/firejail/issues/440 When I '--join' the Steam process and list what's in my home directory, it appears I have access to the entire thing instead of what would be expected: only the directories with a noblacklist directive in steam.profile. Firejail works fine for me with other software. Am I doing something wrong here? The steam.profile I'm using is the same as the default, but I'll paste it here for the record: ``` # Steam profile (applies to games/apps launched from Steam as well) noblacklist ${HOME}/.steam noblacklist ${HOME}/.local/share/steam include /etc/firejail/disable-common.inc include /etc/firejail/disable-programs.inc include /etc/firejail/disable-devel.inc include /etc/firejail/disable-passwdmgr.inc caps.drop all netfilter noroot seccomp protocol unix,inet,inet6 ``` I launch Steam with the following command: `firejail --env=LD_PRELOAD='/usr/$LIB/libstdc++.so.6' --env=DISPLAY=:0 /usr/bin/steam` And here's the output I get: ``` Reading profile /etc/firejail/steam.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-passwdmgr.inc Warning: user namespaces not available in the current kernel. Parent pid 17607, child pid 17608 Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Child process initialized Running Steam on arch rolling 64-bit STEAM_RUNTIME is enabled automatically Installing breakpad exception handler for appid(steam)/version(1460682547) Installing breakpad exception handler for appid(steam)/version(1460682547) Installing breakpad exception handler for appid(steam)/version(1460682547) Fontconfig error: "/etc/fonts/conf.d/10-scale-bitmap-fonts.conf", line 72: non-double matrix element Fontconfig error: "/etc/fonts/conf.d/10-scale-bitmap-fonts.conf", line 72: non-double matrix element Fontconfig warning: "/etc/fonts/conf.d/10-scale-bitmap-fonts.conf", line 80: saw unknown, expected number [0416/114534:ERROR:main_delegate.cc(777)] Could not load cef_extensions.pak [0416/114534:ERROR:browser_main_loop.cc(203)] Running without the SUID sandbox! See https://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment for more information on developing with the sandbox on. Installing breakpad exception handler for appid(steamwebhelper)/version(20160415003031) Installing breakpad exception handler for appid(steamwebhelper)/version(1460680231) [0416/114534:ERROR:main_delegate.cc(777)] Could not load cef_extensions.pak Installing breakpad exception handler for appid(steamwebhelper)/version(20160415003031) Installing breakpad exception handler for appid(steamwebhelper)/version(1460682547) Installing breakpad exception handler for appid(steamwebhelper)/version(1460682547) [0416/114534:ERROR:nss_util.cc(740)] Error initializing NSS with a persistent database (sql:/home/alex/.pki/nssdb): NSS error code: -8174 Installing breakpad exception handler for appid(steam)/version(1460682547) Installing breakpad exception handler for appid(steam)/version(1460682547) Installing breakpad exception handler for appid(steam)/version(1460682547) Installing breakpad exception handler for appid(steam)/version(1460682547) Installing breakpad exception handler for appid(steam)/version(1460682547) Installing breakpad exception handler for appid(steam)/version(1460682547) Created shared memory when not owner SteamController_Shared_mem Installing breakpad exception handler for appid(steam)/version(1460682547) Installing breakpad exception handler for appid(steam)/version(1460682547) ** (steam:98): WARNING **: Could not initialize NMClient /org/freedesktop/NetworkManager: Unit dbus-org.freedesktop.NetworkManager.service not found. Installing breakpad exception handler for appid(steam)/version(1460682547) Generating new string page texture 2: 48x256, total string texture memory is 49.15 KB Generating new string page texture 3: 256x256, total string texture memory is 311.30 KB Installing breakpad exception handler for appid(steam)/version(1460682547) Installing breakpad exception handler for appid(steam)/version(1460682547) roaming config store loaded successfully - 2702 bytes. migrating temporary roaming config store Fontconfig error: "/etc/fonts/conf.d/10-scale-bitmap-fonts.conf", line 72: non-double matrix element Fontconfig error: "/etc/fonts/conf.d/10-scale-bitmap-fonts.conf", line 72: non-double matrix element Fontconfig warning: "/etc/fonts/conf.d/10-scale-bitmap-fonts.conf", line 80: saw unknown, expected number Installing breakpad exception handler for appid(steam)/version(1460682547) Failed to init SteamVR because it isn't installed ExecCommandLine: ""/home/alex/.local/share/Steam/ubuntu12_32/steam" " Installing breakpad exception handler for appid(steam)/version(1460682547) System startup time: 13.24 seconds Running Steam on arch rolling 64-bit STEAM_RUNTIME has been set by the user to: /home/alex/.local/share/Steam/ubuntu12_32/steam-runtime (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. (steam:98): LIBDBUSMENU-GLIB-WARNING **: Trying to remove a child that doesn't believe we're it's parent. Generating new string page texture 77: 1024x256, total string texture memory is 1.36 MB Generating new string page texture 78: 128x256, total string texture memory is 131.07 KB Generating new string page texture 79: 128x256, total string texture memory is 1.49 MB Generating new string page texture 80: 64x256, total string texture memory is 1.56 MB Generating new string page texture 81: 8x256, total string texture memory is 1.56 MB Generating new string page texture 82: 32x256, total string texture memory is 1.60 MB ExecCommandLine: "/home/alex/.steam/root/ubuntu12_32/steam steam://open/driverhelperready" ExecSteamURL: "steam://open/driverhelperready" Generating new string page texture 86: 128x256, total string texture memory is 1.73 MB Generating new string page texture 87: 128x256, total string texture memory is 1.86 MB Generating new string page texture 90: 512x256, total string texture memory is 2.38 MB Generating new string page texture 91: 16x256, total string texture memory is 2.40 MB Generating new string page texture 208: 256x256, total string texture memory is 393.22 KB Generating new string page texture 209: 256x256, total string texture memory is 2.66 MB Generating new string page texture 210: 128x256, total string texture memory is 2.79 MB ```
gitea-mirror 2026-05-05 05:35:32 -06:00
gitea-mirror commented 2026-05-05 05:35:37 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Apr 16, 2016):

Steam uses a regular profile: all the files are available with the exception of blacklisted files, mainly password and encryption files. The blacklisted files and directories are replaced with empty files and directories, read-only and owned by root. So, in your --join session if you try to go to ~/.ssh directory, the sandbox wouldn't let you.

This is different than what we do for browsers, where the home directory is whitelisted, and only a few files are visible. We intend to do something similar for Steam.

<!-- gh-comment-id:210799252 --> @netblue30 commented on GitHub (Apr 16, 2016): Steam uses a regular profile: all the files are available with the exception of blacklisted files, mainly password and encryption files. The blacklisted files and directories are replaced with empty files and directories, read-only and owned by root. So, in your --join session if you try to go to ~/.ssh directory, the sandbox wouldn't let you. This is different than what we do for browsers, where the home directory is whitelisted, and only a few files are visible. We intend to do something similar for Steam.
gitea-mirror commented 2026-05-05 05:35:39 -06:00
Author
Owner
Copy link

@alexbakker commented on GitHub (Apr 16, 2016):

Oh, I see. Misunderstanding on my part then.
Thanks!

<!-- gh-comment-id:210802923 --> @alexbakker commented on GitHub (Apr 16, 2016): Oh, I see. Misunderstanding on my part then. Thanks!
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#316
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?