[GH-ISSUE #6306] lutris: Lutris 5.17 uses new paths and syscalls #3235

Open
opened 2026-05-05 09:50:46 -06:00 by gitea-mirror · 7 comments

Originally created by @nutta-git on GitHub (Apr 12, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6306

Description

Lutris 5.17 is a major update with more than 540 [commits](https://github.com/lutris/lutris/compare/v0.5.16...v0.5.17). New features include the new umu wine-launcher [package](https://github.com/Open-Wine-Components/umu-launcher).
This requires new file / syscall permissions to run games (tested with [uplay](https://lutris.net/games/ubisoft-connect/)).
I won't follow the traditional reporting style since it's a lot of work.
Yes, I tested it without the firejail profile and Lutris 5.17-1 did run fine.

Steps to Reproduce

Steps to reproduce the behavior

  1. Download and install the following: Lutris [5.17-1](https://archlinux.org/packages/extra-testing/any/lutris/download/) and [firejail-git](https://aur.archlinux.org/packages/firejail-git) (Lutris 5.17-2 won't work for some reason, not related to firejail as far as I know)
  2. ln -s /usr/bin/firejail /usr/local/bin/lutris
  3. cp /etc/firejail/lutris.profile ~/.config/firejail/lutris.profile
  4. firecfg --fix
  5. Launch Lutris
  6. Start Ubisoft Connect [WINE- Latest Version]
     ![lutris_reprodue](https://github.com/netblue30/firejail/assets/59726608/46a2c386-8f2d-4a98-9686-17997cf87678)

New File permission

```
noblacklist ${HOME}/.local/share/Steam
noblacklist ${HOME}/.local/share/umu
whitelist ${HOME}/.local/share/Steam
whitelist ${HOME}/.local/share/umu
```

*Whitelisting only .local/share/Steam/compatibilitytools.d will not work; Lutris now needs access to the whole /Steam folder (as far as I can see).

New syscall permission

```
!clone,!mount,!pivot_root,!umount2
```

Other permission

remove `restrict-namespaces`

Copy of my current lutris.profile:

```
# Firejail profile for lutris
# Description: Multi-library game handler with special support for Wine
# This file is overwritten after every install/update
# Persistent local customizations
include lutris.local
# Persistent global definitions
include globals.local

noblacklist ${PATH}/llvm*
noblacklist ${HOME}/Games
noblacklist ${HOME}/.cache/lutris
noblacklist ${HOME}/.cache/wine
noblacklist ${HOME}/.cache/winetricks
noblacklist ${HOME}/.config/lutris
noblacklist ${HOME}/.config/MangoHud
noblacklist ${HOME}/.local/share/lutris
noblacklist ${HOME}/.local/share/Steam
noblacklist ${HOME}/.local/share/umu
# noblacklist ${HOME}/.wine
noblacklist /tmp/.wine-*
# Don't block access to /sbin and /usr/sbin to allow using ldconfig. Otherwise
# Lutris won't even start.
noblacklist /sbin
noblacklist /usr/sbin

ignore noexec ${HOME}

# Allow python (blacklisted by disable-interpreters.inc)
include allow-python2.inc
include allow-python3.inc

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/Games
mkdir ${HOME}/.cache/lutris
mkdir ${HOME}/.cache/wine
mkdir ${HOME}/.cache/winetricks
mkdir ${HOME}/.config/lutris
mkdir ${HOME}/.local/share/lutris
# mkdir ${HOME}/.wine
whitelist ${DOWNLOADS}
whitelist ${HOME}/Games
whitelist ${HOME}/.cache/lutris
whitelist ${HOME}/.cache/wine
whitelist ${HOME}/.cache/winetricks
whitelist ${HOME}/.config/lutris
whitelist ${HOME}/.config/MangoHud
whitelist ${HOME}/.local/share/lutris
whitelist ${HOME}/.local/share/Steam
whitelist ${HOME}/.local/share/umu
# whitelist ${HOME}/.wine
whitelist /usr/share/lutris
whitelist /usr/share/wine
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-runuser-common.inc
include whitelist-var-common.inc

# allow-debuggers
# apparmor
caps.drop all
ipc-namespace
ignore netfilter
nodvd
nogroups
nonewprivs
#noroot
notv
nou2f
protocol unix,inet,inet6,netlink
seccomp !modify_ldt,!clone3,!ptrace,!process_vm_readv,!clone,!mount,!pivot_root,!umount2
seccomp.32 !modify_ldt,!process_vm_readv
# Add the next line to your lutris.local if you do not need controller support.
#private-dev
#private-tmp

dbus-user filter
dbus-user.own net.lutris.Lutris
dbus-user.talk com.feralinteractive.GameMode
dbus-system none

#restrict-namespaces
```
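A reviewer's check for a request like the one above, as an added example (not Firejail's own tooling): diff the shipped profile against the proposed one and list every syscall exception, path and restriction the change loosens. The OLD and NEW fragments are constructed from this issue's description of the change, and the directive semantics (`seccomp !x` exempts `x` from the default drop list, `whitelist`/`noblacklist` expose paths, bare keywords are restrictions) are assumed from how the page uses them.

```python
# Added example (not Firejail's own code): diff two Firejail profiles and list
# what the proposed one loosens. Assumed semantics: "seccomp !x" exempts
# syscall x from the default drop list, whitelist/noblacklist expose paths,
# and bare keywords such as restrict-namespaces vanish once commented out.

def parse_profile(text):
    """Collect sandbox-relevant directives; comments and blank lines are skipped."""
    p = {"syscalls": set(), "paths": set(), "options": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key in ("seccomp", "seccomp.32"):
            p["syscalls"] |= {s[1:] for s in rest.split(",") if s.startswith("!")}
        elif key in ("whitelist", "noblacklist"):
            p["paths"].add(rest)
        elif not rest:
            p["options"].add(key)
    return p

def widening(old_text, new_text):
    """Everything the new profile permits that the old one did not."""
    old, new = parse_profile(old_text), parse_profile(new_text)
    return {
        "syscalls_reenabled": sorted(new["syscalls"] - old["syscalls"]),
        "paths_exposed": sorted(new["paths"] - old["paths"]),
        "restrictions_dropped": sorted(old["options"] - new["options"]),
    }

# Constructed fragments: OLD approximates the shipped profile before this
# issue's changes, NEW carries the additions the issue asks for.
OLD = """\
noblacklist ${HOME}/.local/share/lutris
whitelist ${HOME}/.local/share/lutris
seccomp !modify_ldt,!clone3,!ptrace,!process_vm_readv
seccomp.32 !modify_ldt,!process_vm_readv
restrict-namespaces
"""
NEW = """\
noblacklist ${HOME}/.local/share/lutris
noblacklist ${HOME}/.local/share/Steam
whitelist ${HOME}/.local/share/lutris
whitelist ${HOME}/.local/share/umu
seccomp !modify_ldt,!clone3,!ptrace,!process_vm_readv,!clone,!mount,!pivot_root,!umount2
seccomp.32 !modify_ldt,!process_vm_readv
#restrict-namespaces
"""
```

Running `widening(OLD, NEW)` gives the three lists a maintainer would want justified one by one before merging: the re-enabled syscalls, the newly exposed paths and the dropped namespace restriction.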
@nutta-git commented on GitHub (Apr 12, 2024):

Once this is tested, I can make a pull request.

@ghost commented on GitHub (Apr 12, 2024):

> ignore netfilter

`ignore` looks odd here. It's supposed to override an option that gets included later (in either the same foo.profile or in a redirect). Is `netfilter` causing breakage?

@nutta-git commented on GitHub (Apr 12, 2024):

When I included a copy of my lutris.profile it wasn't meant to be used as a reference implementation for this issue, but it was meant to show a visual of how the new rules are added.

Please "ignore" that.
I think I added that because I was already using a firewall and/or was testing around stuff.

@ghost commented on GitHub (Apr 12, 2024):

Thanks for clearing that up!

@OwlInSpace commented on GitHub (May 4, 2024):

~~Lutris 5.17 wasn't working for me either. I like restrictive sandboxes, so I tried seeing the minimum possible permissions to make it work, and all I really needed was `seccomp !modify_ldt,!ptrace,!process_vm_readv`.~~

~~Without those I get this on repeat until it gives up after I think 8 tries:~~

```
[0504/110919.095:ERROR:gpu_process_host.cc(985)] GPU process launch failed: error_code=43
[0504/110919.095:WARNING:gpu_process_host.cc(1338)] The GPU process has crashed 1 time(s)
[0504/110919.279:ERROR:gpu_process_host.cc(985)] GPU process launch failed: error_code=43
[0504/110919.279:WARNING:gpu_process_host.cc(1338)] The GPU process has crashed 2 time(s)
```

~~I'm on the latest version of Firejail and Lutris from the Fedora repo, and I tested this with Steam for Windows.~~

~~I haven't tried the new features though, so I don't know what works with those. I used the default wine runner for testing, so different runners might need more permissions as @nutta-git mentioned.~~

This has already been fixed with #6067

@kmk3 commented on GitHub (May 4, 2024):

> Lutris 5.17 wasn't working for me too. I like restrictive sandboxes, so I
> tried seeing the minimum possible permissions to make it work, and all I
> really needed was `seccomp !modify_ldt,!ptrace,!process_vm_readv`.

This was already done in #6067.

Does it work with firejail-git?

@OwlInSpace commented on GitHub (May 4, 2024):

> > Lutris 5.17 wasn't working for me too. I like restrictive sandboxes, so I
> > tried seeing the minimum possible permissions to make it work, and all I
> > really needed was `seccomp !modify_ldt,!ptrace,!process_vm_readv`.
>
> This was already done in #6067.
>
> Does it work with firejail-git?

I'm using the [Fedora 40 package](https://packages.fedoraproject.org/pkgs/firejail/firejail/) which is Firejail 0.9.72. That is the latest release, but it was released on [Jan 16, 2023](https://github.com/netblue30/firejail/releases/tag/0.9.72), which is before #6067. I should've checked if there were other issues on this in hindsight; thanks for mentioning the pull request.

Reference: github-starred/firejail#3235