[GH-ISSUE #6566] Vulkan applications don't work even with --noprofile (nvidia) #3305

Closed
opened 2026-05-05 09:54:08 -06:00 by gitea-mirror · 5 comments
Owner

Originally created by @Jacajack on GitHub (Dec 14, 2024).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6566

Description

It appears that on my machine Vulkan applications (vulkaninfo, vkcube, DXVK in WINE) do not work inside firejail, even if --noprofile is specified. The error messages report vkEnumeratePhysicalDevices either returning zero devices or failing. I have found another Vulkan issue: https://github.com/netblue30/firejail/issues/2959. In their case, however, --noprofile has fixed it.

Steps to Reproduce

  1. Run firejail --noprofile vulkaninfo

Expected behavior

I expect to see normal vulkaninfo output. Or any Vulkan app working.

Actual behavior

Vulkan applications fail as no Vulkan compatible devices seem to be detected.

$ firejail --noprofile vulkaninfo
Parent pid 1303244, child pid 1303245
Child process initialized in 6.76 ms
ERROR: [Loader Message] Code 0 : setup_loader_term_phys_devs:  Failed to detect any valid GPUs in the current config
ERROR at /usr/src/debug/vulkan-tools/Vulkan-Tools-1.4.303/vulkaninfo/./vulkaninfo.h:247:vkEnumeratePhysicalDevices failed with ERROR_INITIALIZATION_FAILED

Parent is shutting down, bye...

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a
terminal?

Nothing, unfortunately:

$ LC_ALL=C firejail --noprofile /usr/bin/vulkaninfo
Parent pid 1338387, child pid 1338388
Child process initialized in 7.57 ms
ERROR: [Loader Message] Code 0 : setup_loader_term_phys_devs:  Failed to detect any valid GPUs in the current config
ERROR at /usr/src/debug/vulkan-tools/Vulkan-Tools-1.4.303/vulkaninfo/./vulkaninfo.h:247:vkEnumeratePhysicalDevices failed with ERROR_INITIALIZATION_FAILED

Parent is shutting down, bye...

Additional context

Any other detail that may help to understand/debug the problem

I have an Nvidia card - RTX 2070 SUPER and use the nvidia-dkms driver. Nothing else comes to my mind at the moment.

Environment

  • Name/version/arch of the Linux kernel (uname -srm): Linux 6.12.4-arch1-1 x86_64
  • Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): Arch Linux
  • Version of Firejail (firejail --version): 0.9.72
  • If you use a development version of firejail, also the commit from which it
    was compiled (git rev-parse HEAD): N/A

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • [N/A] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • [N/A] The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).

Log

Output of LC_ALL=C firejail /path/to/program

$ LC_ALL=C firejail --noprofile /usr/bin/vulkaninfo
Parent pid 1338387, child pid 1338388
Child process initialized in 7.57 ms
ERROR: [Loader Message] Code 0 : setup_loader_term_phys_devs:  Failed to detect any valid GPUs in the current config
ERROR at /usr/src/debug/vulkan-tools/Vulkan-Tools-1.4.303/vulkaninfo/./vulkaninfo.h:247:vkEnumeratePhysicalDevices failed with ERROR_INITIALIZATION_FAILED

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

$ LC_ALL=C firejail --debug --noprofile /usr/bin/vulkaninfo
Building quoted command line: '/usr/bin/vulkaninfo'
Command name #vulkaninfo#
DISPLAY=:0 parsed as 0
Using the local network stack
Parent pid 1355267, child pid 1355268
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
573 527 259:3 /etc /etc ro,relatime master:1 - ext4 /dev/nvme0n1p2 rw
mountid=573 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
574 573 259:3 /etc /etc ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/nvme0n1p2 rw
mountid=574 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
575 527 259:3 /var /var ro,relatime master:1 - ext4 /dev/nvme0n1p2 rw
mountid=575 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
576 575 259:3 /var /var ro,nosuid,nodev,noexec,relatime master:1 - ext4 /dev/nvme0n1p2 rw
mountid=576 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
577 527 259:3 /usr /usr ro,relatime master:1 - ext4 /dev/nvme0n1p2 rw
mountid=577 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/hypervisor
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/lib/modules/6.12.4-arch1-1/build (requested /usr/src/linux)
Disable /usr/lib/modules (requested /lib/modules)
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Current directory: /home/j/misc
DISPLAY=:0 parsed as 0
Mounting read-only /run/firejail/mnt/seccomp
616 570 0:89 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755,inode64
mountid=616 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             160 ..
-rw-r--r-- j        j                640 seccomp
-rw-r--r-- j        j                432 seccomp.32
-rw-r--r-- j        j                  0 seccomp.postexec
-rw-r--r-- j        j                  0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 1000, force_nogroups 0
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
execvp argument 0: /usr/bin/vulkaninfo
Child process initialized in 15.16 ms
monitoring pid 2

ERROR: [Loader Message] Code 0 : setup_loader_term_phys_devs:  Failed to detect any valid GPUs in the current config
ERROR at /usr/src/debug/vulkan-tools/Vulkan-Tools-1.4.303/vulkaninfo/./vulkaninfo.h:247:vkEnumeratePhysicalDevices failed with ERROR_INITIALIZATION_FAILED
Sandbox monitor: waitpid 2 retval 2 status 256

Parent is shutting down, bye...

gitea-mirror 2026-05-05 09:54:08 -06:00
Author
Owner

@Jacajack commented on GitHub (Dec 14, 2024):

Okay, I think I got that. I ran strace vkcube with and without firejail. I noticed that it's accessing /sys/module/nvidia/initstate. The successful call should look like this:

access("/sys/module/nvidia/initstate", R_OK) = 0

But with firejail it's:

access("/sys/module/nvidia/initstate", R_OK) = -1 EACCES (Permission denied)

This can be fixed (or rather worked around) with --noblacklist=/sys/module. Shouldn't GPU driver paths be accessible by default, unless --no3d is set?
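The comment above found the culprit by comparing an strace of vkcube against the "Disable ..." lines of firejail --debug by hand. The script below, an added example that is neither part of this issue nor of firejail, automates that correlation: it parses failed file syscalls from strace output, matches their paths against the prefixes firejail disabled, and reports the --noblacklist= workaround the comment used. Both sample inputs are constructed; only the initstate line and the /sys/module entry echo the report.

```python
import re

# Constructed sample input: the two failing lines echo the report's strace
# observation; the others are made up so the correlation has noise to skip.
STRACE_OUTPUT = """\
access("/sys/module/nvidia/initstate", R_OK) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/usr/share/vulkan/icd.d/nvidia_icd.json", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/dev/nvidiactl", O_RDWR) = 4
stat("/sys/module/nvidia_drm/parameters/modeset", 0x7ffd0000) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/j/.cache/missing", O_RDONLY) = -1 ENOENT (No such file or directory)
"""

# Constructed excerpt of the "Disable ..." lines from `firejail --debug`.
FIREJAIL_DEBUG = """\
Disable /sys/firmware
Disable /sys/fs
Disable /sys/module
Disable /usr/lib/modules (requested /lib/modules)
blacklist /run/firejail/dbus
"""

# One strace line: syscall, first quoted path argument, return value, errno.
SYSCALL_RE = re.compile(r'^(?P<call>\w+)\((?:AT_FDCWD, )?"(?P<path>[^"]+)".*\)'
                        r'\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>E[A-Z]+))?')


def disabled_prefixes(debug_output):
    """Paths that firejail reported as disabled or blacklisted."""
    out = []
    for line in debug_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("Disable", "blacklist"):
            out.append(parts[1].rstrip("/"))
    return out


def correlate(strace_output, debug_output):
    """Failed file syscalls under a firejail-disabled prefix, as
    (syscall, path, errno, prefix, --noblacklist workaround) tuples."""
    prefixes = disabled_prefixes(debug_output)
    findings = []
    for line in strace_output.splitlines():
        m = SYSCALL_RE.match(line)
        if not m or m.group("ret") != "-1":
            continue  # not a file syscall, or it succeeded
        path = m.group("path")
        hits = [p for p in prefixes if path == p or path.startswith(p + "/")]
        if not hits:
            continue  # failure unrelated to the sandbox blacklist
        prefix = max(hits, key=len)  # most specific covering prefix
        findings.append((m.group("call"), path, m.group("errno"), prefix,
                         f"--noblacklist={prefix}"))
    return findings


if __name__ == "__main__":
    for call, path, err, prefix, fix in correlate(STRACE_OUTPUT, FIREJAIL_DEBUG):
        print(f"{call}({path}) -> {err}: under disabled {prefix}; try {fix}")
```

Re-exposing a prefix widens the sandbox, so the output is a starting point for deciding which single path the driver actually needs, not a flag to apply blindly.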

Author
Owner

@rusty-snake commented on GitHub (Dec 14, 2024):

There are a lot of fixes since the last release, can you test with firejail-git.

Author
Owner

@Jacajack commented on GitHub (Dec 14, 2024):

Just tried firejail 0.9.73 from firejail-git. Both vkcube and vulkaninfo work fine with and without --noprofile. No additional flags needed. I guess this can be closed now.

Thanks for your quick response. Do you know when we can expect the new official release?

Author
Owner

@rusty-snake commented on GitHub (Dec 14, 2024):

> Do you know when we can expect the new official release?

Either before the next debian freeze or, if this does not happen, probably never.

Author
Owner

@kmk3 commented on GitHub (Dec 15, 2024):

Duplicate of #6372
