[GH-ISSUE #6634] zoom: program does not start (nvidia) #3317

Closed
opened 2026-05-05 09:54:28 -06:00 by gitea-mirror · 2 comments

Originally created by @WPettersson on GitHub (Jan 27, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6634

Description

Zoom won't launch under firejail with Nvidia drivers, but launches fine without firejail. Zoom output suggests issues with OpenGL initialisation but I could be wrong.

Steps to Reproduce

Steps to reproduce the behavior

  1. Have Nvidia drivers 565.77 installed (not sure if this is required, cannot test without).
  2. Run either firejail --noprofile /opt/zoom/ZoomLauncher or firejail --profile=/etc/firejail/zoom.profile /opt/zoom/ZoomLauncher.

Expected behavior

Zoom launches

Actual behavior

A zoom window briefly appears, then disappears.

Behavior without a profile

Even with "--noprofile" the zoom window only briefly appears and then disappears.

Additional context

The last lines from the logs from zoom when run within firejail are:

Graphics Card Info:: 05:00.0 VGA compatible controller: NVIDIA Corporation TU104 [GeForce RTX 2060] (rev a1)
Zoom package arch is 64bit, runing OS arch is x86_64, snap package 0
QQmlEngine::setContextForObject(): Object already has a QQmlContext
QQmlEngine::setContextForObject(): Object already has a QQmlContext
Failed to create OpenGL context for format QSurfaceFormat(version 2.0, options QFlags<QSurfaceFormat::FormatOption>(), depthBufferSize 24, redBufferSize -1, greenBufferSize -1, blueBufferSize -1, alphaBufferSize 8, stencilBufferSize 8, samples -1, swapBehavior QSurfaceFormat::DoubleBuffer, swapInterval 1, colorSpace QSurfaceFormat::DefaultColorSpace, profile  QSurfaceFormat::NoProfile) 
zoom was exited due to a handled signal: 6 
ZoomLauncher exit.

If I run zoom without firejail, instead I see

Graphics Card Info:: 05:00.0 VGA compatible controller: NVIDIA Corporation TU104 [GeForce RTX 2060] (rev a1)
Zoom package arch is 64bit, runing OS arch is x86_64, snap package 0
QQmlEngine::setContextForObject(): Object already has a QQmlContext
QQmlEngine::setContextForObject(): Object already has a QQmlContext
qt.scenegraph.general: Using sg animation driver
qt.scenegraph.general: Animation Driver: using vsync: 16.67 ms
qt.scenegraph.general: opengl texture atlas dimensions: 512x512
qt.scenegraph.general: R/G/B/A Buffers:   8 8 8 8
qt.scenegraph.general: Depth Buffer:      24
qt.scenegraph.general: Stencil Buffer:    8
qt.scenegraph.general: Samples:           -1
qt.scenegraph.general: GL_VENDOR:         NVIDIA Corporation
qt.scenegraph.general: GL_RENDERER:       NVIDIA GeForce RTX 2060/PCIe/SSE2
qt.scenegraph.general: GL_VERSION:        4.6.0 NVIDIA 565.77
...

The log file does continue past these qt.scenegraph lines; the next one lists GL_EXTENSIONS and is a very long line so I just trimmed it here. This feels like somehow zoom within firejail cannot quite access OpenGL things but I could be wrong. It could be related to #6175 since the errors are almost identical, except that in that issue, the application in question (linphone) starts if the user uses --noprofile but the same is not true for Zoom.

Environment

  • Linux 6.6.67-gentoo-x86_64 x86_64
  • Gentoo (mostly stable OS, but my nvidia-drivers version is marked as ~amd64 which roughly translates as "testing", as are all Zoom versions)
  • Zoom 6.3.6.6315
  • nvidia-drivers 565.77
  • firejail version 0.9.72

Compile time support:
- always force nonewprivs support is disabled
- AppArmor support is disabled
- AppImage support is enabled
- chroot support is enabled
- D-BUS proxy support is enabled
- file transfer support is enabled
- firetunnel support is disabled
- IDS support is disabled
- networking support is enabled
- output logging is enabled
- overlayfs support is disabled
- private-home support is enabled
- private-cache and tmpfs as user enabled
- SELinux support is disabled
- user namespace support is enabled
- X11 sandboxing support is enabled

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

% firejail --noprofile  /opt/zoom/ZoomLauncher                                                                                                                                                  [12:03:06]
Parent pid 74159, child pid 74160
Child process initialized in 6.94 ms

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

Building quoted command line: '/opt/zoom/ZoomLauncher' 
Command name #ZoomLauncher#
DISPLAY=:0.0 parsed as 0
Using the local network stack
Parent pid 76906, child pid 76907
Initializing child process
Host network configured
PID namespace installed
Mounting tmpfs on /run/firejail/mnt directory
Creating empty /run/firejail/mnt/seccomp directory
Creating empty /run/firejail/mnt/seccomp/seccomp.protocol file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec file
Creating empty /run/firejail/mnt/seccomp/seccomp.postexec32 file
Mounting /proc filesystem representing the PID namespace
Basic read-only filesystem:
Mounting read-only /etc
641 553 259:3 /etc /etc ro,noatime master:1 - ext4 /dev/nvme0n1p3 rw
mountid=641 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
642 641 259:3 /etc /etc ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/nvme0n1p3 rw
mountid=642 fsname=/etc dir=/etc fstype=ext4
Mounting read-only /var
643 553 259:3 /var /var ro,noatime master:1 - ext4 /dev/nvme0n1p3 rw
mountid=643 fsname=/var dir=/var fstype=ext4
Mounting noexec /var
644 643 259:3 /var /var ro,nosuid,nodev,noexec,noatime master:1 - ext4 /dev/nvme0n1p3 rw
mountid=644 fsname=/var dir=/var fstype=ext4
Mounting read-only /usr
645 553 259:3 /usr /usr ro,noatime master:1 - ext4 /dev/nvme0n1p3 rw
mountid=645 fsname=/usr dir=/usr fstype=ext4
Mounting tmpfs on /var/lock
Mounting tmpfs on /var/tmp
Mounting tmpfs on /var/log
Mounting tmpfs on /var/lib/dhcp
Mounting tmpfs on /var/lib/nginx
Create the new utmp file
Mount the new utmp file
Cleaning /home directory
Cleaning /run/user directory
Sanitizing /etc/passwd, UID_MIN 1000
Sanitizing /etc/group, GID_MIN 1000
Disable /home/enigma/.config/firejail
Disable /run/firejail/sandbox
Disable /run/firejail/network
Disable /run/firejail/bandwidth
Disable /run/firejail/name
Disable /run/firejail/profile
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Remounting /sys directory
Disable /sys/firmware
Disable /sys/power
Disable /sys/kernel/debug
Disable /sys/kernel/vmcoreinfo
Disable /sys/kernel/uevent_helper
Disable /proc/sys/fs/binfmt_misc
Disable /proc/sys/kernel/core_pattern
Disable /proc/sys/kernel/modprobe
Disable /proc/sysrq-trigger
Disable /proc/sys/kernel/hotplug
Disable /proc/sys/vm/panic_on_oom
Disable /proc/irq
Disable /proc/bus
Disable /proc/timer_list
Disable /proc/kcore
Disable /proc/kallsyms
Disable /usr/src/linux-6.6.67-gentoo (requested /usr/src/linux)
Disable /usr/lib/modules (requested /lib/modules)
Disable /usr/lib/debug
Disable /boot
Disable /dev/port
Disable /run/user/1000/gnupg
Disable /run/user/1000/systemd
Disable /dev/kmsg
Disable /proc/kmsg
Disable /sys/fs
Disable /sys/module
Current directory: /opt/zoom
DISPLAY=:0.0 parsed as 0
Mounting read-only /run/firejail/mnt/seccomp
691 638 0:77 /seccomp /run/firejail/mnt/seccomp ro,nosuid - tmpfs tmpfs rw,mode=755
mountid=691 fsname=/seccomp dir=/run/firejail/mnt/seccomp fstype=tmpfs
Seccomp directory:
ls /run/firejail/mnt/seccomp
drwxr-xr-x root     root             120 .
drwxr-xr-x root     root             160 ..
-rw-r--r-- enigma   wheel            640 seccomp
-rw-r--r-- enigma   wheel            432 seccomp.32
-rw-r--r-- enigma   wheel              0 seccomp.postexec
-rw-r--r-- enigma   wheel              0 seccomp.postexec32
No active seccomp files
Drop privileges: pid 1, uid 1000, gid 10, force_nogroups 0
Closing non-standard file descriptors
Starting application
LD_PRELOAD=(null)
execvp argument 0: /opt/zoom/ZoomLauncher
Child process initialized in 10.72 ms
monitoring pid 2

Sandbox monitor: waitpid 2 retval 2 status 0

Parent is shutting down, bye...
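
The --debug output above shows that firejail still hides and remounts a default set of paths when run with --noprofile. The following is an added example (not part of the original issue and not firejail's own code) that extracts those restrictions from such a log so they can be compared against the paths a failing program needs; the sample lines are copied from the log above, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the --debug log in this issue (shortened sample).
SAMPLE_LOG = """\
Mounting read-only /etc
641 553 259:3 /etc /etc ro,noatime master:1 - ext4 /dev/nvme0n1p3 rw
mountid=641 fsname=/etc dir=/etc fstype=ext4
Mounting noexec /etc
Mounting tmpfs on /var/log
Disable /run/firejail/x11
blacklist /run/firejail/dbus
Mounting read-only /proc/sys
Disable /sys/firmware
Disable /proc/kallsyms
Disable /usr/lib/modules (requested /lib/modules)
Disable /dev/port
Disable /sys/fs
Disable /sys/module
Starting application
"""

# Action label -> regex capturing the affected path(s).
PATTERNS = {
    "hidden": re.compile(r"^(?:Disable|blacklist) (\S+)(?: \(requested (\S+)\))?$"),
    "read-only": re.compile(r"^Mounting read-only (\S+)$"),
    "noexec": re.compile(r"^Mounting noexec (\S+)$"),
    "tmpfs": re.compile(r"^Mounting tmpfs on (\S+)"),
}

def parse_debug_log(text):
    """Return {action: [paths]} for every restriction reported in the log."""
    result = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        for action, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                # When the line carries a "(requested ...)" suffix, keep both paths.
                result[action].extend(p for p in m.groups() if p)
                break
    return dict(result)

def hidden_under(parsed, prefix):
    """Hidden paths equal to or below the given directory, sorted."""
    prefix = prefix.rstrip("/")
    return sorted(p for p in parsed.get("hidden", [])
                  if p == prefix or p.startswith(prefix + "/"))

if __name__ == "__main__":
    parsed = parse_debug_log(SAMPLE_LOG)
    for top in ("/sys", "/proc", "/dev"):
        print(top, hidden_under(parsed, top))
```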


@kmk3 commented on GitHub (Jan 28, 2025):

Might be a duplicate of:

  • #6372

Does it work with firejail-git (https://github.com/netblue30/firejail?tab=readme-ov-file#building)?

@WPettersson commented on GitHub (Jan 28, 2025):

Can confirm that the fix in #6372 works for me, as does the default zoom profile with firejail-git. Thanks :)
