[GH-ISSUE #6645] steam-session & firejail (steamos, other distros) #3322

Closed
opened 2026-05-05 09:54:37 -06:00 by gitea-mirror · 13 comments

Originally created by @slynobody on GitHub (Feb 9, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6645

Description

Problems when using firejail with steam through gamescope-session ("Steam gaming-mode / ControllerUI / BigPicture"):

  • steam-deck's steam-controller is not recognized anymore
  • screen-brightness is not supported anymore (touchscreen & external)
  • (mangohud can throw errors if you don't have mangoapp-cfg in $User whitelisted)

Steps to Reproduce

Steps to reproduce the behavior

  1. install gamescope-session-steam
  2. firecfg
  3. start steam as session (sddm)

Expected behavior

steam-controller recognized and activated
screen-brightness supported

Actual behavior

  1. effect: steam controller is not recognized anymore
  2. effect: screen-brightness is not supported anymore

Behavior without a profile

steam-controller recognized and activated
screen-brightness supported

Additional context

debian / gamescope / gamescope-session

Environment

  • 6.13.2
  • debian sid
  • Version of Firejail (firejail --version): 0.9.72

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

@kmk3 commented on GitHub (Feb 10, 2025):

There have been many changes since 0.9.72.

Does it work with firejail-git (https://github.com/netblue30/firejail?tab=readme-ov-file#building)?


@kmk3 commented on GitHub (Feb 10, 2025):

Is the entire session running under firejail under sddm?

Do these issues occur with firejailed steam under a normal desktop session?

Also, please post the logs of running firejail.


@slynobody commented on GitHub (Feb 10, 2025):

Thank you very much for your fast response!

Could you please point me to an option to see logs? I don't see any in standard output yet, only gamescope-/mangoapp-/steam-related.

As far as I can see, only the steam part of the session is (and should be) running under firejail.
The described issues occur also with a firejailed steam, yes (incl. mangohud + gamescope in the loop) under a normal KDE desktop session (running the gamescope-session script from konsole).

I tried compiling the latest firejail from git (now /usr/local/ (incl. /usr/local/etc) is used while the distro is using /usr/bin and /etc).

With the default steam.profile, when starting the steam session I now get an early error that user namespaces need to be enabled. I enabled them already in /usr/local/etc/firejail/firejail.config by explicitly unmarking 'userns yes'?

If I use --noprofile, I don't see this error message?


@kmk3 commented on GitHub (Feb 10, 2025):

> Thank you very much for your fast response!

No problem.

> Could you please point me to an option to see logs? I don't see any in
> standard output yet, only gamescope-/mangoapp-/steam-related.

I don't know, you'd have to check in the sddm configuration to see where the
logs are written to (if any).

If it's hard to find, you could try to tell sddm to execute a script as the
session and do something like the following in the script:

#!/bin/sh

firejail --profile=steam /path/to/steam-session >/path/to/log.txt 2>&1

Then check log.txt.

> As far as I can see, only the steam part of the session is (and should be)
> running under firejail. The described issues occur also with a firejailed
> steam, yes (incl. mangohud + gamescope in the loop) under a normal
> KDE desktop session (running the gamescope-session script from konsole).

So let's try just using steam under a normal session first, as it's the more
common scenario and easier to debug.

> I tried compiling the latest firejail from git (now /usr/local/ (incl.
> /usr/local/etc) is used while the distro is using /usr/bin and /etc).
>
> With the default steam.profile, when starting the steam session I now get an
> early error that user namespaces need to be enabled. I enabled them already
> in /usr/local/etc/firejail/firejail.config by explicitly unmarking 'userns
> yes'?

Unprivileged user namespaces also need to be enabled system-wide.

Temporarily:

# as root
sysctl -w kernel.unprivileged_userns_clone=1

Persistently:

# as root
echo "kernel.unprivileged_userns_clone=1" >> /etc/sysctl.conf

You can check if it's enabled with:

$ unshare -U echo enabled
enabled

> If I use --noprofile, I don't see this error message?

--noprofile disables most security features; it is mostly equivalent to not
using firejail and is intended to see if an issue is due to the profile or
firejail itself.

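The checks from the comment above, gathered into one session wrapper script as an added example (it is not code from the firejail project or from anyone in this thread). It assumes the session script and the log path are passed as arguments, that the `sysctl -w` / `/etc/sysctl.conf` steps were done as root, and it adds one caveat the comment does not cover: Ubuntu kernels can also refuse unprivileged user namespaces through `kernel.apparmor_restrict_unprivileged_userns`, so the diagnosis function takes that value as a third input. The log is appended to rather than truncated, so several session starts can be compared.

```shell
#!/bin/sh
# Added example (not from the firejail project or from this thread): check the
# user-namespace prerequisite discussed above, then launch a firejailed steam
# session with stdout+stderr captured to a log file.
# Assumptions: the session script and log path are given as arguments; the
# profile name "steam" is the one used in the comment above.

# Same probe as in the comment: try to create a user namespace. Returns 0 when
# allowed; non-zero when refused or when unshare(1) is not installed.
userns_enabled() {
    unshare -U true 2>/dev/null
}

# Pure diagnosis from sysctl values so it can be checked without touching /proc:
#   $1 = kernel.unprivileged_userns_clone ("" on kernels without that knob)
#   $2 = user.max_user_namespaces
#   $3 = kernel.apparmor_restrict_unprivileged_userns ("" when absent)
userns_diagnose() {
    clone=$1; max=${2:-}; aa=${3:-}
    if [ -n "$clone" ] && [ "$clone" != 1 ]; then
        echo disabled-by-sysctl        # kernel.unprivileged_userns_clone=0
    elif [ "$max" = 0 ]; then
        echo disabled-by-limit         # user.max_user_namespaces=0
    elif [ "$aa" = 1 ]; then
        echo restricted-by-apparmor    # Ubuntu: unconfined binaries may not unshare
    else
        echo enabled
    fi
}

# Read one sysctl via /proc; print "" if the file does not exist.
read_sysctl() {
    f=/proc/sys/$(printf '%s' "$1" | tr . /)
    [ -r "$f" ] && cat "$f" || printf ''
}

# Live diagnosis of this machine.
userns_diagnose_live() {
    userns_diagnose "$(read_sysctl kernel.unprivileged_userns_clone)" \
                    "$(read_sysctl user.max_user_namespaces)" \
                    "$(read_sysctl kernel.apparmor_restrict_unprivileged_userns)"
}

# The launch line from the comment above, built as a string so that it can be
# written to the log before it runs.
launch_cmdline() {   # $1 = session script, $2 = log file
    printf "firejail --profile=steam '%s' >'%s' 2>&1" "$1" "$2"
}

# Usage: sh run-steam-session.sh /path/to/steam-session /path/to/log.txt
# (point sddm at this script as the session, or run it from a terminal).
run_session() {
    session=$1; log=$2
    if ! userns_enabled; then
        echo "user namespaces unavailable: $(userns_diagnose_live)" >&2
        echo "steam will stop with 'Steam now requires user namespaces to be enabled'" >&2
        return 1
    fi
    printf '%s: %s\n' "$(date '+%F %T')" "$(launch_cmdline "$session" "$log")" >>"$log"
    firejail --profile=steam "$session" >>"$log" 2>&1
}

case "${1:-}" in
    "") ;;                                          # no arguments: only define the functions
    *)  run_session "$1" "${2:-$HOME/steam-session.log}" ;;
esac
```

If `userns_enabled` fails even though the diagnosis prints `enabled`, the refusal comes from somewhere this script does not look at (a seccomp filter or LSM policy on the launching process, or a firejail build with `userns no` in its firejail.config), which is the next place to check.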

@slynobody commented on GitHub (Feb 11, 2025):

Thank you! But kernel.unprivileged_userns_clone=1 does not change anything.

It seems to be related to:

steam-runtime-check-requirements[267]: W: Child process exited with code 1: bwrap: execvp true: Permission denied

I tried putting noblacklist /usr/bin/bwrap in steam.profile (and steam-runtime.profile)
also putting bwrap to private-bin
seccomp is !chroot,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2
nonewprivs is off

Output is the same:

steam-runtime-check-requirements[267]: W: Child process exited with code 1: bwrap: execvp true: Permission denied

steam.sh[173]: Error: Steam now requires user namespaces to be enabled.

This requirement is the same as for Flatpak, which has more detailed
information available:
https://github.com/flatpak/flatpak/wiki/User-namespace-requirements

EDIT:

You can work around this when commenting out the private-bin part of the .profile.

In my perspective (and with my configuration) it is nearly impossible to get a gamescoped and mangohudded steam gaming-mode session to work with the .profile provided: (steam seems to have changed a whole bunch of things in the last half year when started as a session. Also there are differences in starting steam in desktop mode, which directly triggers the profile; the session scripts are nasty, sometimes I had the impression they started with firejail installed because steam got started without firejail through them somehow)

Some impressions:

  • noroot seems to now hinder a variety of games from even starting (incl. The Last of Us)
  • private-tmp in conjunction with caps.drop all does kill the mangohud overlays
  • nou2f kills steam-controller support
  • nogroups seems to be at the top of options hindering changing screen brightness (does not work even if you just use --noprofile without anything else). I have the main user here in the video group and he has access to /sys/class/backlight which seems to be killed by default. Would be great to know something to enable at least this with firejail installed in a gamescoped steam session.

@kmk3 commented on GitHub (Feb 12, 2025):

Overall, there are multiple complicating factors here:

  • SteamOS, which may change relevant details compared to Arch
  • Trying to firejail the entire user session with steam session (likely a big
    complication due to it potentially needing to perform privileged actions)
  • Steam Deck, which is an unusual form factor with custom controls (it may need
    access to paths that are not commonly used on PC)

Can you test steam under a KDE Plasma session (and specify whether it's X11 or
wayland) on a desktop/laptop to see which problems are with the steam program
itself and which problems are due to SteamOS/steam-session/steam-deck?

Ideally under Arch if possible, as it's the basis for SteamOS.


@kmk3 commented on GitHub (Feb 12, 2025):

> Thank you! But kernel.unprivileged_userns_clone=1 does not change anything.
>
> It seems to be related to:
>
> steam-runtime-check-requirements[267]: W: Child process exited with code 1: bwrap: execvp true: Permission denied
>
> I tried putting noblacklist /usr/bin/bwrap in steam.profile (and
> steam-runtime.profile), also putting bwrap to private-bin. seccomp is
> !chroot,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2
> nonewprivs is off
>
> Output is the same:
>
> steam-runtime-check-requirements[267]: W: Child process exited with code 1: bwrap: execvp true: Permission denied
>
> steam.sh[173]: Error: Steam now requires user namespaces to be enabled.
>
> This requirement is the same as for Flatpak, which has more detailed
> information available:
> https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
>
> EDIT:
>
> You can work around this when commenting out the private-bin part of the
> .profile.

private-bin is not enabled in steam.profile.

Are you sure that you're using an unmodified /etc/firejail/steam.profile from
firejail-git?

That is, other than putting the profile modifications that you mention in
~/.config/firejail/steam.local.

Possibly related:

  • #3647

> • noroot seems to now hinder a variety of games from even starting (incl. The
>   Last of Us)

noroot removes most groups, so maybe the user would need to be in additional
groups.

> • private-tmp in conjunction with caps.drop all does kill the mangohud
>   overlays

Interesting, any idea what is used from /tmp?

You can check which paths it accesses with --trace=.

Example:

firejail --trace=log.txt /usr/bin/steam

> • nou2f kills steam-controller support

This is more or less expected if the controller needs access to /dev/hidrawX.
Feel free to disable.

> • nogroups seems to be at the top of options hindering changing
>   screen brightness (does not work even if you just use --noprofile without
>   anything else). I have the main user here in the video group and he has
>   access to /sys/class/backlight which seems to be killed by default. Would
>   be great to know something to enable at least this with firejail installed
>   in a gamescoped steam session.

This is probably due to /sys paths being blocked by default (with a few
exceptions).

@slynobody commented on GitHub (Feb 12, 2025):

Thank you for your help!
The generic steam.profile (as well as steam.local) in its current state needed to be adapted to the specific config (steam/mangoapp/gs-session, while the underlying base is simply not SteamOS or Arch). I got it working that way again, not perfect but workable (while not as locked down as plain desktop steam), though with an adapted steam.profile / steam.local (a whole bunch of entries needed to be commented out and some new lines added).

Would be great to know how to:

  • unblock /sys through some firejail option(s) though (as well as raising the rest again, esp. the part of
  • use noroot through groups and / or put caps.drop all back

If someone has some insight / examples on this, that would be great.

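kmk3's suggestion to run steam under --trace= and slynobody's request for examples of relaxing the profile meet in this added example (it is not the firejail project's code and not from anyone in this thread). It reads a trace log, groups the paths the program touched into the classes this thread ties to specific profile options, and prints the matching steam.local lines. Assumptions: the libtrace line format is `pid:name:syscall path:rv` (connect lines carry a file descriptor before the path); `/tmp/.X11-unix` survives private-tmp, so accesses there are not counted against it; `ignore <option>` in steam.local is the way to drop an option from the profile; and /sys paths that appear in the trace are hidden by a blacklist rule (if they are not, the `noblacklist` lines do nothing, so verify with `--debug-blacklists`). The sample log is constructed, not real steam output.

```shell
#!/bin/sh
# Added example (not from the firejail project or from this thread): turn a
# `firejail --trace=log.txt` log into the steam.local overrides this thread
# discusses. Assumed trace line format (libtrace): "pid:name:syscall path:rv",
# e.g. "1234:steam:open /dev/hidraw3:7"; connect lines carry the fd before the
# path: "1240:mangoapp:connect 5 /tmp/.X11-unix/X0:0".

# Print the path in one trace line, or nothing if the line has none.
trace_path() {
    printf '%s\n' "$1" |
        sed -e 's/^[0-9][0-9]*:[^:]*://' -e 's/:[^:]*$//' |
        awk '{ p = ($2 ~ /^[0-9]+$/) ? $3 : $2; if (p ~ /^\//) print p }'
}

# Map a path to the profile option that restricts it (class<TAB>path).
classify_path() {
    case "$1" in
        /tmp/.X11-unix/*) printf 'other\t%s\n' "$1" ;;   # kept by private-tmp (assumption)
        /tmp|/tmp/*)      printf 'private-tmp\t%s\n' "$1" ;;
        /dev/hidraw*)     printf 'nou2f\t%s\n' "$1" ;;
        /sys|/sys/*)      printf 'sys\t%s\n' "$1" ;;
        *)                printf 'other\t%s\n' "$1" ;;
    esac
}

# Classify every path in a trace log: unique "class<TAB>path" lines.
classify_log() {   # $1 = trace log
    while IFS= read -r line; do
        p=$(trace_path "$line")
        if [ -n "$p" ]; then classify_path "$p"; fi
    done <"$1" | sort -u
}

# Emit steam.local lines. Comments go on their own line, the safe form for
# firejail profiles.
suggest_overrides() {   # $1 = trace log
    classes=$(classify_log "$1" | cut -f1 | sort -u)
    for c in $classes; do
        case "$c" in
            private-tmp)
                echo "# /tmp was accessed (mangohud/gamescope); keep the host /tmp"
                echo "ignore private-tmp" ;;
            nou2f)
                echo "# /dev/hidraw* was accessed (controller); allow hidraw devices"
                echo "ignore nou2f" ;;
            sys)
                echo "# /sys paths were accessed; assumes they are hidden by a blacklist rule"
                echo "# (verify with: firejail --debug-blacklists --profile=steam ls /sys/class)"
                classify_log "$1" | awk -F'\t' '$1 == "sys" { print "noblacklist " $2 }' ;;
        esac
    done
}

# Constructed sample log (not real steam output) for a dry run.
write_sample_log() {   # $1 = output path
    cat >"$1" <<'EOF'
1234:steam:open /etc/ld.so.cache:3
1234:steam:open /dev/hidraw3:7
1234:steam:access /sys/class/backlight/intel_backlight/brightness:-1
1240:mangoapp:connect 5 /tmp/.X11-unix/X0:0
1240:mangoapp:open /tmp/mangoapp.fifo:-1
EOF
}

# Usage: sh trace-to-local.sh log.txt >> ~/.config/firejail/steam.local
case "${1:-}" in
    "") ;;                      # no arguments: only define the functions
    *)  suggest_overrides "$1" ;;
esac
```

The output is deliberately a starting point, not a finished profile: every `ignore` line widens the sandbox (hidraw devices, the shared /tmp), so drop the ones whose path class turns out to be noise, and the noroot / nogroups / caps.drop questions from the post above are not path-derived and still need a manual `ignore` line each if the trace confirms group-based access is what fails.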

@kmk3 commented on GitHub (Feb 16, 2025):

(Re-closing as "not planned" since nothing was changed in firejail)


@kolAflash commented on GitHub (Feb 17, 2025):

https://github.com/netblue30/firejail/issues/6645#issuecomment-2650165839

> • noroot seems to now hinder a variety of games from even starting (incl. The Last of Us)

noroot also breaks the Add a Non-Steam game button (tested on Debian-12, KDE).


@kmk3 commented on GitHub (Feb 19, 2025):

> #6645 (comment) (https://github.com/netblue30/firejail/issues/6645#issuecomment-2650165839)
>
> > • noroot seems to now hinder a variety of games from even starting (incl. The Last of Us)
>
> noroot also breaks the Add a Non-Steam game button (tested on Debian-12, KDE).

Hello, please open a new bug report:

  • https://github.com/netblue30/firejail/issues/new?assignees=&labels=&projects=&template=bug_report.md&title=

This issue mentions multiple problems and is mostly about the Steam Deck.


@slynobody commented on GitHub (Feb 25, 2025):

> This issue mentions multiple problems and is mostly about the Steam Deck.

Not completely true. The situation and solution I am elaborating on is tested on the Steam Deck (working) but should be workable on other machines as well (gamescope-session to steam incl. mangoapp & hopefully support for generic screen-brightness support).


@slynobody commented on GitHub (Mar 16, 2025):

BTW: after using firejail on stock SteamOS (stable) I have reasonable doubts that the sum of all steam-connected profiles in their current form is really able to 'catch' the SteamOS session scripts as well, or to 'kick in' when Steam is started in gaming mode on SteamOS.

In other words: does firejail even work when it is installed on SteamOS and steam is started through gaming mode (session)?

E.g. besides all the specific tasks the stock SteamOS steam session is doing, are you able to get steam to work with firejail with even the most simple commands a SteamOS session would use (on SteamOS)?

/usr/bin/gamescope \
--mangoapp \
-- firejail \
-- /usr/games/steam -steamos3 -steamdeck -gamepadui