github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #6731] Add a profile for LM-Studio #3351

New issue

Closed

opened 2026-05-05 09:56:07 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented

2026-05-05 09:56:07 -06:00

Owner

Originally created by @saltiniroberto on GitHub (May 2, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6731

Description

Executing the LMStudio AppImage raises an error about the chrome-sandbox helper not being configured correctly

Steps to Reproduce

Download https://installers.lmstudio.ai/linux/x64/0.3.15-11/LM-Studio-0.3.15-11-x64.AppImage
Run in bash LC_ALL=C firejail --appimage LM-Studio-0.3.15-11-x64.AppImage

Expected behavior

No error is given, and the LMStudio application starts.

Actual behavior

The following error is output

[4:0502/113606.996661:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /run/firejail/appimage/chrome-sandbox is owned by root and has mode 4755.

Additional context

The following command works.

LC_ALL=C firejail --appimage LM-Studio-0.3.15-11-x64.AppImage --no-sandbox

Environment

Name/version/arch of the Linux kernel (uname -srm): Linux 5.15.0-92-generic x86_64
Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): 22.04
Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1,
mesa 1:24.3.3-2"): LM-Studio-0.3.15-11-x64.AppImage
Version of Firejail (firejail --version): 0.9.75
If you use a development version of firejail, also the commit from which it
was compiled (git rev-parse HEAD): e2f372fd70

Checklist

The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
I can reproduce the issue without custom modifications (e.g. globals.local).
The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
The profile (and redirect profile if exists) hasn't already been fixed upstream.
I have performed a short search for similar issues (to avoid opening a duplicate).
- I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

output goes here

Output of LC_ALL=C firejail --debug /path/to/program

output goes here

Originally created by @saltiniroberto on GitHub (May 2, 2025). Original GitHub issue: https://github.com/netblue30/firejail/issues/6731  ### Description Executing the LMStudio AppImage raises an error about the chrome-sandbox helper not being configured correctly ### Steps to Reproduce 1. Download https://installers.lmstudio.ai/linux/x64/0.3.15-11/LM-Studio-0.3.15-11-x64.AppImage 2. Run in bash `LC_ALL=C firejail --appimage LM-Studio-0.3.15-11-x64.AppImage` ### Expected behavior No error is given, and the LMStudio application starts. ### Actual behavior The following error is output ``` [4:0502/113606.996661:FATAL:setuid_sandbox_host.cc(163)] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /run/firejail/appimage/chrome-sandbox is owned by root and has mode 4755. ``` ### Additional context The following command works. `LC_ALL=C firejail --appimage LM-Studio-0.3.15-11-x64.AppImage --no-sandbox` ### Environment - Name/version/arch of the Linux kernel (`uname -srm`): Linux 5.15.0-92-generic x86_64 - Name/version of the Linux distribution (e.g. "Ubuntu 20.04" or "Arch Linux"): 22.04 - Name/version of the relevant program(s)/package(s) (e.g. "firefox 134.0-1, mesa 1:24.3.3-2"): LM-Studio-0.3.15-11-x64.AppImage - Version of Firejail (`firejail --version`): 0.9.75 - If you use a development version of firejail, also the commit from which it was compiled (`git rev-parse HEAD`): e2f372fd7009b975834e512e4bc62638f36f7dbf ### Checklist  - [x] The issues is caused by firejail (i.e. running the program by path (e.g. `/usr/bin/vlc`) "fixes" it). - [x] I can reproduce the issue without custom modifications (e.g. globals.local). - [ ] The program has a profile. (If not, request one in `https://github.com/netblue30/firejail/issues/1139`) - [ ] The profile (and redirect profile if exists) hasn't already been fixed [upstream](https://github.com/netblue30/firejail/tree/master/etc). - [x] I have performed a short search for similar issues (to avoid opening a duplicate). - [ ] I'm aware of `browser-allow-drm yes`/`browser-disable-u2f no` in `firejail.config` to allow DRM/U2F in browsers. - [ ] I used `--profile=PROFILENAME` to set the right profile. (Only relevant for AppImages) ### Log <details> <summary>Output of <code>LC_ALL=C firejail /path/to/program</code></summary> <p> ``` output goes here ``` </p> </details> <details> <summary>Output of <code>LC_ALL=C firejail --debug /path/to/program</code></summary> <p>  ``` output goes here ``` </p> </details>

gitea-mirror

2026-05-05 09:56:07 -06:00

closed this issue
added the
profile-request
label

gitea-mirror commented

2026-05-05 09:56:09 -06:00

Author

Owner

@Lonniebiz commented on GitHub (May 5, 2025):

I get that same error when I run LM Studio without firejail.

LM Studio provides a --no-sandbox flag that I'm using successfully with and without firejail.

Without firejail (after you've made the file executable):
./LM-Studio-0.3.15-11-x64.AppImage --no-sandbox

With firejail:
firejail --appimage LM-Studio-0.3.15-11-x64.AppImage --no-sandbox

With firejail (no internet access):
firejail --net=none --appimage LM-Studio-0.3.15-11-x64.AppImage --no-sandbox

I could be wrong, but I don't think LM-Studio's --no-sandbox flag can bust out of firejail's sandbox. I think that flag just means LM-Studio isn't attempting to sandboxing itself (but I'm not sure).

Either way, I'd love to see a formal firejail profile for both LM-Studio and for Jan.ai too. Jan.ai provides a huge selection of models to choose from and setup without even leaving the application. I like LM-Studio's dark theme better than Jan.ai's light theme, but LM-Studio only seems to aid you in setting up your first model (that LM-Studio chooses, which is Llama 3.2 1B).

@Lonniebiz commented on GitHub (May 5, 2025): I get that same error when I run LM Studio **without** firejail. LM Studio provides a `--no-sandbox` flag that I'm using successfully with and without firejail. **Without firejail (after you've made the file executable):** `./LM-Studio-0.3.15-11-x64.AppImage --no-sandbox` **With firejail:** `firejail --appimage LM-Studio-0.3.15-11-x64.AppImage --no-sandbox` **With firejail (no internet access):** `firejail --net=none --appimage LM-Studio-0.3.15-11-x64.AppImage --no-sandbox` I could be wrong, but I don't think LM-Studio's `--no-sandbox` flag can bust out of firejail's sandbox. I think that flag just means LM-Studio isn't attempting to sandboxing itself (but I'm not sure). Either way, I'd love to see a formal firejail profile for both LM-Studio and for [Jan.ai](https://jan.ai/) too. Jan.ai provides a huge selection of models to choose from and setup without even leaving the application. I like LM-Studio's dark theme better than Jan.ai's light theme, but LM-Studio only seems to aid you in setting up your first model (that LM-Studio chooses, which is Llama 3.2 1B).

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#3351

No description provided.

Rows
Columns