netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

[Teamspeak 3] crashes on opening options window if seccomp is enabled #2901

Closed corecontingency closed 5 years ago

corecontingency commented 5 years ago

I am using Arch Linux with KDE. The problem persists on both Xwayland and Xorg.

It is interesting that the symptoms are very similar to those reported here: https://github.com/netblue30/firejail/issues/1695

Teamspeak will open fine, and everything will work, but the second you open the options menu, it crashes. This occurs whether I am connected to a voice channel on a server or not.

I manually started disabling options in the default profile, and found that if I put ignore seccomp into teamspeak3.local, then everything works fine.

glitsj16 commented 5 years ago

@corecontingency Thanks for reporting this. If indeed it is seccomp that is the cause of your issue we'll have to edit teamspeak3.profile accordingly. As seccomp is one of the more prominent security features firejail uses, it would be interesting if you could run a few additional tests. Instead of dropping its security features entirely via ignore seccomp, can you find a working profile using seccomp.drop? There are some pointers on how to create the latter here.

SkewedZeppelin commented 5 years ago

wild guess: ts3 is trying to ptrace all processes

corecontingency commented 5 years ago

Went through it all, and it looks like the problem is chroot.

If you exclude chroot, it will run perfectly with @default-nodebuggers, which blocks the maximum amount of things. For reference, this is what I tested (@default-nodebuggers without chroot), after manually deleting seccomp from /etc/firejail/teamspeak3.profile:

firejail --seccomp.drop=@cpu-emulation,@debug,@obsolete,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice,@clock,@module,@raw-io,@reboot,@swap,acct,bpf,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup,personality,process_vm_readv,ptrace teamspeak3

wild guess: ts3 is trying to ptrace all processes

Close, but no cigar. :)
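The search above was done by hand, removing one entry at a time from the @default-nodebuggers expansion until the options window stopped crashing. The script below is an added example (not part of the thread or of firejail) that automates that loop: for each syscall in a seccomp.drop list it builds the same list without that syscall, hands it to a probe command you supply, and prints the syscalls whose removal makes the probe succeed. The probe shown (`manual_probe`, launching teamspeak3 under firejail and asking the tester) is an assumption; the drop list constant is the one quoted earlier in this thread.

```shell
#!/bin/sh
# Added example, not firejail's own tooling: one-at-a-time search for the
# syscall in a seccomp.drop list that an application actually needs.

# Expansion of @default-nodebuggers (minus chroot) as quoted above in this thread.
DEFAULT_NODEBUGGERS='@cpu-emulation,@debug,@obsolete,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice,@clock,@module,@raw-io,@reboot,@swap,acct,bpf,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup,personality,process_vm_readv,ptrace'

# remove_syscall LIST NAME
#   Prints LIST (comma separated) with every entry exactly equal to NAME removed.
remove_syscall() {
  printf '%s' "$1" | tr ',' '\n' | grep -vx -- "$2" | paste -s -d ',' -
}

# find_needed_syscalls LIST PROBE
#   For each syscall in LIST, runs "PROBE <LIST without that syscall>" and
#   prints the syscall when PROBE exits 0, i.e. when dropping everything
#   except that one syscall keeps the application working.
find_needed_syscalls() {
  list=$1
  probe=$2
  for sc in $(printf '%s' "$list" | tr ',' ' '); do
    candidate=$(remove_syscall "$list" "$sc")
    if "$probe" "$candidate" >/dev/null 2>&1; then
      printf '%s\n' "$sc"
    fi
  done
}

# manual_probe DROPLIST (assumed probe; adapt to the application under test)
#   Launches the app in firejail with the candidate filter, then asks the
#   tester whether the failing action (here: opening the options window) worked.
manual_probe() {
  printf 'Launching with --seccomp.drop=%s\n' "$1" >&2
  firejail --quiet --seccomp.drop="$1" teamspeak3 >/dev/null 2>&1
  printf 'Did the options window open without a crash? [y/N] ' >&2
  read -r answer
  [ "$answer" = y ]
}

# Usage: sh bisect-seccomp.sh run   (runs the interactive search)
if [ "${1:-}" = run ]; then
  find_needed_syscalls "$DEFAULT_NODEBUGGERS" manual_probe
fi
```

The loop probes the full list once per entry, so for an interactive application it pays to narrow the list first (for example test the @-groups alone, then expand only the group that fails). Once a syscall is identified, the fix stays in the profile as a `seccomp.drop` line rather than `ignore seccomp`, which keeps the rest of the filter in place.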

glitsj16 commented 5 years ago

@corecontingency Great, thanks for presenting your findings. I'm inclined to include/edit the profile according to your findings, but let's give other contributors some time to respond. Much appreciated!

Vincent43 commented 5 years ago

So it seems same issue as in firefox and electron apps. Maybe we should consider dropping chroot from default seccomp list as its usage is growing among various apps.

Vincent43 commented 5 years ago

We have another app broken in same way. We really should remove chroot.

glitsj16 commented 5 years ago

@corecontingency As you can read in the comments above, the issue you so kindly reported and helped to debug will be fixed shortly. Awaiting a decision on how to do it exactly. Please bear with us on this one.

rusty-snake commented 5 years ago

Does ts3 use electron? If so, it should be removed. (see #2912, #2854 and #2821)

glitsj16 commented 5 years ago

@Vincent43 I went ahead and dropped chroot in the profile only. Maybe you should open a new issue to drop chroot from seccomp altogether...

rusty-snake commented 5 years ago

to drop chroot from seccomp altogether.

@glitsj16 NO, @Vincent43 has talked about the idea to add a +/-SYSCALL syntax to seccomp, which is IMHO one of the best solutions.

BTW: seccomp also needs some other rework; I will open an issue in the next days.