Closed energrizer-9032 closed 3 years ago
Which firejail version do you use? What distro are you on? Are there any errors in the terminal or in the syslog if you run `firejail /usr/bin/obs`? Does `firejail --noprofile /usr/bin/obs` work? Have you made any custom overrides in `~/.config/firejail`?
Firejail 0.9.64-2. I am on Manjaro. As far as I know there are no errors. Yes, `firejail --noprofile /usr/bin/obs` does work. No custom overrides in the config file.
That's good and bad. Bad: no error message means we have no hint what could go wrong. Good: because --noprofile works, this can be solved by adopting obs.profile.
Can you copy obs.profile to your home and then use `firejail --profile=./obs.profile /usr/bin/obs` to start. Then you comment ~/obs.profile out and start uncommenting it line for line.
Add `seccomp !kcmp` to your local profile.
In that case, the cause is likely the same as #3219.
What's the gpu vendor/driver?
glxinfo | grep '^OpenGL vendor'
glxinfo | grep '^OpenGL version'
In my case: Archlinux & AMD OpenGL version string: 4.6 (Compatibility Profile) Mesa 20.3.2.
Then it's probably #3219 indeed.
@energrizer-9032 Does https://github.com/netblue30/firejail/issues/3865#issuecomment-754582919 solve it for you?
If not, does https://github.com/netblue30/firejail/blob/6d952144bd5049a95ea1799648ed4a3ee5ad1e76/etc/templates/syscalls.txt#L89 give any results?
Since firejail 0.9.64 you need to use `firejail --seccomp-error-action=kill …` to get audit events.
It has always appeared on /var/log/kernel.log on Artix for me, using the default firejail.config (which seems to use EPERM).
I just tested it again on 0.9.64 to confirm, by forcing the keepassxc violation from #3760.
The way I understand it is that whenever there's a seccomp violation, the kernel itself writes directly to the kernel log, regardless of the options.
Fedora 32; Firejail 0.9.65 (d5824f1); Linux 5.9.16-100.fc32.x86_64
```c
#include <unistd.h>
#include <string.h>

/* w.c: one write(2) call, used to check whether a dropped syscall is audited */
int main(void) {
	char hello[] = "Hello";
	/* pass the array itself, not its address */
	write(1, hello, strlen(hello));
	return 0;
}
```
gcc -o w w.c
journalctl --boot --pager-end --follow
$ firejail --noprofile --shell=none ./w
Parent pid 139271, child pid 139272
Child process initialized in 32.74 ms
Hello
Parent is shutting down, bye...
$ firejail --noprofile --shell=none --seccomp.drop=write ./w
Seccomp list in: write, check list: @default-keep, prelist: write,
Parent pid 139282, child pid 139283
Seccomp list in: write, check list: @default-keep, prelist: write,
Child process initialized in 39.68 ms
Parent is shutting down, bye...
* no audit in syslog
$ firejail --noprofile --shell=none --seccomp.drop=write --seccomp-error-action=kill ./w
Seccomp list in: write, check list: @default-keep, prelist: write,
Parent pid 139332, child pid 139333
Seccomp list in: write, check list: @default-keep, prelist: write,
Child process initialized in 42.45 ms
Parent is shutting down, bye...
zsh: exit 255 firejail --noprofile --shell=none --seccomp.drop=write ./w
* new audit in syslog
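To show why the action matters for the audit log, here is an added example (not code from this issue or from firejail) that installs a minimal seccomp-bpf filter denying `write(2)` with an action chosen on the command line, mirroring the `kill` / `log` / `EPERM` names of `--seccomp-error-action`. The function names (`action_from_name`, `build_deny_filter`, `install_deny_filter`) and the `--log-flag` option are hypothetical; it assumes Linux on x86_64 or aarch64 with a kernel that knows `SECCOMP_RET_LOG` (4.14 or newer).

```c
/* Added example, not code from the firejail issue: a minimal seccomp-bpf
 * filter that denies one syscall with a chosen action, to show which
 * actions the kernel audits. Assumes Linux x86_64 or aarch64. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallbacks for older UAPI headers; values are the kernel's own. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#ifndef SECCOMP_RET_LOG
#define SECCOMP_RET_LOG 0x7ffc0000U
#endif
#ifndef SECCOMP_FILTER_FLAG_LOG
#define SECCOMP_FILTER_FLAG_LOG (1UL << 1)
#endif
#ifndef SECCOMP_SET_MODE_FILTER
#define SECCOMP_SET_MODE_FILTER 1
#endif

#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Map the --seccomp-error-action names onto seccomp return values.
 * Returns 0 for an unknown name (hypothetical helper). */
uint32_t action_from_name(const char *name)
{
	if (strcmp(name, "kill") == 0)
		return SECCOMP_RET_KILL_PROCESS;
	if (strcmp(name, "log") == 0)
		return SECCOMP_RET_LOG;
	if (strcmp(name, "EPERM") == 0)
		return SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA);
	return 0;
}

/* Build a 7-instruction classic BPF program: reject a foreign arch, load
 * the syscall number, return `action` if it equals `nr`, else allow.
 * Writes into `out` (needs room for 7 entries) and returns the length. */
size_t build_deny_filter(struct sock_filter *out, int nr, uint32_t action)
{
	const struct sock_filter prog[] = {
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), /* wrong arch */
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)nr, 0, 1),
		BPF_STMT(BPF_RET | BPF_K, action),            /* the denied syscall */
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* everything else */
	};
	memcpy(out, prog, sizeof prog);
	return sizeof prog / sizeof prog[0];
}

/* Load the filter. kill and log actions are audited by default; the errno
 * action is audited only when the filter was loaded with
 * SECCOMP_FILTER_FLAG_LOG and "errno" is listed in
 * /proc/sys/kernel/seccomp/actions_logged. Returns 0 or -1 (errno set). */
int install_deny_filter(int nr, uint32_t action, int request_log)
{
	struct sock_filter insns[8];
	struct sock_fprog fprog = {
		.len = (unsigned short)build_deny_filter(insns, nr, action),
		.filter = insns,
	};
	unsigned long flags = request_log ? SECCOMP_FILTER_FLAG_LOG : 0;

	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
		return -1;
	return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, flags, &fprog);
}

int main(int argc, char **argv)
{
	const char *name = argc > 1 ? argv[1] : "EPERM";
	uint32_t action = action_from_name(name);
	if (action == 0) {
		fprintf(stderr, "usage: %s kill|log|EPERM [--log-flag]\n", argv[0]);
		return 2;
	}
	int want_flag = argc > 2 && strcmp(argv[2], "--log-flag") == 0;
	/* From here on write(2) is denied, like --seccomp.drop=write above. */
	if (install_deny_filter(SYS_write, action, want_flag) != 0) {
		perror("seccomp");
		return 1;
	}
	const char hello[] = "Hello\n";
	ssize_t n = write(1, hello, sizeof hello - 1);
	/* Only reached with log or EPERM; kill terminates the process first. */
	return n < 0 ? 3 : 0;
}
```

Build with `gcc -o deny deny.c`, keep `journalctl --boot --pager-end --follow` open as in the test above, and compare `./deny kill`, `./deny log`, `./deny EPERM` and `./deny EPERM --log-flag`: the first two and the last produce a seccomp audit line, plain `EPERM` does not, which matches the observation that the errno action alone leaves no trace in the journal.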
What is not working is the virtual camera feature added some releases ago: https://github.com/obsproject/obs-studio/issues/3845
Even `firejail --noprofile obs` does not work on Archlinux. That feature only works after deleting the obs symlink created by firecfg.
@rusty-snake Alright, same results here.
Well, the only times I remember having seccomp issues were with keepassxc and steam.
And strangely enough, these do not log:
$ firejail --seccomp.drop=@basic-io keepassxc; echo $?
Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/keepassxc.local
Reading profile /etc/firejail/disable-dbus.inc.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Seccomp list in: @basic-io, check list: @default-keep, prelist: close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev,
Parent pid 2177, child pid 2178
3 programs installed in 54.39 ms
Warning: skipping alternatives for private /etc
Private /etc installed in 9.12 ms
Warning: skipping alternatives for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Private /usr/etc installed in 0.15 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Seccomp list in: @basic-io, check list: @default-keep, prelist: close,dup,dup2,dup3,lseek,pread64,preadv,preadv2,pwrite64,pwritev,pwritev2,read,readv,write,writev,
Child process initialized in 222.41 ms
Parent is shutting down, bye...
127
(this works; not sure what to do to force it to fail)
$ firejail --seccomp.drop=@basic-io steam; echo $?
[...]
Parent is shutting down, bye...
0
But these always do:
$ firejail --ignore='seccomp !name_to_handle_at' keepassxc; echo $?
Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/keepassxc.local
Reading profile /etc/firejail/disable-dbus.inc.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-common.local
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 13423, child pid 13424
3 programs installed in 54.51 ms
Warning: skipping alternatives for private /etc
Private /etc installed in 9.15 ms
Warning: skipping alternatives for private /usr/etc
Warning: skipping fonts for private /usr/etc
Warning: skipping ld.so.cache for private /usr/etc
Warning: skipping machine-id for private /usr/etc
Private /usr/etc installed in 0.22 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Child process initialized in 230.26 ms
# (hangs)
^C
Parent received signal 2, shutting down the child process...
Child received signal 2, shutting down the sandbox...
Parent is shutting down, bye...
2
$ firejail --ignore='seccomp.drop' steam; echo $?
[...]
# (hangs)
^C
Parent received signal 2, shutting down the child process...
Child received signal 2, shutting down the sandbox...
Parent is shutting down, bye...
2
The seccomp.drop line is this (from https://github.com/netblue30/firejail/issues/3267#issuecomment-596184708):
seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
Maybe it only happens with GUI programs or with specific syscalls?
Best (for debugging): firejail --noprofile --shell=none --seccomp.drop=write --seccomp-error-action=log ./w
I'm closing here due to inactivity, please feel free to request to reopen if you still have this issue.
I replaced my desktop shortcut of obs studio by running the command `firecfg`. obs studio is not even showing up (it shows in htop). Please help me