netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.73k stars 561 forks

LD_PRELOAD and Firejail #460

Closed ghost closed 8 years ago

ghost commented 8 years ago

I'm trying to run Steam with a custom command and with Firejail, but I'm unable to do so.

Because Steam can't properly detect/load the Radeon libraries, you either need to delete a few libraries from Steam's runtime, or start it with the following command:

LD_PRELOAD='/usr/$LIB/libstdc++.so.6 /usr/$LIB/libgcc_s.so.1 /usr/$LIB/libxcb.so.1 /usr/$LIB/libasound.so.2 '${LD_PRELOAD} steam

However, I can't do that with Firejail.

I tried editing Steam's profile:

noblacklist /usr/$LIB/libstdc++.so.6
noblacklist /usr/$LIB/libgcc_s.so.1
noblacklist /usr/$LIB/libxcb.so.1
noblacklist /usr/$LIB/libasound.so.2

Also, I tried:

[amarildo@amarildo ~]$ LD_PRELOAD='/usr/$LIB/libstdc++.so.6 /usr/$LIB/libgcc_s.so.1 /usr/$LIB/libxcb.so.1 /usr/$LIB/libasound.so.2 '${LD_PRELOAD} firejail steam

With no luck:

[amarildo@amarildo ~]$ LD_PRELOAD='/usr/$LIB/libstdc++.so.6 /usr/$LIB/libgcc_s.so.1 /usr/$LIB/libxcb.so.1 /usr/$LIB/libasound.so.2 '${LD_PRELOAD} firejail steam
Reading profile /etc/firejail/steam.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Warning: user namespaces not available in the current kernel.
Parent pid 4609, child pid 4610
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized
/home/amarildo/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
/home/amarildo/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
Running Steam on arch 64-bit
/home/amarildo/.local/share/Steam/steam.sh: line 161: VERSION_ID: unbound variable
STEAM_RUNTIME is enabled automatically
Installing breakpad exception handler for appid(steam)/version(0)
libGL error: unable to load driver: radeonsi_dri.so
libGL error: driver pointer missing
libGL error: failed to load driver: radeonsi
libGL error: unable to load driver: radeonsi_dri.so
libGL error: driver pointer missing
libGL error: failed to load driver: radeonsi
libGL error: unable to load driver: swrast_dri.so
libGL error: failed to load driver: swrast

Does anyone have any idea how to do this?

ruany commented 8 years ago

This should work: firejail sh -c "LD_PRELOAD='...' steam"

It would be a security risk if users could run SUID binaries with LD_PRELOAD, since they can inject whatever code they want into the (dynamically linked) binary which runs as root.

Though it would be possible for Firejail to pass on its own environment variable as LD_PRELOAD (e.g. $FIREJAIL_LD_PRELOAD), this is already possible by setting the variables in a subshell.

alexbakker commented 8 years ago

I use the following script that I put in /usr/local/bin/:

#!/bin/bash

firejail --env=LD_PRELOAD='/usr/$LIB/libstdc++.so.6 /usr/$LIB/libgcc_s.so.1 /usr/$LIB/libxcb.so.1 /usr/$LIB/libgpg-error.so.0' /usr/bin/steam

netblue30 commented 8 years ago

@Impyy: does it work with --env=LD_PRELOAD[...]?

alexbakker commented 8 years ago

@netblue30 It does for me.

netblue30 commented 8 years ago

thanks!

ghost commented 8 years ago

@netblue30 Would you consider using LD_PRELOAD an actual security risk?

ruany commented 8 years ago

@amarildojr It's not a security risk, it's just prevented on SUID binaries because it would be a security risk in that case. Very few binaries are setuid root (including firejail), and regular users cannot use LD_PRELOAD on setuid binaries because it would allow them to execute arbitrary code as root. I'd suggest using the --env option, didn't know it existed, looks cleaner than my solution.

netblue30 commented 8 years ago

If you start as a regular user, LD_PRELOAD is disabled automatically by the kernel on SUID binaries, so firejail runs without LD_PRELOAD. It will install LD_PRELOAD inside the sandbox as requested, and monitor it with a seccomp filter. The level of risk is higher, hopefully seccomp does its job to mitigate it - that's the theory. Don't use LD_PRELOAD unless you have a good reason to do it.
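The behaviour discussed in this comment, modelled as an added example that is not part of the original thread or of Firejail's code: when a set-user-ID binary such as firejail is executed, the kernel sets AT_SECURE in the auxiliary vector, and glibc's dynamic loader then ignores LD_PRELOAD entries that contain a slash. The function names are hypothetical, and only that first loader rule is modelled.

```c
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>

/* Nonzero when the kernel flagged this exec as secure (set-user-ID,
   set-group-ID or file capabilities); ld.so then restricts LD_PRELOAD. */
unsigned long secure_exec_mode(void) {
    return getauxval(AT_SECURE);
}

/* Hypothetical helper: count the LD_PRELOAD entries that pass ld.so's first
   filter. Entries are separated by spaces or colons. In secure-execution
   mode an entry containing '/' is ignored; a bare name must still be found
   in a standard directory and carry the set-user-ID bit (not modelled here).
   Surviving entries are copied to out, space-separated. */
int preload_survivors(const char *value, int secure, char *out, size_t outlen) {
    int kept = 0;
    size_t used = 0;
    if (outlen) out[0] = '\0';
    while (*value) {
        value += strspn(value, " :");          /* skip separators */
        size_t len = strcspn(value, " :");     /* length of next entry */
        if (len == 0) break;
        int has_slash = memchr(value, '/', len) != NULL;
        if (!(secure && has_slash)) {
            kept++;
            if (used + len + 2 <= outlen) {    /* room for ' ', entry, NUL */
                if (used) out[used++] = ' ';
                memcpy(out + used, value, len);
                used += len;
                out[used] = '\0';
            }
        }
        value += len;
    }
    return kept;
}

int main(void) {
    /* LD_PRELOAD value from the issue, as seen by the exec of SUID firejail. */
    const char *steam = "/usr/$LIB/libstdc++.so.6 /usr/$LIB/libgcc_s.so.1 "
                        "/usr/$LIB/libxcb.so.1 /usr/$LIB/libasound.so.2 ";
    char buf[256];
    printf("AT_SECURE here: %lu\n", secure_exec_mode());
    printf("normal exec keeps %d\n", preload_survivors(steam, 0, buf, sizeof buf));
    printf("secure exec keeps %d\n", preload_survivors(steam, 1, buf, sizeof buf));
    return 0;
}
```

All four entries from the issue contain a slash, so none survives the exec of the SUID binary; the same value passed with --env is set inside the sandbox, after that exec.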

ghost commented 8 years ago

Thanks, I'm not using LD_PRELOAD anymore, I simply decided to delete some libraries from Steam's runtime, this way it will load these libraries from the OS.

netblue30 commented 8 years ago

Cool!