netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Seccomp is blocking Steam from launching a child container #4686

Closed swimik closed 2 years ago

swimik commented 3 years ago

System is running on Debian testing (currently bookworm). Thanks all for any help here.

I am trying to run some games with steam and proton. I am running into a seccomp problem that is producing no logs in kern.log or syslog for apparmor, firejail, seccomp, or anything really of note. I believe what is happening is SteamRuntimeLinux is trying to launch its own container and this is being blocked by firejail. Perhaps because it is launching in a containerized process, that is why it does not appear in the main system logs.

This is the error that is coming up when a game tries to launch. Nothing extra shows up when I run firejail --debug steam either, although I won't attest I didn't miss something with all the extra debug output noise.

pressure-vessel-wrap[737]: E: Cannot run /home/****/.local/share/Steam/steamapps/common/SteamLinuxRuntime_soldier/pressure-vessel/bin/pv-bwrap: wait status 256 pressure-vessel-wrap[737]: E: Diagnostic output: bwrap: Failed to make / slave: Operation not permitted

Setting ignore seccomp in the profile works to fix this problem, but that kind of seems pointless for the sake of the sandbox. I tried whitelisting the folder, but that also had no effect.

Here is the strace output. I am kind of hoping someone could chime in on what to exclude here, because doing this line by line would take quite a while. Currently my steam.local profile setup is seccomp !kcmp,!ptrace and seccomp32 !kcmp,!ptrace. kcmp had to be excluded for a GPU-related compatibility issue.


SkewedZeppelin commented 3 years ago

https://github.com/netblue30/firejail/issues/4366

swimik commented 3 years ago

Sorry, I saw that post when I was looking for similar issues, but for some reason I thought it was a forum for flatpak, not firejail. I wouldn't have duplicate-posted, especially since it was first reported a few days ago.

I had tried the trick of viewing journalctl --grep=SECCOMP --follow and was able to see a bunch of syscalls, but none seemed to be blocked. It kind of seems like running firejail --seccomp-error-action=log /path/to/program runs similar to ignore seccomp.

These are the syscalls that came up and their translation (64 bit / 32 bit):

303 name_to_handle_at / 303 linkat
166 umount / vm86
165 mount / getresuid
155 pivot_root / sched_getparam

303 was for winedevice.exe; the rest were for SteamLinuxRuntime_soldier. Excluding each of these for seccomp and seccomp.32 did not change the issue, though, and nothing changed in the journalctl output with these commented out.

rusty-snake commented 3 years ago

Excluding each of these for seccomp and seccomp.32 did not change the issue, though, and nothing changed in the journalctl output with these commented out.

How did you exclude/comment them?

64 bit / 32 bit

There's an arch= field in your syslog.

It kind of seems like running firejail --seccomp-error-action=log /path/to/program runs similar to ignore seccomp.

SECCOMP_RET_KILL_THREAD (or SECCOMP_RET_KILL)
This value results in immediate termination of the thread that made the system call. The system call is not executed. Other threads in the same thread group will continue to execute.

SECCOMP_RET_ERRNO
This value results in the SECCOMP_RET_DATA portion of the filter's return value being passed to user space as the errno value without executing the system call.

SECCOMP_RET_LOG (since Linux 4.14)
This value results in the system call being executed after the filter return action is logged.

swimik commented 3 years ago

This is how I commented out the syscalls after I looked them up using firejail:

seccomp !ptrace,!kcmp,!name_to_handle_at,!umount,!mount,!pivot_root
secomp.32 !getresuid32,!vm86,!linkat,!sched_getparam

These are the unique syscalls logged from journalctl:

Nov 14 11:54:13 audit[192973]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj==unconfined pid=192973 comm="pv-bwrap" exe="/home//.local/share/Steam/steamapps/common/SteamLinuxRuntime_soldier/pressure-vessel/bin/pv-bwrap" sig=0 arch=c000003e syscall=165 compat=0 ip=0x7f3f94a906ba code=0x7ffc0000

Nov 14 11:54:13 audit[192973]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj==unconfined pid=192973 comm="pv-bwrap" exe="/home//.local/share/Steam/steamapps/common/SteamLinuxRuntime_soldier/pressure-vessel/bin/pv-bwrap" sig=0 arch=c000003e syscall=155 compat=0 ip=0x7f3f94a8a5e9 code=0x7ffc0000

Nov 14 11:54:13 audit[192973]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj==unconfined pid=192973 comm="pv-bwrap" exe="/home//.local/share/Steam/steamapps/common/SteamLinuxRuntime_soldier/pressure-vessel/bin/pv-bwrap" sig=0 arch=c000003e syscall=166 compat=0 ip=0x7f3f94a8fa97 code=0x7ffc0000

Nov 14 11:54:14 **** audit[193021]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj==unconfined pid=193021 comm="winedevice.exe" exe=2F686F6D652F636F75726965722F2E6C6F63616C2F73686172652F537465616D2F737465616D617070732F636F6D6D6F6E2F50726F746F6E202D204578706572696D656E74616C2F66696C65732F62696E2F77696E6536342D7072656C6F61646572 sig=0 arch=c000003e syscall=303 compat=0 ip=0x7f2aad6bb8ca code=0x7ffc0000

For syslog there is nothing being logged when this error occurs that is related to steam or firejail.
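The audit records above carry everything needed to translate them correctly: arch= says which ABI's syscall table applies (the point rusty-snake raises), code= is the filter action that was taken, and exe= is hex-encoded whenever the path contains a space or quote. The following decoder is an added example, not firejail's or the kernel's code; its syscall tables are a constructed subset covering only the numbers seen in this thread, the sample lines are constructed (paths and pids invented), and firejail_exclusions is a hypothetical helper that groups the decoded names into seccomp / seccomp.32 lines.

```python
import re

# Kernel audit arch values for the two ABIs a firejail seccomp / seccomp.32 pair covers.
AUDIT_ARCH = {0xC000003E: "x86_64", 0x40000003: "i386"}
# Constructed per-ABI subset of the syscall tables: only the numbers from this thread.
SYSCALLS = {
    "x86_64": {155: "pivot_root", 165: "mount", 166: "umount2", 303: "name_to_handle_at"},
    "i386": {155: "sched_getparam", 165: "getresuid", 166: "vm86", 303: "linkat"},
}
# The upper 16 bits of code= hold the filter action (SECCOMP_RET_ACTION_FULL mask).
ACTIONS = {0x80000000: "kill_process", 0x00000000: "kill_thread", 0x00030000: "trap",
           0x00050000: "errno", 0x7FF00000: "trace", 0x7FFC0000: "log", 0x7FFF0000: "allow"}

def parse_audit_line(line):
    """Decode one SECCOMP audit record into comm, arch, syscall name, exe and action."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    arch = AUDIT_ARCH.get(int(fields["arch"], 16), "unknown")
    nr = int(fields["syscall"])
    exe = fields.get("exe", "")
    # audit hex-encodes a value containing spaces or quotes instead of quoting it
    exe = exe.strip('"') if exe.startswith('"') else bytes.fromhex(exe).decode("utf-8", "replace")
    return {"comm": fields.get("comm", "").strip('"'), "arch": arch, "nr": nr,
            "name": SYSCALLS.get(arch, {}).get(nr, f"nr_{nr}"), "exe": exe,
            "action": ACTIONS.get(int(fields["code"], 16) & 0xFFFF0000, "unknown")}

def unique_syscalls(lines):
    """Deduplicate records to (arch, syscall name, action), sorted for review."""
    return sorted({(r["arch"], r["name"], r["action"]) for r in map(parse_audit_line, lines)})

def firejail_exclusions(lines):
    """Hypothetical helper: group decoded names per ABI into the profile lines firejail
    expects (seccomp for 64-bit, seccomp.32 for 32-bit), using kernel syscall names."""
    by_arch = {}
    for r in map(parse_audit_line, lines):
        by_arch.setdefault(r["arch"], set()).add(r["name"])
    keyword = {"x86_64": "seccomp", "i386": "seccomp.32"}
    return {keyword[a]: keyword[a] + " " + ",".join("!" + n for n in sorted(names))
            for a, names in by_arch.items() if a in keyword}

# Constructed sample records modelled on the journalctl lines above (paths and pids invented);
# the last one shows a 32-bit record with an errno action rather than a log action.
_WINE = "/home/user/Proton - Experimental/files/bin/wine64-preloader"
SAMPLE = [
    'Nov 14 11:54:13 audit[192973]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj==unconfined pid=192973 comm="pv-bwrap" exe="/home/user/pressure-vessel/bin/pv-bwrap" sig=0 arch=c000003e syscall=165 compat=0 ip=0x7f3f94a906ba code=0x7ffc0000',
    'Nov 14 11:54:13 audit[192973]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj==unconfined pid=192973 comm="pv-bwrap" exe="/home/user/pressure-vessel/bin/pv-bwrap" sig=0 arch=c000003e syscall=166 compat=0 ip=0x7f3f94a8fa97 code=0x7ffc0000',
    f'Nov 14 11:54:14 audit[193021]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj==unconfined pid=193021 comm="winedevice.exe" exe={_WINE.encode().hex().upper()} sig=0 arch=c000003e syscall=303 compat=0 ip=0x7f2aad6bb8ca code=0x7ffc0000',
    'Nov 14 11:54:15 audit[193030]: SECCOMP auid=1000 uid=1000 gid=1000 ses=3 subj==unconfined pid=193030 comm="wine-preloader" exe="/home/user/wine/bin/wine-preloader" sig=0 arch=40000003 syscall=303 compat=1 ip=0xf7f1e5c9 code=0x50001',
]
```

Running unique_syscalls(SAMPLE) shows that the three arch=c000003e records decode with the x86_64 table (165 mount, 166 umount2, 303 name_to_handle_at) and carry the log action, i.e. the call was executed after logging, while the arch=40000003 record is 32-bit linkat with the errno action.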

swimik commented 2 years ago

So versions of proton below 5.13 will at least load the game launcher (with just the standard seccomp !pstate, !kcmp exclusions); it won't run the actual game, but I did not look into why yet.

I remember reading that steam started launching programs in their own containers in recent versions of proton. Perhaps I can review Proton's code later in the week and see what it is trying to do.

If what I think is happening is true, that firejail is launching a chroot jail with least privilege (1000, I think?) and steam is also trying to launch a jail with least privilege, then if I understand the process correctly steam won't be able to do this because it is already least privilege? If that is the case, can I set the privilege level in the steam firejail to 999 or something to give steam one less privilege tier to create a process?

remyabel2 commented 2 years ago

Disregard, I commented on the wrong issue.