keepassxc: cannot open without no3d (mesa regression)

marek22k commented 10 months ago

Description

KeePassXC no longer starts.

Steps to Reproduce

Be on a amd computer
Run in bash LC_ALL=C firejail PROGRAM

Expected behavior

KeePassXC starts.

Actual behavior

$LC_ALL=C firejail --profile=keepassxc /usr/bin/keepassxc
Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Parent pid 8116, child pid 8120
3 programs installed in 11.99 ms
Warning: skipping alternatives for private /etc
Private /etc installed in 5.92 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /home/marek/.ssh/config
Warning: not remounting /run/user/1000/doc
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 98.67 ms
Qt: Session management error: Could not open network socket
amdgpu_device_initialize: amdgpu_get_auth (1) failed (-1)
amdgpu: amdgpu_device_initialize failed.
glx: failed to create dri3 screen
failed to load driver: radeonsi
failed to open /dev/dri/card0: No such file or directory
failed to load driver: radeonsi

Parent is shutting down, bye...

Behavior without a profile

_What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?_

$LC_ALL=C firejail --noprofile /usr/bin/keepassxc
Parent pid 8150, child pid 8151
Child process initialized in 4.98 ms

Parent is shutting down, bye...

KeePassXC starts.

Additional context

$lspci -k | grep -A 3 -E "(VGA|3D)"
pcilib: Error reading /sys/bus/pci/devices/0000:00:08.3/label: Operation not permitted
64:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Phoenix1 (rev dd)
    Subsystem: Lenovo Phoenix1
    Kernel driver in use: amdgpu
    Kernel modules: amdgpu

Environment

Linux distribution and version: Arch Linux
Firejail version (firejail --version).

$firejail --version
firejail version 0.9.72

Compile time support:
    - always force nonewprivs support is disabled
    - AppArmor support is enabled
    - AppImage support is enabled
    - chroot support is enabled
    - D-BUS proxy support is enabled
    - file transfer support is enabled
    - firetunnel support is disabled
    - IDS support is disabled
    - networking support is enabled
    - output logging is enabled
    - overlayfs support is disabled
    - private-home support is enabled
    - private-cache and tmpfs as user enabled
    - SELinux support is disabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

Checklist

[X] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
[X] I can reproduce the issue without custom modifications (e.g. globals.local).
[X] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
[X] The profile (and redirect profile if exists) hasn't already been fixed upstream.
[X] I have performed a short search for similar issues (to avoid opening a duplicate).

Log

Output of LC_ALL=C firejail /path/to/program

``` $LC_ALL=C firejail /usr/bin/keepassxc Reading profile /etc/firejail/keepassxc.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/disable-shell.inc Reading profile /etc/firejail/disable-xdg.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-usr-share-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown, Parent pid 9516, child pid 9520 3 programs installed in 11.01 ms Warning: skipping alternatives for private /etc Private /etc installed in 4.93 ms Private /usr/etc installed in 0.00 ms Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Warning: not remounting /home/marek/.ssh/config Warning: not remounting /run/user/1000/doc Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown, Warning: cleaning all supplementary groups Child process initialized in 102.41 ms Qt: Session management error: Could not open network socket amdgpu_device_initialize: amdgpu_get_auth (1) failed (-1) amdgpu: amdgpu_device_initialize failed. glx: failed to create dri3 screen failed to load driver: radeonsi failed to open /dev/dri/card0: No such file or directory failed to load driver: radeonsi Parent is shutting down, bye... ```

Output of LC_ALL=C firejail --debug /path/to/program

https://gist.github.com/marek22k/3e81a432d66fc3a519f2ad66141f60fe

Absolutely-Free commented 10 months ago

I am having the exact same problem with an intel Arc A380.

$ LC_ALL=C firejail --profile=keepassxc /usr/bin/keepassxc
Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Parent pid 7019, child pid 7023
3 programs installed in 20.43 ms
Warning: skipping alternatives for private /etc
Warning: skipping ld.so.preload for private /etc
Private /etc installed in 7.63 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /home/s/.ssh/config
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/gvfs
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 172.75 ms
MESA: error: Failed to query drm device.
glx: failed to create dri3 screen
failed to load driver: iris
failed to open /dev/dri/card1: No such file or directory
failed to load driver: iris

Parent is shutting down, bye...

Keepassxc does start when running LC_ALL=C firejail --noprofile /usr/bin/keepassxc, as well as when running /usr/bin/keepassxc

$ lspci -k | grep -A 3 -E "(VGA|3D)"
03:00.0 VGA compatible controller: Intel Corporation DG2 [Arc A380] (rev 05)
        Subsystem: ASRock Incorporation DG2 [Arc A380]
        Kernel driver in use: i915
        Kernel modules: i915

Also running fully up to date Arch Linux. This started occurring after a recent update to Mesa.

$ firejail --version
firejail version 0.9.72

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is disabled
        - IDS support is disabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled