gimp: failure due to seccomp (needs mbind syscall)

[carloabelli]

Gimp 2.10.10 fails to load (hangs without any output).

Firejail version 0.9.58.2 on Arch Linux. Runs fine with --noprofile. Disabling seccomp in gimp.profile fixes the issue.

[SkewedZeppelin]

I cannot reproduce this.
Are you using the proprietary NVIDIA drivers? or AppArmor?

[carloabelli]

@SkewedZeppelin Using AppArmor

[smitsohu]

Does sudo journalctl | grep syscall return something? Or do you see other messages related to gimp in your syslog?

Thanks.

[carloabelli]

@smitsohu Yup:

May 08 21:42:31 arch audit[16327]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=16327 comm="gimp" exe="/usr/bin/gimp-2.10" sig=31 arch=c000003e syscall=237 compat=0 ip=0x6a42015c897d code=0x0
May 08 21:42:31 arch kernel: audit: type=1326 audit(1557366151.446:165): auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=16327 comm="gimp" exe="/usr/bin/gimp-2.10" sig=31 arch=c000003e syscall=237 compat=0 ip=0x6a42015c897d code=0x0
                                              #4  0x00006a42015c897d syscall (libc.so.6)
                                              #0  0x00006a42015c897d syscall (libc.so.6)
                                              #0  0x00006a42015c897d syscall (libc.so.6)

[smitsohu]

syscall=237

Ok, then firejail --debug-syscalls | grep 237 will return the syscall that was used by gimp although it was forbidden by seccomp.

[carloabelli]

@smitsohu mbind

[smitsohu]

@carloabelli Cool, thanks!

Now the question is why it is failing for you. As this is not caused by AppArmor and there are no proprietary video drivers, another wild guess would be OpenCL... do you have OpenCL enabled on your system?

It seems there is an evironment variable to turn OpenCL off in Gimp, could you please try firejail --env=GEGL_USE_OPENCL=no gimp? There should be also a toggle somewhere in the preferences, not sure if that would work as well.

[carloabelli]

@smitsohu I don't believe I have OpenCL enabled. Running with that env variable did not resolve the issue.

[smitsohu]

Ok. How does the output of firejail gimp --verbose look when it is not responding any more (probably only the last couple of lines are interesting)?

[smitsohu]

seccomp.drop @cpu-emulation,@debug,@obsolete,@privileged,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,kcmp,keyctl,migrate_pages,move_pages,name_to_handle_at,ni_syscall,open_by_handle_at,personality,process_vm_readv,ptrace,remap_file_pages,request_key,set_mempolicy,syslog,umount,userfaultfd,vmsplice

is the default seccomp filter just without mbind. If you want you can add it to /etc/firejail/gimp.local along with ignore seccomp to keep going with the filter.

[carloabelli]

@smitsohu

Unfortunately there is no output before it stops responding with the verbose flag.

Adding gimp.local with those contents does allow gimp to run.

[rusty-snake]

Closing for now, since there is a workaround.

[glitsj16]

I don't have anything against this per se, but my gimp runs just fine on Arch/Ubuntu with seccomp and doesn't need this at all. #2681 had a workaround, so I wonder why we merged this for everybody while the OP can use 'seccomp !mbind' in gimp.local. Or am I missing something here?

[Fred-Barclay]

@glitsj16 I was wondering that too...

[carloabelli]

@glitsj16 @Fred-Barclay I wasn't sure how wide ranging the issue is, so if it's too isolated I'd be happy to revert this (perhaps a comment should be added about allowing mbind in some cases). Also happy to help figure out exactly what it is about my setup that causes this.

[glitsj16]

@carloabelli No worries. If we can reproduce, we already have a fix. If we cannot, we can reverse later on. But indeed, let's try to determine why your firejailed gimp hangs exactly. I assume both have been updated since your original report. Can you provide details on the environment in which this occurs please? Desktop environment, using Xorg or Wayland, content of gimp.local if you have that etcetera. For example, a memory-deny-write-execute in gimp.local could make it hang.

May 08 21:42:31 arch audit[16327]: SECCOMP auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=16327 comm="gimp" exe="/usr/bin/gimp-2.10" sig=31 arch=c000003e syscall=237 compat=0 ip=0x6a42015c897d code=0x0
May 08 21:42:31 arch kernel: audit: type=1326 audit(1557366151.446:165): auid=1000 uid=1000 gid=1000 ses=1 subj==unconfined pid=16327 comm="gimp" exe="/usr/bin/gimp-2.10" sig=31 arch=c000003e syscall=237 compat=0 ip=0x6a42015c897d code=0x0

Those look like AppArmor. Have you tried --ignore=apparmor yet (using the original full seccomp obviously)?

[carloabelli]

@glitsj16 Sounds good. I'm currently running Arch Linux with sway as my window manager (so wayland). GIMP version 2.10.14 and firejail version 0.9.62. Currently my gimp.local just contains seccomp !mbind. Removing that line causes GIMP to hang. Using ignore apparmor also has no effect (still hangs). Disabling apparmor system wide also does not help, so it seems that its not apparmor related.

[glitsj16]

@carloabelli Thanks for the update. I assume you still get the same syscall 237. Sway has Xwayland support correct? It's just a shot in the dark, but do you get the same issue/syscall when running GIMP under X11? I run the same GIMP version on Arch under GNOME Wayland and nothing indicates it needs access to kernel memory or NUMA settings, which is what mbind does if I'm not mistaken. Under X11 just the same, a rather exceptionally clean, silent run. Do you run the stock Arch kernel? Default factory settings for GIMP? As you notice, at the moment I'm clueless as to what might cause this for you. No need to respond to all these questions if they don't trigger any change (for the better). We'll just keep tracking this and see if other collaborators/users chime in. Regards!

[carloabelli]

@glitsj16 Yup looks to be the same issue. Sway does have Xwayland support. I am running the hardened arch kernel so maybe that could be it. Stock GIMP. Also pretty stumped what this could be. When I have more time I'll try running with the stock kernel and also X11 to see if that helps and report back. Thanks for your suggestions!

[carloabelli]

Tried with stock kernel and i3 (X11) and still no luck with mbind disabled.

[glitsj16]

@carloabelli Thanks for the feedback. Still stumped on what might cause this for you. I've retested GIMP on all machines I have access to and the full seccomp filter works just fine. So I'm going to revert #3178 for now. You can add the 'seccomp !mbind' to your gimp.local to keep it going. If you ever find out what exactly causes this for you, please keep us informed.

[carloabelli]

@glitsj16 Sounds good to me. I will update this if anything changes.