
Steam freezes on start #3267

Closed
TheOneric opened this issue Mar 4, 2020 · 14 comments

Comments

@TheOneric
Contributor

I checked recently opened and closed issues with steam beforehand, but couldn't find a solution. Apologies if I missed something and this has been reported before.

I used to run steam with firejail --ignore=private-dev steam and it worked fine. Ignore private-dev is needed for my controller to work.
However, now starting steam like this will cause steam to hang on start. A steam icon is in the tray, but cannot be interacted with, no window opens, but the program doesn't crash.
Using --allow-debuggers as suggested in another issue did nothing. --ignore-seccomp does work. Checking journalctl I can see the blocked syscall is 349, but using --seccomp=!$349 does nothing and I would prefer to not disable seccomp completely.

journalctl output:

Mär 04 16:45:50 gamestation audit[17983]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=17983 comm="steam" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_32/steam" sig=31 arch=40000003 syscall=349 compat=1 ip=0xf7f2bb49 code=0x0
Mär 04 16:45:50 gamestation kernel: audit: type=1326 audit(1583336750.477:93): auid=1001 uid=1001 gid=60 ses=2 pid=17983 comm="steam" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_32/steam" sig=31 arch=40000003 syscall=349 compat=1 ip=0xf7f2bb49 code=0x0

I am using firejail 0.9.62 on Manjaro.

@rusty-snake
Collaborator

First I was thinking that !$123 simply does not work. So I checked with firejail --noprofile '--seccomp=!$161' --audit, but it works. I tried also to get the name of the syscall with firejail --debug-syscalls | grep 349 but this does not work. Looks like there is no 349 syscall. Then I noticed that the arch differs from the one in my logs from above. After some research I used ausyscall i386 349 to resolve this i386 (x86; 32bit) syscall on an x86_64 (64bit) system, and it is kcmp.

Looks like you have an AMD GPU, see #3219.

@TheOneric
Contributor Author

Looks like you have an AMD GPU, see #3219.

Thanks, I do indeed have AMDGPU and Mesa-19.3.4.
I tried firejail --ignore=private-dev '--seccomp=!kcmp' steam and firejail --ignore=private-dev --ignore=seccomp '--seccomp=!kcmp,!chroot,!ptrace' steam but it still doesn't work and journalctl keeps reporting 349 as being blocked.
Excerpt of output when running second version:

Private /etc installed in 64.70 ms
Post-exec seccomp protector enabled
Seccomp list in: !kcmp,!chroot,!ptrace, check list: @default-keep, prelist: unknown,unknown,unknown,
Child process initialized in 226.18 ms
Manjaro steam native configuration found!
Running Steam on manjarolinux 19.0.2 64-bit

If there's nothing wrong with the command, does Steam being a 32-bit executable perhaps affect the seccomp filters? My system and most other applications are 64-bit (x86_64).

@polyzen
Contributor

polyzen commented Mar 4, 2020

Arch Linux
amdgpu
firejail 0.9.62

Having the same issue with steam and more/less the same issue with steam-native. The only difference that stands out is that with steam the tray icon appears. Haven't had any issues with firefox.

@rusty-snake
Collaborator

@TheOneric @polyzen can (one of) you try this:

firejail '--seccomp.drop=@cpu-emulation,@debug,@obsolete,@privileged,@resources,add_key,fanotify_init,io_cancel,io_destroy,io_getevents,io_setup,io_submit,ioprio_set,keyctl,name_to_handle_at,ni_syscall,open_by_handle_at,remap_file_pages,request_key,syslog,umount,userfaultfd,vmsplice' --ignore=seccomp --ignore=private-dev steam

@TheOneric
Contributor Author

TheOneric commented Mar 4, 2020

@rusty-snake This improves the situation, but doesn't completely work.
I can now interact with the tray icon and a window is being opened. However similar to #3049 the main content area is black, but I can interact with the Settings etc. A currently active Download is continuing and the download-site is the only one that is working in the main window. Settings etc are working.
Possibly related terminal output:

chrome_ipc_client.cpp (835) : Assertion Failed: Failed to connect to master html process, created shared memory (spawn time 60.11)
chrome_ipc_client.cpp (835) : Assertion Failed: Failed to connect to master html process, created shared memory (spawn time 60.11)
Installing breakpad exception handler for appid(steam)/version(1581460722)
ERROR: ld.so: object '/run/firejail/lib/libpostexecseccomp.so' from /etc/ld.so.preload cannot be preloaded (wrong ELF class: ELFCLASS64): ignored.
assert_20200304195853_32.dmp[327]: Uploading dump (out-of-process)
[…]
Installing breakpad exception handler for appid(steam)/version(1581460722)
ExecuteSteamURL: "steam:https://open/downloads"

@rusty-snake
Collaborator

@TheOneric is anything in the journal? Have you tried to comment include disable-common.inc? (You can use ignore, you must comment)

@topimiettinen looks like exceptions only work for the native arch. Is that wanted? cf. seccomp !kcmp broken, seccomp.drop <@default without kcmp> works.

@TheOneric
Contributor Author

Mär 04 19:57:53 gamestation audit[28872]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=28872 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=31 arch=c000003e syscall=117 compat=0 ip=0x7f2431667e63 code=0x0
Mär 04 19:57:53 gamestation kernel: audit: type=1326 audit(1583348273.027:145): auid=1001 uid=1001 gid=60 ses=2 pid=28872 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=31 arch=c000003e syscall=117 compat=0 ip=0x7f2431667e63 code=0x0
Mär 04 19:57:53 gamestation audit[29043]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=29043 comm="steamwebhelper" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/steamwebhelper" sig=31 arch=c000003e syscall=144 compat=0 ip=0x7f2be6b0760b code=0x0
Mär 04 19:57:53 gamestation audit[29043]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=29043 comm="steamwebhelper" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/steamwebhelper" sig=31 arch=c000003e syscall=203 compat=0 ip=0x7f2be6bfbb21 code=0x0
Mär 04 19:57:53 gamestation kernel: audit: type=1326 audit(1583348273.947:149): auid=1001 uid=1001 gid=60 ses=2 pid=29043 comm="steamwebhelper" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/steamwebhelper" sig=31 arch=c000003e syscall=144 compat=0 ip=0x7f2be6b0760b code=0x0
Mär 04 19:57:53 gamestation kernel: audit: type=1326 audit(1583348273.947:150): auid=1001 uid=1001 gid=60 ses=2 pid=29043 comm="steamwebhelper" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/steamwebhelper" sig=31 arch=c000003e syscall=203 compat=0 ip=0x7f2be6bfbb21 code=0x0
Mär 04 19:57:54 gamestation audit[29090]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=29090 comm="gldriverquery" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/gldriverquery" sig=31 arch=c000003e syscall=144 compat=0 ip=0x7fa27876c60b code=0x0
Mär 04 19:57:54 gamestation audit[29090]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=29090 comm="gldriverquery" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/gldriverquery" sig=31 arch=c000003e syscall=203 compat=0 ip=0x7fa278520b21 code=0x0
Mär 04 19:57:54 gamestation kernel: audit: type=1326 audit(1583348274.980:151): auid=1001 uid=1001 gid=60 ses=2 pid=29090 comm="gldriverquery" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/gldriverquery" sig=31 arch=c000003e syscall=144 compat=0 ip=0x7fa27876c60b code=0x0
Mär 04 19:57:54 gamestation kernel: audit: type=1326 audit(1583348274.980:152): auid=1001 uid=1001 gid=60 ses=2 pid=29090 comm="gldriverquery" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_64/gldriverquery" sig=31 arch=c000003e syscall=203 compat=0 ip=0x7fa278520b21 code=0x0

syscalls 117(setresuid), 144(sched_setscheduler), 203(sched_setaffinity) and arch=c000003e(afaik x86_64).
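An added triage helper, not code from the firejail project or from anyone in this thread: it decodes SECCOMP audit lines like the ones quoted above (the arch field distinguishes i386 from x86_64, the number is mapped to a name) and flags kills on the non-native arch, which a native-only `!name` exception would not cover. The syscall tables, the assumed native arch (x86_64) and the sample lines are taken from this thread only.

```python
import re

# AUDIT_ARCH_* values from <linux/audit.h>: EM_386 (3) and EM_X86_64 (0x3e) ORed with
# __AUDIT_ARCH_LE (0x40000000) and, for 64-bit, __AUDIT_ARCH_64BIT (0x80000000).
AUDIT_ARCH = {0x40000003: "i386", 0xC000003E: "x86_64"}
NATIVE_ARCH = "x86_64"  # assumed host arch, as on the systems in the thread

# Minimal tables holding only the numbers seen in this thread (what
# `ausyscall i386 349` and `ausyscall x86_64 117|144|203` resolve to).
SYSCALL_NAMES = {
    "i386": {349: "kcmp"},
    "x86_64": {117: "setresuid", 144: "sched_setscheduler", 203: "sched_setaffinity"},
}

# Matches both the "audit[pid]: SECCOMP ..." line and the kernel's "audit: type=1326 ..." copy.
AUDIT_RE = re.compile(
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?sig=(?P<sig>\d+) '
    r'arch=(?P<arch>[0-9a-f]+) syscall=(?P<nr>\d+) compat=(?P<compat>[01]) '
    r'ip=(?P<ip>0x[0-9a-f]+)'
)

# Journal lines copied from this thread: a 32-bit steam kill, its kernel copy, and a 64-bit kill.
SAMPLE_LINES = [
    'Mär 04 16:45:50 gamestation audit[17983]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=17983 comm="steam" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_32/steam" sig=31 arch=40000003 syscall=349 compat=1 ip=0xf7f2bb49 code=0x0',
    'Mär 04 16:45:50 gamestation kernel: audit: type=1326 audit(1583336750.477:93): auid=1001 uid=1001 gid=60 ses=2 pid=17983 comm="steam" exe="/usr/games/Games-SSD/Steam-Runtime/local-share-Steam/ubuntu12_32/steam" sig=31 arch=40000003 syscall=349 compat=1 ip=0xf7f2bb49 code=0x0',
    'Mär 04 19:57:53 gamestation audit[28872]: SECCOMP auid=1001 uid=1001 gid=60 ses=2 pid=28872 comm="pulseaudio" exe="/usr/bin/pulseaudio" sig=31 arch=c000003e syscall=117 compat=0 ip=0x7f2431667e63 code=0x0',
]

def decode_seccomp_line(line):
    """Return a dict describing one blocked-syscall audit line, or None if it is not one."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    arch = AUDIT_ARCH.get(int(m["arch"], 16), "unknown")
    nr = int(m["nr"])
    return {
        "pid": int(m["pid"]),
        "comm": m["comm"],
        "arch": arch,
        "syscall": nr,
        "name": SYSCALL_NAMES.get(arch, {}).get(nr, f"nr{nr}"),
        "sigsys": m["sig"] == "31",  # SIGSYS: the filter killed the process
        "ip": m["ip"],
        # firejail 0.9.62 resolves `!name` exceptions for the native arch only, so a kill
        # on a secondary arch will not be cured by e.g. --seccomp=!kcmp (thread finding).
        "native_exception_applies": arch == NATIVE_ARCH,
    }

def summarize(lines):
    """Count distinct kills per (comm, arch, name); the user-space and kernel copies of one event share pid/arch/nr/ip and are counted once."""
    seen, counts = set(), {}
    for line in lines:
        ev = decode_seccomp_line(line)
        if ev is None: continue
        key = (ev["pid"], ev["arch"], ev["syscall"], ev["ip"])
        if key in seen: continue
        seen.add(key)
        label = (ev["comm"], ev["arch"], ev["name"])
        counts[label] = counts.get(label, 0) + 1
    return counts
```

Feed it `journalctl -k` or `journalctl _COMM=audit` output to see at a glance which kills hit the i386 side of Steam and so need a 32-bit-aware filter rather than a native-arch exception.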

@topimiettinen
Collaborator

Typically only one arch is ever used and then you want to block the secondary archs. Steam is indeed an exception where 64-bit and 32-bit code is mixed (are there any others?). The problem here is that currently we can only translate system call names to numbers for the native arch.

Ideally the user should be able to specify different filters for each arch, something like seccomp.64.drop=a,b,c seccomp.32.keep=x,y,z. It would be friendly to users to let them construct filters for the archs with one list of system calls, but there are subtle differences with the system calls, some exist only on one arch and the names do not always match.

Also the error about libpostexecseccomp.so means that 32 bit ld.so doesn't know how to load a 64 bit library. For this to work, we'd need a pre-compiled library for all archs.

Nothing impossible, but needs a bit of thought.

@Vincent43
Collaborator

Steam is indeed an exception where 64-bit and 32-bit code is mixed (are there any others?)

wine

@rusty-snake
Collaborator

@TheOneric I get messed up with the seccomp groups, can you try again with this seccomp.drop.

--seccomp.drop=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup

@TheOneric
Contributor Author

can you try again with this seccomp.drop.

--seccomp.drop=@clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup

This one works without any visible problems, thanks.

@rusty-snake
Collaborator

suggestion

diff --git a/etc/steam.profile b/etc/steam.profile
index bc90af83..cd9bb745 100644
--- a/etc/steam.profile
+++ b/etc/steam.profile
@@ -38,8 +38,6 @@ include disable-programs.inc
 
 include whitelist-var-common.inc
 
-# allow-debuggers needed for running some games with proton
-allow-debuggers
 caps.drop all
 #ipc-namespace
 netfilter
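Review bot: Removing `allow-debuggers` drops a Proton workaround without recording why that is now safe; the only justification visible in this patch is the second hunk's comment that ptrace is needed by Proton and is therefore left out of the new `seccomp.drop` list. Keep that rationale next to the removal, e.g. `# allow-debuggers no longer needed: ptrace is not in the seccomp.drop list below`, and confirm a Proton title still launches with this profile before merging.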
@@ -54,9 +52,11 @@ nou2f
 # novideo should be commented for VR
 novideo
 protocol unix,inet,inet6,netlink
-# seccomp cause sometimes issues (see #2860, #2951),
+# seccomp cause sometimes issues (see #2951, #3267),
 # comment it or add 'ignore seccomp' to steam.local if so.
-seccomp
+# @default without kcmp, ptrace is needed by proton.
+# seccomp exception only work for the native architectur at the moment.
+seccomp.drop @clock,@cpu-emulation,@debug,@module,@obsolete,@raw-io,@reboot,@swap,open_by_handle_at,name_to_handle_at,ioprio_set,ni_syscall,syslog,fanotify_init,add_key,request_key,mbind,migrate_pages,move_pages,keyctl,io_setup,io_destroy,io_getevents,io_submit,io_cancel,remap_file_pages,set_mempolicyvmsplice,umount,userfaultfd,acct,bpf,chroot,mount,nfsservctl,pivot_root,setdomainname,sethostname,umount2,vhangup
 shell none
 # tracelog disabled as it breaks integrated browser
 #tracelog
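Review bot: The `seccomp.drop` line contains `set_mempolicyvmsplice`, a missing comma between `set_mempolicy` and `vmsplice`, so neither call is dropped; firejail reports names it cannot resolve as `unknown` in its seccomp list output (see the `prelist: unknown,...` line earlier in this thread), which is the check to run after fixing it to `set_mempolicy,vmsplice`. The new comments also need proofreading: `architectur` should be `architecture`, `exception only work` should be `exceptions only work`, and `seccomp cause sometimes issues` reads better as `seccomp sometimes causes issues`.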

@topimiettinen
Collaborator

I made a draft PR #3276 for this.

topimiettinen added a commit to topimiettinen/firejail that referenced this issue Mar 14, 2020
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.

Lists of supported system calls are also updated.

Fixes part of netblue30#3267.

Signed-off-by: Topi Miettinen <[email protected]>
topimiettinen added a commit to topimiettinen/firejail that referenced this issue Mar 14, 2020
rusty-snake pushed a commit that referenced this issue Mar 15, 2020
topimiettinen added a commit to topimiettinen/firejail that referenced this issue Mar 18, 2020
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.

Lists of supported system calls are also updated.

Error out if preload libraries would be needed due to trace, tracelog
or postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.

Closes netblue30#3267.

Signed-off-by: Topi Miettinen <[email protected]>
topimiettinen added a commit to topimiettinen/firejail that referenced this issue Mar 24, 2020
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.

Lists of supported system calls are also updated.

Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.

Closes netblue30#3267.

Signed-off-by: Topi Miettinen <[email protected]>
topimiettinen added a commit to topimiettinen/firejail that referenced this issue Mar 26, 2020
System calls (names and numbers) are not exactly the same for 32 bit
and 64 bit architectures. Let's allow defining separate filters for
32-bit arch using seccomp.32, seccomp.32.drop, seccomp.32.keep. This
is useful for mixed 64/32 bit application environments like Steam and
Wine.

Implement protocol and mdwx filtering also for 32 bit arch. It's still
better to block secondary archs completely if not needed.

Lists of supported system calls are also updated.

Warn if preload libraries would be needed due to trace, tracelog or
postexecseccomp (seccomp.drop=execve etc), because a 32-bit dynamic
linker does not understand the 64 bit preload libraries.

Closes netblue30#3267.

Signed-off-by: Topi Miettinen <[email protected]>
topimiettinen added a commit to topimiettinen/firejail that referenced this issue Mar 27, 2020
topimiettinen added a commit to topimiettinen/firejail that referenced this issue Mar 28, 2020
kmk3 added a commit to kmk3/firejail that referenced this issue Nov 30, 2021
`nogroups` should not have been causing issues with rendering on nvidia
since commit 623e682 ("temporary fix for nvidia/nogroups/noroot issue
(netblue30#3644, netblue30#841)", 2020-10-02) and commit cb460c3 ("more nvidia (netblue30#3644)",
2020-10-03), which had made it a no-op on nvidia.  And the handling of
the "render" and "video" groups is independent of the handling of
`nogroups` now; see the previous 3 commits.

Commits which introduced the comments on each profile:

* kodi.profile: commit ce462b6 ("fix netblue30#3501", 2020-07-16)
* mpsyt.profile: commit e17b48f ("new profile mpsyt.profile",
  2018-11-28)
* mpv.profile: commit cc7c489 ("Document netblue30#1945", 2018-07-25)
* steam.profile: commit d6f8169 ("steam fixes; netblue30#841, netblue30#3267",
  2020-03-15)

Commands used to find the comments:

    git grep -i nvidia -- etc/profile-* | grep -v private-etc

Relates to netblue30#4632.