
gamemoderun doesn't work with firejail #5035

Open
ademlabs opened this issue Mar 11, 2022 Discussed in #4201 · 23 comments

Comments

@ademlabs

With reference to the firejail and gamemoderun discussion, I tried running gamemoderun on glxgears instead of supertuxkart for testing.

I'm on EndeavourOS (Arch-based) running firejail version 0.9.68

In my ~/.config/firejail/supertuxcart.local file I have added glxgears to the private-bin:

# Required by gamemoderun
noblacklist ${PATH}/bash
private-bin gamemoderun,bash,env,glxgears
ignore dbus-user none
dbus-user filter
dbus-user.talk com.feralinteractive.GameMode

Then I ran the command

firejail --profile=supertuxkart gamemoderun /usr/bin/glxgears

Which produced the following output:

Reading profile /etc/firejail/supertuxkart.profile
Reading profile /home/ademlabs/.config/firejail/supertuxkart.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 381125, child pid 381128
Warning: skipping none for private /opt
Private /opt installed in 0.11 ms
Warning: skipping none for private /srv
Private /srv installed in 0.07 ms
4 programs installed in 4.89 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping drirc for private /etc
Warning: skipping openal for private /etc
Warning: skipping pki for private /etc
Private /etc installed in 21.53 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 157.85 ms
gamemodeauto:
Running synchronized to the vertical refresh.  The framerate should be
approximately the same as the monitor refresh rate.
316 frames in 5.0 seconds = 63.038 FPS
300 frames in 5.0 seconds = 59.996 FPS
300 frames in 5.0 seconds = 59.996 FPS
300 frames in 5.0 seconds = 59.996 FPS

In a separate terminal window I checked gamemoded -s but it always gives me

gamemode is inactive

Running gamemoderun /usr/bin/glxgears will work as expected though and I'll see gamemode is active.
I'm not sure what to check next; it seems this should just work with this config. Maybe dbus communication is not working as expected?

@rusty-snake
Collaborator

rusty-snake commented Mar 11, 2022

~/.config/firejail/supertuxcart.local

Typo in comment or in real filename?

@ademlabs
Author

~/.config/firejail/supertux_c_art.local

Typo in comment or in real filename?

Yes, sorry, there is a typo in the comment; the file on disk is properly named supertuxkart.local. In the output from firejail, it does load the correct file:

...
Reading profile /home/ademlabs/.config/firejail/supertuxkart.local
...

@rusty-snake
Collaborator

Does it work if you comment

dbus-user filter
dbus-user.talk com.feralinteractive.GameMode

@ademlabs
Author

No, I have the same result when commenting those lines.

I tried looking at the running processes. glxgears is currently running with PID 422074:

$ ps aux | grep -i glxgears
ademlabs    422052  0.0  0.0   4596  2732 pts/3    S+   21:17   0:00 firejail --profile=supertuxkart gamemoderun /usr/bin/glxgears
ademlabs    422057  0.1  0.0   4608  2016 pts/3    S+   21:17   0:00 firejail --profile=supertuxkart gamemoderun /usr/bin/glxgears
ademlabs    422074  1.0  0.3 1309524 102236 pts/3  Sl+  21:17   0:00 /usr/bin/glxgears

I also checked for any gamemoded logs with journalctl -n 5 _COMM=gamemoded:

Mar 11 21:15:52 valkyrja gamemoded[37205]: ERROR: Unable to find executable for PID 420625: Permission denied
Mar 11 21:15:52 valkyrja gamemoded[37205]: ERROR: Failed to register client [420625]: Permission denied
Mar 11 21:17:12 valkyrja gamemoded[37205]: ERROR: Removal requested for unknown process [420625].
Mar 11 21:17:47 valkyrja gamemoded[37205]: ERROR: Unable to find executable for PID 422074: Permission denied
Mar 11 21:17:47 valkyrja gamemoded[37205]: ERROR: Failed to register client [422074]: Permission denied

Seems gamemoded is not able to register the PID process, so I tried with a manual request as well:

$ gamemoded -r422074
gamemode not active for client, requesting start for 422074...
ERROR: gamemode_request_start_for(422074) failed:

And journalctl shows the same error again:

Mar 11 21:23:52 valkyrja gamemoded[37205]: ERROR: Unable to find executable for PID 422074: Permission denied
Mar 11 21:23:52 valkyrja gamemoded[37205]: ERROR: Failed to register client [422074]: Permission denied

I'm not sure where the permission error is coming from, I'm running everything with the same user here.

@rusty-snake
Collaborator

If this is caused by the pid namespace, you can give up.

Does firejail --noprofile gamemoderun … work?

@ademlabs
Author

Yes, it works with the --noprofile option.

@rusty-snake
Collaborator

Can you confirm that ignore noroot works?

@ademlabs
Author

Indeed, passing the --ignore=noroot option allows gamemode to run

firejail --ignore=noroot --profile=supertuxkart gamemoderun /usr/bin/glxgears

Also, I noticed that whenever gamemode works correctly (with or without firejail), I have this line in my system logs for the gamemoded service:

Mar 11 22:28:39 valkyrja pkexec[473366]: pam_unix(polkit-1:session): session opened for user root(uid=0) by (uid=1000)

Not sure if this is related.

@ademlabs
Author

Is there a way to debug this? I'm trying to understand why it doesn't work when noroot is specified.

@rusty-snake
Collaborator

Does unshare --map-current-user gamemoderun /usr/bin/glxgears work?

@ademlabs
Author

Yes it works, gamemode is active when running unshare --map-current-user ...

@rusty-snake
Collaborator

Ok, so it's not caused by userns in general but instead by firejail's implementation. When I run firejail --noprofile [--noroot] sleep 1m and compare ls -l /proc/<PID of sleep> the difference is that the targets of the cwd, exe and root symlinks are only accessible for root but not for a regular user.

Is this something we can change? @smitsohu

That's also the cause for flatpak/xdg-desktop-portal#737.

@smitsohu
Collaborator

Related: #3727 and possibly more.

What could be done on our end is creating the user namespace with user privileges where possible, falling back to root only if that fails.

@smitsohu
Collaborator

smitsohu commented Mar 20, 2022

diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 96407d08..3d8e3330 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1220,8 +1220,10 @@ int sandbox(void* sandbox_arg) {
        //****************************************
        save_nogroups();
        if (arg_noroot) {
+               EUID_USER();
                int rv = unshare(CLONE_NEWUSER);
-               if (rv == -1) {
+               EUID_ROOT();
+               if (rv && unshare(CLONE_NEWUSER)) {
                        fwarning("cannot create a new user namespace, going forward without it...\n");
                        arg_noroot = 0;
                }
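Review bot: the fallback on the `+               if (rv && unshare(CLONE_NEWUSER)) {` line cannot be reached safely, because the `EUID_ROOT()` added just before it runs inside the freshly created unprivileged user namespace whenever the first `unshare` succeeded; with no uid_map written yet, that uid-changing call fails (the EDIT in this comment quotes exactly that rule), so the process is left with an unexpected identity before the condition is even evaluated. Suggest writing `/proc/self/setgroups`, `uid_map` and `gid_map` immediately after the unprivileged `unshare` succeeds and only then switching EUID, and keeping the root-created namespace as an explicit separate branch so the existing `fwarning("cannot create a new user namespace, ...")` reports which of the two paths actually failed.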

EDIT: This is broken because

In a user namespace where the uid_map file has not been written, the system calls that change user IDs will fail.

@smitsohu
Collaborator

Also related: #4623

@Hydranet

I'm also running into this, except I am having this with the Steam profile. Once a solution has been made for this, will this also be applicable for using firejail with steam and gamemoderun, so that when you launch a game through Steam gamemode will be active when being used with firejail?

@glitsj16
Collaborator

glitsj16 commented Mar 20, 2024

@Hydranet
Hard to answer what will happen in the future. For now - almost two years later - the referenced issues haven't seen any progress. Have you tested/tried the suggested workaround yet? If not, here's an updated example for gamemoderun and steam with Firejail 0.9.72:

$ cat ~/.config/firejail/steam.local
# Required by gamemoderun
# steam.profile doesn't 'include disable-shell.inc'
#include allow-bin-sh.inc
ignore noroot
# steam.profile doesn't enable 'private-bin' by default
#private-bin bash,env,gamemoderun
# steam.profile doesn't enable D-Bus filtering
#ignore dbus-user none
#dbus-user filter
#dbus-user.talk com.feralinteractive.GameMode

After creating the above file, try running firejail --profile=steam gamemoderun /usr/bin/steam.

HTH

@Hydranet

@glitsj16 Thanks for your response!
I did try that; when I do that I get the following error message.
Steam on Linux now requires the ability to create new user namespaces.

steam-runtime-check-requirements[149]: E: Diagnostic output:
dbus[152]: arguments to dbus_pending_call_block() were incorrect, assertion "pending != NULL" failed in file dbus-pending-call.c line 766.
This is normally a bug in some application using the D-Bus library.

  D-Bus not built with -rdynamic so unable to print a backtrace

steam.sh[32]: Error: Steam on Linux now requires the ability to create new user namespaces.

If the file /proc/sys/kernel/unprivileged_userns_clone exists, check that
it contains value 1.

If the file /proc/sys/user/max_user_namespaces exists, check that its
value is high enough.

This requirement is the same as for Flatpak, which has more detailed
information available:
https://github.com/flatpak/flatpak/wiki/User-namespace-requirements

When I check those values on my system I get these.

cat /proc/sys/kernel/unprivileged_userns_clone
1

cat /proc/sys/user/max_user_namespaces
125114

@glitsj16
Collaborator

Steam on Linux now requires the ability to create new user namespaces.

Not sure if that's really a 'new' requirement. I'd try to pin-point the offending line(s) in the steam profile to see what else it needs. Some 'possible candidates' are noroot, nonewprivs and seccomp. The latter has a somewhat cryptic comment in the profile:

# seccomp sometimes causes issues (see #2951, #3267).
# Add 'ignore seccomp' to your steam.local if you experience this.
# mount, name_to_handle_at, pivot_root and umount2 are used by Proton >= 5.13
# (see #4366).
seccomp !chroot,!mount,!name_to_handle_at,!pivot_root,!process_vm_readv,!ptrace,!umount2

You'll have to experiment a bit here.

@Hydranet

Thanks, I'll try experimenting with that and report back here if I get it to work.

@Hydranet

@glitsj16 I got it to work with ignore noroot. I still had the same errors when running this.
firejail --profile=steam gamemoderun /usr/bin/steam
However I figured this doesn't make sense because firejail launches Steam and then when Steam is started and you launch a game, Steam launch options launch gamemoderun. Then I tried noroot, nonewprivs and seccomp. Seems only the first one is needed to get gamemoderun to work when launching a game from Steam. Thanks for your help! I'll remember to read the comments in the profiles if I run into something again and try overriding different settings with ignore in my local file if I run into something again. Thanks for your help!

Just one question, since ignore noroot fixes it what does noroot actually do with the sandbox so that I can maybe understand why ignoring that allows gamemoderun to be used by Steam when launching a game?

@glitsj16
Collaborator

@Hydranet

I got it to work with 'ignore noroot'.

Nice!

Just one question, since 'ignore noroot' fixes it what does noroot actually do with the sandbox so that I can maybe understand why ignoring that allows gamemoderun to be used by Steam when launching a game?

The noroot option creates a user namespace containing only your current (unprivileged) user, so without the 'root' user. Most of the time that doesn't create any problems for the application being sandboxed and therefore is considered a 'plus' to enable in firejail profiles. In your Steam and gamemoderun combo though, the 'root' user needs to exist so Steam can actually handle the namespace switching. Now that might sound bad - root historically has 'danger' attached to it all over. But steam.profile still protects the sandbox via options like nogroups and especially nonewprivs + seccomp filtering. The end result being an 'acceptable' balance between security and usability... Hope this helps clear up some of the cryptics of the interaction between all the possible sandbox options firejail offers.

In general it's a good thing to look at the content of the profiles. Agreed, it can take some time and effort to familiarize oneself with their syntax, structure etc. But after a while you'll be in a much better position to make the kind of informed decisions on how to protect the system. Your comments suggest you're on the right track :-)

Happy sandboxing!
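Added example (not code from the thread or from the firejail or gamemode projects) that makes the two diagnoses above checkable on any PID: it performs the same /proc/<pid>/exe, cwd and root lookups that gamemoded logged as "Permission denied" in rusty-snake's analysis, and reads /proc/<pid>/uid_map to show whether the process sits in a user namespace and whether uid 0 is mapped at all, which is what the noroot explanation above describes. The helper names are my own; run it with a PID as the first argument, or with none to inspect the script's own process.

```python
import os
import sys
from typing import Dict, List, Tuple

# uid_map of the initial user namespace: inside 0 -> outside 0, full range
INITIAL_UID_MAP = [(0, 0, 4294967295)]

def readlink_status(path: str) -> Tuple[bool, str]:
    """Try the lookup gamemoded does; return (ok, target or error text)."""
    try:
        return True, os.readlink(path)
    except OSError as e:
        return False, os.strerror(e.errno)

def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map rows: inside-start, outside-start, count."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((int(parts[0]), int(parts[1]), int(parts[2])))
    return rows

def maps_uid(uid_map: List[Tuple[int, int, int]], inside_uid: int) -> bool:
    """True if inside_uid has a mapping (root exists when 0 is mapped)."""
    return any(s <= inside_uid < s + n for s, _, n in uid_map)

def diagnose(pid: int) -> Dict[str, object]:
    """Owner of /proc/<pid>, link readability and namespace facts."""
    base = f"/proc/{pid}"
    report: Dict[str, object] = {"pid": pid, "proc_owner_uid": os.stat(base).st_uid}
    for link in ("exe", "cwd", "root"):
        ok, detail = readlink_status(f"{base}/{link}")
        report[f"{link}_readable"] = ok
        report[f"{link}_detail"] = detail
    with open(f"{base}/uid_map") as f:
        uid_map = parse_uid_map(f.read())
    report["uid_map"] = uid_map
    report["root_mapped"] = maps_uid(uid_map, 0)      # False under noroot
    report["in_user_namespace"] = uid_map != INITIAL_UID_MAP
    return report

def diagnose_self() -> Dict[str, object]:
    """Convenience wrapper for the current process (always readable)."""
    return diagnose(os.getpid())

if __name__ == "__main__":
    target = int(sys.argv[1]) if len(sys.argv) > 1 else os.getpid()
    for key, value in diagnose(target).items():
        print(f"{key}: {value}")
```

Point it at the PID of a process started under firejail --noroot versus one started under unshare --map-current-user: the former should show exe_readable False with "Permission denied" while the latter stays readable, matching the observation in the thread.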

@Hydranet

Hydranet commented Mar 22, 2024

@glitsj16

The noroot option creates a user namespace containing only your current (unprivileged) user, so without the 'root' user.

Thanks for the explanation!

In general it's a good thing to look at the content of the profiles. Agreed, it can take some time and effort to familiarize oneself with their syntax, structure etc. But after a while you'll be in a much better position to make the kind of informed decisions on how to protect the system. Your comments suggest you're on the right track :-)

Happy sandboxing!

Thanks again for your help and thanks for Firejail!
