keepassxc: cannot open without no3d (mesa regression)

[marek22k]

Description

KeePassXC no longer starts.

Steps to Reproduce

1. Be on a amd computer
2. Run in bash LC_ALL=C firejail PROGRAM

Expected behavior

KeePassXC starts.

Actual behavior

$LC_ALL=C firejail --profile=keepassxc /usr/bin/keepassxc
Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Parent pid 8116, child pid 8120
3 programs installed in 11.99 ms
Warning: skipping alternatives for private /etc
Private /etc installed in 5.92 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /home/marek/.ssh/config
Warning: not remounting /run/user/1000/doc
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 98.67 ms
Qt: Session management error: Could not open network socket
amdgpu_device_initialize: amdgpu_get_auth (1) failed (-1)
amdgpu: amdgpu_device_initialize failed.
glx: failed to create dri3 screen
failed to load driver: radeonsi
failed to open /dev/dri/card0: No such file or directory
failed to load driver: radeonsi

Parent is shutting down, bye...

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /path/to/program in a
terminal?

$LC_ALL=C firejail --noprofile /usr/bin/keepassxc
Parent pid 8150, child pid 8151
Child process initialized in 4.98 ms

Parent is shutting down, bye...

KeePassXC starts.

Additional context

$lspci -k | grep -A 3 -E "(VGA|3D)"
pcilib: Error reading /sys/bus/pci/devices/0000:00:08.3/label: Operation not permitted
64:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Phoenix1 (rev dd)
	Subsystem: Lenovo Phoenix1
	Kernel driver in use: amdgpu
	Kernel modules: amdgpu

Environment

• Linux distribution and version: Arch Linux
• Firejail version (firejail --version).

$firejail --version
firejail version 0.9.72

Compile time support:
	- always force nonewprivs support is disabled
	- AppArmor support is enabled
	- AppImage support is enabled
	- chroot support is enabled
	- D-BUS proxy support is enabled
	- file transfer support is enabled
	- firetunnel support is disabled
	- IDS support is disabled
	- networking support is enabled
	- output logging is enabled
	- overlayfs support is disabled
	- private-home support is enabled
	- private-cache and tmpfs as user enabled
	- SELinux support is disabled
	- user namespace support is enabled
	- X11 sandboxing support is enabled

Checklist

• The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
• I can reproduce the issue without custom modifications (e.g. globals.local).
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• I have performed a short search for similar issues (to avoid opening a duplicate).

Log

Output of LC_ALL=C firejail /path/to/program

$LC_ALL=C firejail /usr/bin/keepassxc
Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Parent pid 9516, child pid 9520
3 programs installed in 11.01 ms
Warning: skipping alternatives for private /etc
Private /etc installed in 4.93 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /home/marek/.ssh/config
Warning: not remounting /run/user/1000/doc
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 102.41 ms
Qt: Session management error: Could not open network socket
amdgpu_device_initialize: amdgpu_get_auth (1) failed (-1)
amdgpu: amdgpu_device_initialize failed.
glx: failed to create dri3 screen
failed to load driver: radeonsi
failed to open /dev/dri/card0: No such file or directory
failed to load driver: radeonsi

Parent is shutting down, bye...

Output of LC_ALL=C firejail --debug /path/to/program

https://gist.github.com/marek22k/3e81a432d66fc3a519f2ad66141f60fe

[Absolutely-Free]

I am having the exact same problem with an intel Arc A380.

$ LC_ALL=C firejail --profile=keepassxc /usr/bin/keepassxc
Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-run-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Parent pid 7019, child pid 7023
3 programs installed in 20.43 ms
Warning: skipping alternatives for private /etc
Warning: skipping ld.so.preload for private /etc
Private /etc installed in 7.63 ms
Private /usr/etc installed in 0.00 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /home/s/.ssh/config
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/gvfs
Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
Warning: cleaning all supplementary groups
Child process initialized in 172.75 ms
MESA: error: Failed to query drm device.
glx: failed to create dri3 screen
failed to load driver: iris
failed to open /dev/dri/card1: No such file or directory
failed to load driver: iris

Parent is shutting down, bye...

Keepassxc does start when running LC_ALL=C firejail --noprofile /usr/bin/keepassxc, as well as when running /usr/bin/keepassxc

$ lspci -k | grep -A 3 -E "(VGA|3D)"
03:00.0 VGA compatible controller: Intel Corporation DG2 [Arc A380] (rev 05)
        Subsystem: ASRock Incorporation DG2 [Arc A380]
        Kernel driver in use: i915
        Kernel modules: i915

Also running fully up to date Arch Linux. This started occurring after a recent update to Mesa.

$ firejail --version
firejail version 0.9.72

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is disabled
        - IDS support is disabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled

[glitsj16]

Also running fully up to date Arch Linux. This started occurring after a recent update to Mesa.

Any improvement when adding ignore no3d in ~/.config/firejail/keepassxc.local?

[Absolutely-Free]

Any improvement when adding ignore no3d in ~/.config/firejail/keepassxc.local?

That fixes it!

[glitsj16]

@Absolutely-Free Thanks for testing. This might be a Mesa bug, so I guess we'll better wait a bit and check the Arch bugtracker. Glad to read there's a workaround for now though!

[glitsj16]

Possibly related Arch Linux forum thread:
https://bbs.archlinux.org/viewtopic.php?id=291519.

[glitsj16]

UPDATE

Arch Linux Mesa package manager reverted a commit to fix https://gitlab.archlinux.org/archlinux/packaging/packages/mesa/-/issues/5 in mesa 1:23.3.2-2. Personally I don't use keepassxc, so I'm asking @marek22k and @Absolutely-Free to check if the proposed workaround is still needed with the latest mesa on Arch Linux.

[Absolutely-Free]

I updated my system, deleted ~/.config/firejail/keepassxc.local, and was able to start keepassxc as normal. All seems to be well on my end.

[glitsj16]

I updated my system, deleted ~/.config/firejail/keepassxc.local, and was able to start keepassxc as normal. All seems to be well on my end.

@Absolutely-Free That's promising, thanks for testing and reporting back!

[marek22k]

Works for me again.