After the last software upgrade, firejail doesn't work with some program, though that program runs fine outside of firejail. "--noprofile" doesn't help:
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 3250, child pid 3251
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 89.22 ms
X Error of failed request: BadValue (integer parameter out of range for operation)
Major opcode of failed request: 152 (GLX)
Minor opcode of failed request: 3 (X_GLXCreateContext)
Value in failed request: 0x0
Serial number of failed request: 107
Current serial number in output stream: 108
Parent is shutting down, bye...
The upgrade was (XFCE, NVidia proprietary drivers):
grep -iE 'installed|upgraded|removed' /var/log/pacman.log | tail -20
[2024-06-10T19:54:03-0700] [ALPM] upgraded fakeroot (1.34-1 -> 1.35-1)
[2024-06-10T19:54:05-0700] [ALPM] upgraded nvidia-utils (550.78-1 -> 550.90.07-1)
[2024-06-10T19:54:06-0700] [ALPM] upgraded kconfig (6.2.0-1 -> 6.3.0-1)
[2024-06-10T19:54:06-0700] [ALPM] upgraded kguiaddons (6.2.0-1 -> 6.3.0-1)
[2024-06-10T19:54:06-0700] [ALPM] upgraded ki18n (6.2.0-1 -> 6.3.0-1)
[2024-06-10T19:54:06-0700] [ALPM] upgraded kcolorscheme (6.2.0-1 -> 6.3.0-1)
[2024-06-10T19:54:06-0700] [ALPM] upgraded kcoreaddons (6.2.0-1 -> 6.3.0-1)
[2024-06-10T19:54:06-0700] [ALPM] upgraded kcrash (6.2.0-1 -> 6.3.0-1)
[2024-06-10T19:54:06-0700] [ALPM] upgraded kdbusaddons (6.2.0-1 -> 6.3.0-1)
[2024-06-10T19:54:06-0700] [ALPM] upgraded kwindowsystem (6.2.0-1 -> 6.3.0-1)
[2024-06-10T19:54:06-0700] [ALPM] upgraded lib32-nvidia-utils (550.78-2 -> 550.90.07-1)
[2024-06-10T19:54:06-0700] [ALPM] upgraded nvidia-dkms (550.78-1 -> 550.90.07-1)
[2024-06-10T19:54:06-0700] [ALPM] upgraded xfce4-session (4.18.3-1 -> 4.18.4-1)
After that, I reinstalled obs-studio-tytan652 (30.1.2-4) from AUR but that didn't help either.
Last edited by chang-zhao (2024-06-14 20:04:28)
Offline
You got a new nvidia driver version, did you reboot yet? nvidia's kernel driver and userspace versions need to match, you are still on the "old" kernel module if you haven't rebooted yet, and you won't be able to access GL contexts of the new version with the old kernel driver.
Last edited by V1del (2024-06-11 13:17:58)
Offline
> You got a new nvidia driver version, did you reboot yet? nvidia's kernel driver and userspace versions need to match, you are still on the "old" kernel module if you haven't rebooted yet, and you won't be able to access GL contexts of the new version with the old kernel driver.
Yes, I rebooted a few times.
Offline
Kernel
Linux 6.6.32-1-lts x86_64
Offline
Is linux-lts-headers installed?
pacman -Qs kernel
dkms status
glxinfo -B
Offline
> Is linux-lts-headers installed?
> pacman -Qs kernel
> dkms status
> glxinfo -B
Yes, linux-lts-headers is installed:
$ pacman -Qs kernel
local/dkms 3.0.12-1
Dynamic Kernel Modules System
local/embree 4.3.1-1
Collection of high-performance ray tracing kernels
local/fuse3 3.16.2-1
Interface for userspace programs to export a filesystem to the Linux kernel
local/iptables 1:1.8.10-1
Linux kernel packet control tool (using legacy interface)
local/kmod 32-1
Linux kernel module management tools and library
local/lib32-libdrm 2.4.120-1
Userspace interface to kernel DRM services (32-bit)
local/libdrm 2.4.121-1
Userspace interface to kernel DRM services
local/libnetfilter_conntrack 1.0.9-2
Library providing an API to the in-kernel connection tracking state table
local/libnfnetlink 1.0.2-2
Low-level library for netfilter related kernel/userspace communication
local/libsysprof-capture 46.0-3
Kernel based performance profiler - capture library
local/libtraceevent 1:1.8.2-2
Linux kernel trace event library
local/libtracefs 1.8.0-1
Linux kernel trace file system library
local/linux-api-headers 6.8-1
Kernel headers sanitized for use in userspace
local/linux-lts 6.6.32-1
The LTS Linux kernel and modules
local/linux-lts-headers 6.6.32-1
Headers and scripts for building modules for the LTS Linux kernel
local/mtdev 1.1.6-2
A stand-alone library which transforms all variants of kernel MT events to the
slotted type B protocol
local/ndctl 78-2
Utility library for managing the libnvdimm (non-volatile memory device) sub-system in
the Linux kernel
local/python-comm 0.2.2-2
Python Comm implementation for the Jupyter kernel protocol
local/python-ipykernel 6.29.4-2
The ipython kernel for Jupyter
local/texlive-latex 2024.2-2 (texlive)
TeX Live - LaTeX fundamental packages
dkms status:
nvidia/550.90.07, 6.6.32-1-lts, x86_64: installed
glxinfo -B
name of display: :0
display: :0 screen: 0
direct rendering: Yes
Memory info (GL_NVX_gpu_memory_info):
Dedicated video memory: 3072 MB
Total available memory: 3072 MB
Currently available dedicated video memory: 2529 MB
OpenGL vendor string: NVIDIA Corporation
OpenGL renderer string: NVIDIA GeForce GTX 1050/PCIe/SSE2
OpenGL core profile version string: 4.6.0 NVIDIA 550.90.07
OpenGL core profile shading language version string: 4.60 NVIDIA
OpenGL core profile context flags: (none)
OpenGL core profile profile mask: core profile
OpenGL version string: 4.6.0 NVIDIA 550.90.07
OpenGL shading language version string: 4.60 NVIDIA
OpenGL context flags: (none)
OpenGL profile mask: (none)
OpenGL ES profile version string: OpenGL ES 3.2 NVIDIA 550.90.07
OpenGL ES profile shading language version string: OpenGL ES GLSL ES 3.20
Offline
I have the same issue running steam in firejail. Running outside firejail works fine.
Offline
There is the firejail issue: https://github.com/netblue30/firejail/issues/6372
Adding "noblacklist /sys/module" to the profile can fix it.
Offline
> There is the firejail issue: https://github.com/netblue30/firejail/issues/6372
> Adding "noblacklist /sys/module" to the profile can fix it.
Thank you. SOLVED.
Offline
The more restrictive fix is to add noblacklist /sys/module/nvidia/initstate.
Offline
For some reason the more restrictive fixes don't work for me. I tried
noblacklist /sys/module/nvidia/initstate
noblacklist /sys/module/nvidia_drm/initstate
noblacklist /sys/module/nvidia_uvm/initstate
noblacklist /sys/module/nvidia_modeset/initstate
and even
noblacklist /sys/module/nvidia
noblacklist /sys/module/nvidia_drm
noblacklist /sys/module/nvidia_uvm
noblacklist /sys/module/nvidia_modeset
but it gives the same error. "firejail --trace" says:
...skip...
19:nvidia-modprobe:exec /usr/bin/nvidia-modprobe:0
19:nvidia-modprobe:access /sys/module/nvidia/initstate:-1
19:nvidia-modprobe:opendir /sys/bus/pci/devices:0x7e0ad0
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:03:00.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:08.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:0a:00.6/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:18.3/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:09:00.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:02:00.2/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:01.2/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:0a:00.4/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:18.1/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:02:00.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:01.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:0b:00.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:03:06.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:0a:00.2/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:14.3/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:01:00.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:0a:00.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:00.2/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:18.6/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:00.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:03:05.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:08.1/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:18.4/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:18.2/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:02:00.1/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:01.1/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:0a:00.3/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:03:01.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:18.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:01:00.1/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:03:04.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:18.7/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:03:07.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:14.0/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:08.2/config:7
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:00:18.5/config:7
6:renpy:open /usr/share/X11/XErrorDB:18
X Error of failed request: BadValue (integer parameter out of range for operation)
Major opcode of failed request: 152 (GLX)
Minor opcode of failed request: 3 (X_GLXCreateContext)
Value in failed request: 0x0
Serial number of failed request: 107
Current serial number in output stream: 108
Parent is shutting down, bye...
I wonder why there's
19:nvidia-modprobe:access /sys/module/nvidia/initstate:-1
Does that mean access denied? But didn't I allow access to "/sys/module/nvidia/initstate"?
Offline
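The `firejail --trace` lines in the post above have the form `<number>:<program>:<call> <path>:<result>`, so calls that returned `-1` can be filtered out of a long trace to see which paths the sandboxed processes failed to reach. This is an added example, not part of the original posts; the function names and the sample trace (lines taken from the thread plus one constructed `renpy:access` line) are assumptions, and `-1` only shows that the call failed, not why.

```shell
#!/bin/sh
# Added example: pick failed calls out of `firejail --trace` output.
# Line format as seen in the thread: <number>:<program>:<call> <path>:<result>

# Sample input: lines from the thread, plus one constructed line
# (6:renpy:access ...) to show de-duplication across programs.
sample_trace() {
    cat <<'EOF'
19:nvidia-modprobe:exec /usr/bin/nvidia-modprobe:0
19:nvidia-modprobe:access /sys/module/nvidia/initstate:-1
19:nvidia-modprobe:opendir /sys/bus/pci/devices:0x7e0ad0
19:nvidia-modprobe:open /sys/bus/pci/devices/0000:03:00.0/config:7
6:renpy:open /usr/share/X11/XErrorDB:18
6:renpy:access /sys/module/nvidia/initstate:-1
X Error of failed request: BadValue (integer parameter out of range for operation)
Parent is shutting down, bye...
EOF
}

# failed_calls: read a trace on stdin and print "program call path" for each
# line whose result is -1. The path is matched greedily up to the final
# ":-1", so paths that contain colons (PCI addresses) are not cut short.
# Lines that are not trace records (X errors, firejail banners) do not match.
failed_calls() {
    sed -n -E 's/^[0-9]+:([^:]+):([a-z0-9_]+) (.+):-1$/\1 \2 \3/p' | sort -u
}

# failed_paths_under PREFIX: unique failed paths located below PREFIX.
# "/sys/module" matches /sys/module/nvidia/... but not /sys/modulefoo.
failed_paths_under() {
    prefix=$1
    failed_calls | awk -v p="$prefix/" '{
        path = $0
        sub(/^[^ ]+ [^ ]+ /, "", path)   # drop "program call ", keep the path
        if (index(path, p) == 1) print path
    }' | sort -u
}

# Stand-alone run: show what failed below /sys/module in the sample trace.
sample_trace | failed_paths_under /sys/module
```

On a real system, pipe the saved output of `firejail --trace` into `failed_calls` instead of `sample_trace`.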
@chang-zhao
> 19:nvidia-modprobe:access /sys/module/nvidia/initstate:-1
I don't have NVIDIA hardware to properly test this myself. You could ask the person on the firejail issue thread about this though.
Based on the blender profile you might try:
noblacklist /sys/module
whitelist /sys/module/nvidia*
read-only /sys/module/nvidia*
Offline
> Based on the blender profile you might try:
> noblacklist /sys/module
> whitelist /sys/module/nvidia*
> read-only /sys/module/nvidia*
It works. Thank you!
Offline
@chang-zhao
Great! I'll add this to the firejail issue and propose a fix before the upcoming 0.9.74 comes out. Thanks for confirming.
Offline