hashcat: failure with private-dev & private-bin #6364

@schrotthaufen

Description

The default profile for hashcat uses private-bin and private-dev, which break hashcat.
I have an AMD RX 7900 XT GPU.

Steps to Reproduce

  1. Run in bash LC_ALL=C firejail hashcat -b -m 1000

Expected behavior

hashcat starts working.

Actual behavior

  • With private-bin hashcat: hashcat throws an error, and quits: /usr/local/bin/OpenCL/: No such file or directory
  • With private-dev: hashcat throws an error, and quits: No devices found/left.

Behavior without a profile

hashcat works as expected.

Additional context

I think /dev/kfd is required to make private-dev work, but if I pass --whitelist=/dev/kfd, the /dev/ directory is empty.

Environment

  • Arch Linux, kernel 6.9.3-arch1-1
  • firejail version 0.9.72
    Compile time support:
    • always force nonewprivs support is disabled
    • AppArmor support is enabled
    • AppImage support is enabled
    • chroot support is enabled
    • D-BUS proxy support is enabled
    • file transfer support is enabled
    • firetunnel support is disabled
    • IDS support is disabled
    • networking support is enabled
    • output logging is enabled
    • overlayfs support is disabled
    • private-home support is enabled
    • private-cache and tmpfs as user enabled
    • SELinux support is disabled
    • user namespace support is enabled
    • X11 sandboxing support is enabled

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Labels: graphics (Issues related to GPU acceleration and drivers (mesa, nvidia, etc))
