github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1711] Evince does not run due to --private-lib configuration option #1154

New issue
Closed
opened 2026-05-05 07:33:10 -06:00 by gitea-mirror · 16 comments
gitea-mirror commented 2026-05-05 07:33:10 -06:00
Owner
Copy link

Originally created by @elvetemedve on GitHub (Jan 2, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1711

The problem

The Evice Document Viewer application does not start, because private-lib option in evince.profile prevents reading the file /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache.

See evince_log.txt for details.

Environment

OS: Arch Linux 4.14.9-1-ARCH
Firejail version: 0.9.52
Evince version: 3.26.0

Originally created by @elvetemedve on GitHub (Jan 2, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/1711 ### The problem The **Evice Document Viewer** application does not start, because **private-lib** option in **evince.profile** prevents reading the file **/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache**. See [evince_log.txt](https://github.com/netblue30/firejail/files/1598834/evince_log.txt) for details. ### Environment OS: Arch Linux 4.14.9-1-ARCH Firejail version: 0.9.52 Evince version: 3.26.0
gitea-mirror 2026-05-05 07:33:10 -06:00
  • closed this issue
  • added the
    bug
         label
gitea-mirror commented 2026-05-05 07:33:14 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Jan 7, 2018):

I cannot reproduce it on Arch running LXDE. Do you have /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache in your filesystem? They say in the log to create it by running

gdk-pixbuf-query-loaders > /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
<!-- gh-comment-id:355823135 --> @netblue30 commented on GitHub (Jan 7, 2018): I cannot reproduce it on Arch running LXDE. Do you have /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache in your filesystem? They say in the log to create it by running ````` gdk-pixbuf-query-loaders > /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache `````
gitea-mirror commented 2026-05-05 07:33:16 -06:00
Author
Owner
Copy link

@elvetemedve commented on GitHub (Jan 7, 2018):

Yes, the file is present in the filesytem. But the private-lib switch makes it invisible for Evince.

<!-- gh-comment-id:355828237 --> @elvetemedve commented on GitHub (Jan 7, 2018): Yes, the file is present in the filesytem. But the private-lib switch makes it invisible for Evince.
gitea-mirror commented 2026-05-05 07:33:17 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Jan 13, 2018):

I'll try again to reproduce it, so far no luck. What window/desktop manager are you using?

<!-- gh-comment-id:357451602 --> @netblue30 commented on GitHub (Jan 13, 2018): I'll try again to reproduce it, so far no luck. What window/desktop manager are you using?
gitea-mirror commented 2026-05-05 07:33:18 -06:00
Author
Owner
Copy link

@elvetemedve commented on GitHub (Jan 13, 2018):

I'm using Gnome Shell (3.26.2) desktop environment. Window manager is Mutter.

<!-- gh-comment-id:357460166 --> @elvetemedve commented on GitHub (Jan 13, 2018): I'm using Gnome Shell (3.26.2) desktop environment. Window manager is Mutter.
gitea-mirror commented 2026-05-05 07:33:19 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Jan 18, 2018):

I have removed private-lib from the profile until we figure out what's going on. Thanks for the bug.

<!-- gh-comment-id:358717317 --> @netblue30 commented on GitHub (Jan 18, 2018): I have removed private-lib from the profile until we figure out what's going on. Thanks for the bug.
gitea-mirror commented 2026-05-05 07:33:22 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Mar 12, 2018):

Re-enabling private-lib temporarily in evince profile.

We found some problem with 32bit libraries being copied by private-lib instead of the regular 64bit libraries. @elvetemedve, can you give it a try please - we will take it out if it doesn't work. Thanks!

<!-- gh-comment-id:372464875 --> @netblue30 commented on GitHub (Mar 12, 2018): Re-enabling private-lib temporarily in evince profile. We found some problem with 32bit libraries being copied by private-lib instead of the regular 64bit libraries. @elvetemedve, can you give it a try please - we will take it out if it doesn't work. Thanks!
gitea-mirror commented 2026-05-05 07:33:24 -06:00
Author
Owner
Copy link

@Fred-Barclay commented on GitHub (Mar 13, 2018):

I'm getting this error now when trying to open a file with evince on Fedora 27 amd64:

 firejail evince
Reading profile /etc/firejail/evince.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 10632, child pid 10633
Private /etc installed in 5.42 ms
Standard C library installed in 83.23 ms
Program libraries installed in 236.50 ms
GdkPixbuf installed in 79.83 ms
GTK3 installed in 145.03 ms
Pango installed in 0.01 ms
GIO installed in 38.40 ms
Installed 131 libraries and 5 directories
Blacklist violations are logged to syslog
Child process initialized in 640.61 ms
dbus[152]: Could not get password database information for UID of current process: User "???" unknown or no memory to allocate password entry

dbus[152]: Could not get password database information for UID of current process: User "???" unknown or no memory to allocate password entry


(evince:152): EvinceDocument-WARNING **: libpoppler-glib.so.8: cannot open shared object file: No such file or directory

(evince:152): EvinceDocument-WARNING **: libpoppler-glib.so.8: cannot open shared object file: No such file or directory

Evince does start, but it won't open pdfs.

<!-- gh-comment-id:372538607 --> @Fred-Barclay commented on GitHub (Mar 13, 2018): I'm getting this error now when trying to open a file with evince on Fedora 27 amd64: ``` firejail evince Reading profile /etc/firejail/evince.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 10632, child pid 10633 Private /etc installed in 5.42 ms Standard C library installed in 83.23 ms Program libraries installed in 236.50 ms GdkPixbuf installed in 79.83 ms GTK3 installed in 145.03 ms Pango installed in 0.01 ms GIO installed in 38.40 ms Installed 131 libraries and 5 directories Blacklist violations are logged to syslog Child process initialized in 640.61 ms dbus[152]: Could not get password database information for UID of current process: User "???" unknown or no memory to allocate password entry dbus[152]: Could not get password database information for UID of current process: User "???" unknown or no memory to allocate password entry (evince:152): EvinceDocument-WARNING **: libpoppler-glib.so.8: cannot open shared object file: No such file or directory (evince:152): EvinceDocument-WARNING **: libpoppler-glib.so.8: cannot open shared object file: No such file or directory ``` Evince does start, but it won't open pdfs.
gitea-mirror commented 2026-05-05 07:33:26 -06:00
Author
Owner
Copy link

@Fred-Barclay commented on GitHub (Mar 13, 2018):

Scratch that, it was a problem with the profile not private-lib. I just needed to add libpoppler-glib.so.8 to private-lib. 😄 @elvetemedve Please try 25b9c72c8b/etc/evince.profile if plain old firejail --private-lib evince doesn't work.

I'm not all that familiar with libraries - is it safe to assume that all distros will have a library file precisely named libpoppler-glib.so.8? If not then we might need to add wildcard expansion to private-lib so we could do something more like private-lib ibpoppler-glib.so.*

<!-- gh-comment-id:372539710 --> @Fred-Barclay commented on GitHub (Mar 13, 2018): Scratch that, it was a problem with the profile not private-lib. I just needed to add `libpoppler-glib.so.8` to private-lib. :smile: @elvetemedve Please try https://github.com/netblue30/firejail/blob/25b9c72c8b557637177b2808ffcf34389b58aea1/etc/evince.profile if plain old `firejail --private-lib evince` doesn't work. I'm not all that familiar with libraries - is it safe to assume that all distros will have a library file precisely named libpoppler-glib.so.8? If not then we might need to add wildcard expansion to private-lib so we could do something more like `private-lib ibpoppler-glib.so.*`
gitea-mirror commented 2026-05-05 07:33:28 -06:00
Author
Owner
Copy link

@elvetemedve commented on GitHub (Mar 13, 2018):

@netblue30 @Fred-Barclay Which version of Firejail do you expect me to run? I have the latest version 0.9.52.

I copied the referenced config to ~/.config/firejail/evince.profile and run firejail /usr/bin/evince. Unfortunately I still see the same error messages (firejail-evince.log).

Regarding naming of libraries, I think only the location is different from one Linux distribution to the other. There is a naming convention which tells there should be a filename without version pointing to the actual version provided by the OS level package.
In this case libpoppler-glib.so looks like:

file /usr/lib/libpoppler-glib.so
/usr/lib/libpoppler-glib.so: symbolic link to libpoppler-glib.so.8

file /usr/lib/libpoppler-glib.so.8
/usr/lib/libpoppler-glib.so.8: symbolic link to libpoppler-glib.so.8.9.0

file /usr/lib/libpoppler-glib.so.8.9.0
/usr/lib/libpoppler-glib.so.8.9.0: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4d3c61c7b210d4a7b0d15e9efbe29eceaaed0f3e, stripped

<!-- gh-comment-id:372661110 --> @elvetemedve commented on GitHub (Mar 13, 2018): @netblue30 @Fred-Barclay Which version of Firejail do you expect me to run? I have the latest version **0.9.52**. I copied the referenced config to `~/.config/firejail/evince.profile` and run `firejail /usr/bin/evince`. Unfortunately I still see the same error messages ([firejail-evince.log](https://github.com/netblue30/firejail/files/1806921/firejail-evince.log)). Regarding naming of libraries, I think only the location is different from one Linux distribution to the other. There is a naming convention which tells there should be a filename without version pointing to the actual version provided by the OS level package. In this case `libpoppler-glib.so` looks like: `file /usr/lib/libpoppler-glib.so` _/usr/lib/libpoppler-glib.so: symbolic link to libpoppler-glib.so.8_ `file /usr/lib/libpoppler-glib.so.8` _/usr/lib/libpoppler-glib.so.8: symbolic link to libpoppler-glib.so.8.9.0_ `file /usr/lib/libpoppler-glib.so.8.9.0` _/usr/lib/libpoppler-glib.so.8.9.0: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4d3c61c7b210d4a7b0d15e9efbe29eceaaed0f3e, stripped_
gitea-mirror commented 2026-05-05 07:33:29 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Mar 13, 2018):

Can you get the version in git running?

libpoppler-glib.so.8 is in all distros, at least from Ubuntu 14.04 up to the latest Debian sid and arch. It shouldn't be a problem. Thanks for your help.

<!-- gh-comment-id:372672743 --> @netblue30 commented on GitHub (Mar 13, 2018): Can you get the version in git running? libpoppler-glib.so.8 is in all distros, at least from Ubuntu 14.04 up to the latest Debian sid and arch. It shouldn't be a problem. Thanks for your help.
gitea-mirror commented 2026-05-05 07:33:30 -06:00
Author
Owner
Copy link

@elvetemedve commented on GitHub (Mar 14, 2018):

@netblue30 I'm sorry to tell you that it still complains about missing /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache file (I'm using the latest code from master branch, currently 0.9.53). I turned on debugging which shows libpoppler-glib.so.8 being copied to the private lib directory (firejail-evince-with-debugging.log).

Let me know if you need more info!

<!-- gh-comment-id:373066564 --> @elvetemedve commented on GitHub (Mar 14, 2018): @netblue30 I'm sorry to tell you that it still complains about missing `/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache` file (I'm using the latest code from **master** branch, currently 0.9.53). I turned on debugging which shows **libpoppler-glib.so.8** being copied to the private lib directory ([firejail-evince-with-debugging.log](https://github.com/netblue30/firejail/files/1811838/firejail-evince-with-debugging.log)). Let me know if you need more info!
gitea-mirror commented 2026-05-05 07:33:31 -06:00
Author
Owner
Copy link

@netblue30 commented on GitHub (Mar 14, 2018):

Thanks @elvetemedve , let's remove private-lib for the next release, we are still missing something there.

@startx2017: can you bring in support for "private-lib libpoppler-glib.so*", something similar with private-bin and all the others?

<!-- gh-comment-id:373073974 --> @netblue30 commented on GitHub (Mar 14, 2018): Thanks @elvetemedve , let's remove private-lib for the next release, we are still missing something there. @startx2017: can you bring in support for "private-lib libpoppler-glib.so*", something similar with private-bin and all the others?
gitea-mirror commented 2026-05-05 07:33:32 -06:00
Author
Owner
Copy link

@startx2017 commented on GitHub (Mar 17, 2018):

can you bring in support for "private-lib libpoppler-glib.so*", something similar with private-bin and all the others?

Sure, it will be easy.

<!-- gh-comment-id:373938977 --> @startx2017 commented on GitHub (Mar 17, 2018): > can you bring in support for "private-lib libpoppler-glib.so*", something similar with private-bin and all the others? Sure, it will be easy.
gitea-mirror commented 2026-05-05 07:33:33 -06:00
Author
Owner
Copy link

@Fred-Barclay commented on GitHub (Apr 1, 2018):

@elvetemedve Can you test from git again? We've got some more files added to private-lib in evince.
Thanks!
Fred

<!-- gh-comment-id:377803797 --> @Fred-Barclay commented on GitHub (Apr 1, 2018): @elvetemedve Can you test from git again? We've got some more files added to private-lib in evince. Thanks! Fred
gitea-mirror commented 2026-05-05 07:33:34 -06:00
Author
Owner
Copy link

@elvetemedve commented on GitHub (Apr 3, 2018):

Hi @Fred-Barclay,
I can confirm that it works well now (using the latest commit from master branch).
Thank you for the fix. :)

<!-- gh-comment-id:378275164 --> @elvetemedve commented on GitHub (Apr 3, 2018): Hi @Fred-Barclay, I can confirm that it works well now (using the [latest commit](https://github.com/netblue30/firejail/commit/a0502dc5144185b6d346e92944e3359a833d2378) from master branch). Thank you for the fix. :)
gitea-mirror commented 2026-05-05 07:33:35 -06:00
Author
Owner
Copy link

@Fred-Barclay commented on GitHub (Apr 3, 2018):

Awesome!
Credits to @glitsj16

<!-- gh-comment-id:378294880 --> @Fred-Barclay commented on GitHub (Apr 3, 2018): Awesome! Credits to @glitsj16
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1154
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?