github-starred/firejail
2
0
Fork 0
mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00
Code Issues 531 Projects Packages Wiki Activity Actions 6

[GH-ISSUE #1841] gnome-calculator's private-lib looks broken #1249

New issue
Closed
opened 2026-05-05 07:43:37 -06:00 by gitea-mirror · 2 comments
gitea-mirror commented 2026-05-05 07:43:37 -06:00
Owner
Copy link

Originally created by @ghost on GitHub (Mar 26, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1841

On Arch Linux gnome-calculator's private-lib condition is broken:

$ firejail /usr/bin/gnome-calculator
Reading profile /etc/firejail/gnome-calculator.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-passwdmgr.local
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 25675, child pid 25676
Standard C library installed in 80.68 ms
Program libraries installed in 631.68 ms
GdkPixbuf installed in 0.02 ms
GTK3 installed in 0.02 ms
Pango installed in 0.01 ms
GIO installed in 0.01 ms
Installed 97 libraries and 1 directories
Child process initialized in 1098.79 ms

(gnome-calculator:116): GdkPixbuf-WARNING **: 20:33:37.718: Cannot open pixbuf loader module file '/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache': No such file or directory

This likely means that your installation is broken.
Try running the command
  gdk-pixbuf-query-loaders > /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
to make things work again for the time being.
GLib-GIO-Message: 20:33:37.962: Using the 'memory' GSettings backend.  Your settings will not be saved or shared with other applications.

(gnome-calculator:116): GdkPixbuf-WARNING **: 20:33:38.282: Cannot open pixbuf loader module file '/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache': No such file or directory

This likely means that your installation is broken.
Try running the command
  gdk-pixbuf-query-loaders > /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
to make things work again for the time being.

(gnome-calculator:116): Gtk-WARNING **: 20:33:38.282: Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.

(gnome-calculator:116): GdkPixbuf-WARNING **: 20:33:38.283: Cannot open pixbuf loader module file '/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache': No such file or directory

This likely means that your installation is broken.
Try running the command
  gdk-pixbuf-query-loaders > /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
to make things work again for the time being.
**
Gtk:ERROR:gtkiconhelper.c:494:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/evopop.16/16x16/status/image-missing.png: Unrecognized image file format (gdk-pixbuf-error-quark, 3)

Parent is shutting down, bye...

This can be fixed by adding gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4,libgnutls.so.30,libproxy.so.1,librsvg-2.so.2,libxml2.so.2 to private-lib

$ firejail /usr/bin/gnome-calculator
Reading profile /etc/firejail/gnome-calculator.profile
Reading profile /etc/firejail/globals.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-passwdmgr.local
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 31958, child pid 31959
Standard C library installed in 66.56 ms
Program libraries installed in 740.33 ms
GdkPixbuf installed in 0.02 ms
GTK3 installed in 0.05 ms
Pango installed in 0.01 ms
GIO installed in 0.01 ms
Installed 109 libraries and 5 directories
Child process initialized in 1146.50 ms

So far so good, ready to do a PR or so I thought. On a whim, I wanted to confirm everything was working as expected by taking a quick glance from the app's perspective:

$firejail --join=gnome-calculator
Switching to pid 31959, the first child process inside the sandbox
Child process initialized in 17.64 ms
execvp: No such file or directory

Brrr... Adding another few libs (libacl.so.1,libcap.so.2,libmpfr.so.6,libprocps.so.6,libreadline.so.7) seems to solve the join issue, but only when ignoring private-bin. Rather messy, but in a complex universe that's ofthen how the cookie crumbles... Now for my real question. Are there any documented guidelines on how long a private-lib string can be before it gets unworkable? I'll better hold off any short-term ('hey look what I found'-like) PR's on private-lib issues before seeking advice from the experts.

Regards, I truly appreciate all the work being done in firejail. Including the very supportive athmosphere. No rush.

Originally created by @ghost on GitHub (Mar 26, 2018). Original GitHub issue: https://github.com/netblue30/firejail/issues/1841 On Arch Linux **gnome-calculator**'s `private-lib` condition is broken: ``` $ firejail /usr/bin/gnome-calculator Reading profile /etc/firejail/gnome-calculator.profile Reading profile /etc/firejail/globals.local Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-passwdmgr.local Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 25675, child pid 25676 Standard C library installed in 80.68 ms Program libraries installed in 631.68 ms GdkPixbuf installed in 0.02 ms GTK3 installed in 0.02 ms Pango installed in 0.01 ms GIO installed in 0.01 ms Installed 97 libraries and 1 directories Child process initialized in 1098.79 ms (gnome-calculator:116): GdkPixbuf-WARNING **: 20:33:37.718: Cannot open pixbuf loader module file '/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache': No such file or directory This likely means that your installation is broken. Try running the command gdk-pixbuf-query-loaders > /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache to make things work again for the time being. GLib-GIO-Message: 20:33:37.962: Using the 'memory' GSettings backend. Your settings will not be saved or shared with other applications. (gnome-calculator:116): GdkPixbuf-WARNING **: 20:33:38.282: Cannot open pixbuf loader module file '/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache': No such file or directory This likely means that your installation is broken. Try running the command gdk-pixbuf-query-loaders > /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache to make things work again for the time being. (gnome-calculator:116): Gtk-WARNING **: 20:33:38.282: Could not load a pixbuf from icon theme. This may indicate that pixbuf loaders or the mime database could not be found. (gnome-calculator:116): GdkPixbuf-WARNING **: 20:33:38.283: Cannot open pixbuf loader module file '/usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache': No such file or directory This likely means that your installation is broken. Try running the command gdk-pixbuf-query-loaders > /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache to make things work again for the time being. ** Gtk:ERROR:gtkiconhelper.c:494:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/evopop.16/16x16/status/image-missing.png: Unrecognized image file format (gdk-pixbuf-error-quark, 3) Parent is shutting down, bye... ``` This can be fixed by adding `gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4,libgnutls.so.30,libproxy.so.1,librsvg-2.so.2,libxml2.so.2` to `private-lib` ``` $ firejail /usr/bin/gnome-calculator Reading profile /etc/firejail/gnome-calculator.profile Reading profile /etc/firejail/globals.local Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-passwdmgr.local Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-var-common.inc Parent pid 31958, child pid 31959 Standard C library installed in 66.56 ms Program libraries installed in 740.33 ms GdkPixbuf installed in 0.02 ms GTK3 installed in 0.05 ms Pango installed in 0.01 ms GIO installed in 0.01 ms Installed 109 libraries and 5 directories Child process initialized in 1146.50 ms ``` So far so good, ready to do a PR or so I *thought*. On a whim, I wanted to confirm everything was working as expected by taking a quick glance from the app's perspective: ``` $firejail --join=gnome-calculator Switching to pid 31959, the first child process inside the sandbox Child process initialized in 17.64 ms execvp: No such file or directory ``` Brrr... Adding another few libs (libacl.so.1,libcap.so.2,libmpfr.so.6,libprocps.so.6,libreadline.so.7) seems to solve the `join` issue, but *only* when ignoring `private-bin`. Rather messy, but in a complex universe that's ofthen how the cookie crumbles... Now for my **real** question. Are there any documented guidelines on how long a `private-lib` string can be before it gets unworkable? I'll better hold off any short-term ('hey look what I found'-like) PR's on private-lib issues before seeking advice from the experts. Regards, I truly appreciate all the work being done in firejail. Including the very supportive athmosphere. No rush.
gitea-mirror commented 2026-05-05 07:43:40 -06:00
Author
Owner
Copy link

@Fred-Barclay commented on GitHub (Apr 1, 2018):

Hey @glitsj16 ! Sorry for the late reply.
Just to make sure I understand correctly, gnome-calculator works when you've added the
gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4,libgnutls.so.30,libproxy.so.1,librsvg-2.so.2,libxml2.so.2 line - but --join doesn't work unless you add some additional libs, right?

If so, that's alright and you don't have to worry about adding the extra libs to private-lib. Generally speaking, our private- options are only for running the particular program, not doing extra stuff like joining the sandbox. The reason being is that, as you saw, we'd have to add extra stuff to the private filters which decreases the overall sandbox tightness. private-bin in particular would have to be modified beyond what's reasonable.

If the above is correct, please send in a PR! I'll merge it unless someone else beats me to it. 😄

As far as I'm aware we don't have any guidelines for the maximum length of a line. As long as everything is actually needed in that line, then it's okay! But of course, for things like comments it's best to split them about the 80-character mark if feasible (just a personal preference).

<!-- gh-comment-id:377758750 --> @Fred-Barclay commented on GitHub (Apr 1, 2018): Hey @glitsj16 ! Sorry for the late reply. Just to make sure I understand correctly, `gnome-calculator` works when you've added the `gdk-pixbuf-2.0,gio,girepository-1.0,gvfs,libgconf-2.so.4,libgnutls.so.30,libproxy.so.1,librsvg-2.so.2,libxml2.so.2` line - but `--join` doesn't work unless you add some additional libs, right? If so, that's alright and you don't have to worry about adding the extra libs to `private-lib`. Generally speaking, our `private-` options are only for running the particular program, not doing extra stuff like joining the sandbox. The reason being is that, as you saw, we'd have to add extra stuff to the private filters which decreases the overall sandbox tightness. `private-bin` in particular would have to be modified beyond what's reasonable. If the above is correct, please send in a PR! I'll merge it unless someone else beats me to it. :smile: As far as I'm aware we don't have any guidelines for the maximum length of a line. As long as everything is actually **needed** in that line, then it's okay! But of course, for things like comments it's best to split them about the 80-character mark if feasible (just a personal preference).
gitea-mirror commented 2026-05-05 07:43:42 -06:00
Author
Owner
Copy link

@ghost commented on GitHub (Apr 1, 2018):

Hi @Fred-Barclay , no worries about your reply. Your understanding was fully correct, better than my own re-reading of the issue. 😄 Fixing private-lib for gnome-calculator is quite straightforward now I've got a few more clues as to how GTK apps work in that department. Filing a PR asap.

And thanks for explaining the rationale behind the private- options. It all makes more sense now. Happy to read there's a common-sensical approach regarding max length etc., that's about the only sense I've got (on a good day). Enjoy the weekend, regards.

<!-- gh-comment-id:377769891 --> @ghost commented on GitHub (Apr 1, 2018): Hi @Fred-Barclay , no worries about your reply. Your understanding was fully correct, better than my own re-reading of the issue. :smile: Fixing private-lib for gnome-calculator is quite straightforward now I've got a few more clues as to how GTK apps work in that department. Filing a PR asap. And thanks for explaining the rationale behind the `private-` options. It all makes more sense now. Happy to read there's a common-sensical approach regarding max length etc., that's about the only sense I've got (on a good day). Enjoy the weekend, regards.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
serialize_remounts_v2
landlock_v4
landlock
release-0.9.64
release-0.9.62
gitlab_ci
LTSbase
fred_ctests
docs
0.9.80
0.9.80-rc1
0.9.78
0.9.76
0.9.76-rc4
0.9.76-rc3
0.9.76-rc2
0.9.76-rc1
0.9.74
landlock-split
0.9.72
0.9.72rc1
0.9.70
0.9.68
0.9.68rc1
0.9.66
0.9.66rc1
0.9.64.4
0.9.64.2
0.9.64
0.9.64rc1
0.9.62.4
0.9.62.2
0.9.62
0.9.56.2-LTS
0.9.60
0.9.60-rc1
0.9.58.2
0.9.58
0.9.58-rc1
0.9.56-LTS-release
0.9.56-LTS
0.9.56
0.9.56-rc1
0.9.54
0.9.54-rc2
0.9.54-rc1
0.9.52
0.9.38.12
0.9.50
0.9.50-rc1
0.9.48
0.9.46
0.9.46-rc1
0.9.44.10
0.9.44.8
0.9.44.6
0.9.38.10
0.9.44.4
0.9.38.8
0.9.44.2
0.9.44
0.9.44-rc1
0.9.38.4
0.9.42
0.9.42-rc2
0.9.38.2
0.9.42-rc1
disable-globalcfg
0.9.40
0.9.40-rc1
0.9.38
0.9.38-rc1
0.9.36
0.9.36-rc1
0.9.34
0.9.34-rc1
0.9.32
0.9.32-rc1
0.9.30
0.9.30-rc1
Labels
Clear labels   
LTS merge

   
LTS merge

   
bug

   
bug

   
converted-to-discussion

   
doc-todo

   
documentation

   
duplicate

   
enhancement

   
file-transfer

   
firecfg

   
firejail-in-firejail

   
firetools

   
graphics

   
help wanted

   
information_old

   
installation

   
invalid

   
modif

   
moved

   
needinfo

   
networking

   
notabug

   
notourbug

   
old-version

   
overlayfs

   
packaging

   
profile-request

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
question_old

   
removal

   
runtime-permissions

   
sandbox-ipc

   
security

   
stale

   
wiki

   
wiki

   
wontfix

   
wordpress

   
workaround
No labels
LTS merge
LTS merge
bug
bug
converted-to-discussion
doc-todo
documentation
duplicate
enhancement
file-transfer
firecfg
firejail-in-firejail
firetools
graphics
help wanted
information_old
installation
invalid
modif
moved
needinfo
networking
notabug
notourbug
old-version
overlayfs
packaging
profile-request
pull-request
question
question_old
removal
runtime-permissions
sandbox-ipc
security
stale
wiki
wiki
wontfix
wordpress
workaround
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#1249
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?