[GH-ISSUE #3121] evince.profile issues (Gentoo) #1958

Closed
opened 2026-05-05 08:37:21 -06:00 by gitea-mirror · 6 comments

Originally created by @reagentoo on GitHub (Jan 4, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3121

@glitsj16 Hi.
I've tested the profile again after your commit (https://github.com/netblue30/firejail/pull/3120/commits/bd7394f6e5a23c6bf68b37b74c5f786ee16b4712). And as I said in our previous discussion (https://github.com/netblue30/firejail/issues/3118), `libgcc_s.so.*,libstdc++.so.*` does not solve it.
I can view PDFs only if `,gcc` is used in `private-lib`. But it's not a proper way to fix it, I think (it does not remove the warnings).

Also, maybe it's necessary to remove `nodbus` due to this line in the log:

```
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
```

@ghost commented on GitHub (Jan 4, 2020):

> Also, maybe it's necessary to remove `nodbus` due to this line in the log:
>
> Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.

@reagentoo Hi again. Let's tackle this one first. As the warning and the comment inside /etc/firejail/evince.profile state, `net none` only has confirmed issues on Ubuntu with AppArmor. On Gentoo you can add `net none` to your evince.local. That should take care of the D-BUS warning. Firejail also has the `--audit` option to check/confirm that:

```
$ firejail --audit /usr/bin/evince
```

> I can view PDFs only if `,gcc` is used in `private-lib`. But it's not a proper way to fix it, I think (it does not remove the warnings).

If adding `gcc` is the only way to get evince working on Gentoo, I'll happily add it. IMHO it shouldn't impact the strength of the profile. Besides that it doesn't remove the warnings, does evince work for you with all its functionalities if you add gcc to private-lib?


@rusty-snake commented on GitHub (Jan 4, 2020):

IIRC you can do `private-lib gcc/something/libstdc++.so` which will add `/usr/lib/libstdc++.so` in the sandbox.


@reagentoo commented on GitHub (Jan 4, 2020):

@glitsj16

> As the warning and the comment inside /etc/firejail/evince.profile state, `net none` only has confirmed issues on Ubuntu with AppArmor.

Actually, I have both sandboxes, AppArmor and Firejail, enabled on Gentoo.

> On Gentoo you can add `net none` to your evince.local. That should take care of the D-BUS warning.

I've gotten a log without the DBus warning after adding this.

> Besides that it doesn't remove the warnings, does evince work for you with all its functionalities if you add gcc to private-lib?

Right.


@ghost commented on GitHub (Jan 4, 2020):

@reagentoo OK, that leaves fixing `private-lib` as tight as possible. Did you test @rusty-snake's suggestion if it works when you add `libstdc++.so.*` and `libgcc_s.so.*` using the full sub-path under /usr/lib/gcc yet?


@reagentoo commented on GitHub (Jan 4, 2020):

I've tested these lines:

```
gcc/x86_64-pc-linux-gnu/8.3.0/libstdc++.so.*,gcc/x86_64-pc-linux-gnu/8.3.0/libgcc_s.so.*
gcc/x86_64-pc-linux-gnu/*/libstdc++.so.*,gcc/x86_64-pc-linux-gnu/*/libgcc_s.so.*
gcc/*/*/libstdc++.so.*,gcc/*/*/libgcc_s.so.*
gcc
```

All of these work for me. You need to decide which way is more acceptable.


@ghost commented on GitHub (Jan 4, 2020):

@reagentoo The `gcc/*/*/libstdc++.so.*,gcc/*/*/libgcc_s.so.*` syntax should be the best one to future-proof the evince profile on Gentoo. Thanks again for your cooperation!
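
To compare how much of the gcc library tree each `private-lib` candidate tested in this thread would expose, and what happens to the version-pinned one after a compiler upgrade, the following added example (not part of the original thread or of firejail) counts matches in a constructed directory tree. It assumes that shell globbing relative to the library directory approximates how firejail expands `private-lib` entries; the file names and the 9.2.0 version are sample data.

```shell
#!/bin/sh
# Build a constructed stand-in for Gentoo's /usr/lib layout (sample data, not a real system).
make_sample_libdir() {
    root=$(mktemp -d) || return 1
    d="$root/gcc/x86_64-pc-linux-gnu/8.3.0"
    mkdir -p "$d/include" "$d/plugin"
    for f in libstdc++.so.6 libstdc++.so.6.0.25 libgcc_s.so.1 libgomp.so.1 \
             libasan.so.5 libgfortran.so.5 include/stddef.h plugin/gtype.state; do
        : > "$d/$f"
    done
    printf '%s\n' "$root"
}

# Print how many regular files one comma-separated private-lib value would pull in.
# Assumption: shell globbing relative to the lib dir approximates firejail's expansion.
count_exposed() {   # $1 = lib dir, $2 = private-lib value
    (
        cd "$1" || exit 1
        IFS=,               # split the value on commas (subshell only)
        set -- $2           # unquoted on purpose: split, then expand globs
        for entry in "$@"; do
            [ -e "$entry" ] || continue   # an unmatched glob stays literal; skip it
            if [ -d "$entry" ]; then find "$entry" -type f; else printf '%s\n' "$entry"; fi
        done | sort -u | wc -l | tr -d ' '
    )
}

# One line per candidate tested in the thread.
report() {   # $1 = lib dir
    for spec in \
        'gcc/x86_64-pc-linux-gnu/8.3.0/libstdc++.so.*,gcc/x86_64-pc-linux-gnu/8.3.0/libgcc_s.so.*' \
        'gcc/x86_64-pc-linux-gnu/*/libstdc++.so.*,gcc/x86_64-pc-linux-gnu/*/libgcc_s.so.*' \
        'gcc/*/*/libstdc++.so.*,gcc/*/*/libgcc_s.so.*' \
        'gcc'; do
        printf '%s file(s): private-lib %s\n' "$(count_exposed "$1" "$spec")" "$spec"
    done
}

libdir=$(make_sample_libdir)
echo "With gcc 8.3.0 installed:"; report "$libdir"
# Simulate a compiler upgrade: the versioned directory is renamed (9.2.0 is a sample value).
mv "$libdir/gcc/x86_64-pc-linux-gnu/8.3.0" "$libdir/gcc/x86_64-pc-linux-gnu/9.2.0"
echo "After the upgrade:"; report "$libdir"
rm -rf "$libdir"
```

On a real system, pass the actual library directory to `count_exposed` to size each candidate before putting it in `evince.local`.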
