[GH-ISSUE #396] AppArmor'd evince fails to open X display with firejail --net=none #284

Closed
opened 2026-05-05 05:31:29 -06:00 by gitea-mirror · 4 comments

Originally created by @boite on GitHub (Mar 31, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/396

Evince works fine with firejail, except when I try to restrict network access with:-

```
$ firejail --net=none evince ~/Downloads/Document.PDF
Reading profile /etc/firejail/evince.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Parent pid 8315, child pid 8317

Child process initialized

** (evince:2): WARNING **: Could not open X display
Cannot parse arguments: Cannot open display:

parent is shutting down, bye...
```

The kernel reports a pair of AppArmor denials:-

```
kernel: [14157.702352] type=1400 audit(1459434825.496:75): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/evince" name="tmp/.X11-unix/X0" pid=8320 comm="evince" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
kernel: [14157.703145] type=1400 audit(1459434825.500:76): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/evince" name="tmp/.X11-unix/X0" pid=8320 comm="evince" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
```

This is on Trisquel 7 (based on Ubuntu 14.04 LTS).

```
$ uname -mrv
3.13.0-83-generic #127+7.0trisquel2 SMP Mon Mar 14 18:19:05 UTC 2016 x86_64
```
gitea-mirror 2026-05-05 05:31:29 -06:00: closed this issue and added the "bug" label

@netblue30 commented on GitHub (Mar 31, 2016):

Looks like evince needs to go on the network to do some DNS transactions. This will fail since you have --net=none, and apparmor kills it. Try to put evince in complain mode, this way apparmor will only put a message in your log, and try again:

```
$ sudo aa-complain /etc/apparmor.d/usr.bin.evince
```

To put it back in enforce mode:

```
$ sudo aa-enforce /etc/apparmor.d/usr.bin.evince
```

@boite commented on GitHub (Mar 31, 2016):

Thanks for the hint. Evince still isn't allowed to start in complain mode and the apparmor messages still contain the "Failed name lookup" info and error -13:-

```
apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/evince" name="tmp/.X11-unix/X0" pid=9040 comm="evince" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/evince" name="tmp/.X11-unix/X0" pid=9040 comm="evince" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
```

There's a related issue [1373070](https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1373070) in Ubuntu which gives some clue to the problem: disconnected paths. A recent comment from that issue mentions that:-

> The proper fix for this is delegating access to the object that would not normally be accessible, however delegation is not available in the current releases of apparmor and the HACK of attach disconnected is being used to work around this.

The hack is to use the apparmor `attach_disconnected` flag and looks like this (for the evince profile):-

```
  #include <tunables/global>

- /usr/bin/evince {
+ /usr/bin/evince flags=(attach_disconnected) {
  #include <abstractions/audio>
  #include <abstractions/bash>
```
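Review bot: the flag change on the `/usr/bin/evince` header line does not by itself permit the X connection; the enforce-mode records quoted further down in this comment still show `apparmor="DENIED" operation="connect" name="/tmp/.X11-unix/X0" requested_mask="r" denied_mask="r"`, so the profile also needs a rule that covers that socket before this edit is useful in enforce mode. Note too that `attach_disconnected` changes how the whole profile resolves disconnected objects (it is what turns `tmp/.X11-unix/X0` into `/tmp/.X11-unix/X0` in the later records), which is why the quoted Launchpad comment calls it a HACK pending proper delegation; it is worth recording that reasoning next to the flag in the profile rather than leaving the header change unexplained.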

Evince, in enforce mode and with this flag, doesn't start, but the apparmor messages no longer contain the info and error data:-

```
apparmor="DENIED" operation="connect" profile="/usr/bin/evince" name="/tmp/.X11-unix/X0" pid=10819 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="DENIED" operation="connect" profile="/usr/bin/evince" name="/tmp/.X11-unix/X0" pid=10819 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

Evince does start, in complain mode and with the flag:-

```
Reading profile /etc/firejail/evince.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc

** (evince:2): WARNING **: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-5O0xyAUEEV: Connection refused

** (evince:2): CRITICAL **: ev_bookmarks_get_bookmarks: assertion 'EV_IS_BOOKMARKS (bookmarks)' failed
Syntax Warning: Invalid Font Weight
... [snipped many "Syntax Warning: Invalid Font Weight"] ...
Parent pid 10939, child pid 10941
```

That output is almost the same as produced without `--net=none` and with the standard apparmor profile, except for the extra CRITICAL message about bookmarks. The apparmor messages:-

```
apparmor="ALLOWED" operation="connect" profile="/usr/bin/evince" name="/tmp/.X11-unix/X0" pid=10944 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
apparmor="ALLOWED" operation="connect" profile="/usr/bin/evince" name="/tmp/.X11-unix/X0" pid=10944 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
```

So it seems that:-

- the apparmor `attach_disconnected` flag affects the `requested_mask` by not requesting permission to write and it prevents the "Failed name lookup - disconnected path" error, probably because the path being connected to is given a leading slash
- `firejail --net=none` triggers a connect operation which apparmor denies
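As an added triage example (not code from this issue, nor from firejail or AppArmor), the following parser reads kernel audit records of the kind quoted in this thread and sorts them into the three situations the comment above distinguishes: a "disconnected path" failure (the object could not be resolved to a path under the process's root, so the name has no leading slash), an ordinary enforce-mode denial on a resolvable path, and an `ALLOWED` record that only passed because the profile is in complain mode. The sample lines are constructed in the shape of the page's records (the timestamps and audit serials after the first are made up), and the function names and labels are my own choices.

```python
import re
from typing import Dict, List, Optional

# Constructed sample records in the shape of the kernel audit lines quoted
# in this issue; timestamps/serials after the first line are invented.
SAMPLE_LOG = """\
kernel: [14157.702352] type=1400 audit(1459434825.496:75): apparmor="DENIED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/bin/evince" name="tmp/.X11-unix/X0" pid=8320 comm="evince" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
kernel: [14200.100000] type=1400 audit(1459434900.100:80): apparmor="DENIED" operation="connect" profile="/usr/bin/evince" name="/tmp/.X11-unix/X0" pid=10819 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [14300.200000] type=1400 audit(1459435000.200:90): apparmor="ALLOWED" operation="connect" profile="/usr/bin/evince" name="/tmp/.X11-unix/X0" pid=10944 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: [14400.300000] usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""

# key=value pairs: the value is either "quoted" (may contain spaces) or bare.
FIELD_RE = re.compile(r'\b(\w+)=(?:"([^"]*)"|(\S+))')


def parse_apparmor_record(line: str) -> Optional[Dict[str, str]]:
    """Return the key=value fields of one AppArmor audit record, or None
    for log lines that are not AppArmor records at all."""
    if 'apparmor="' not in line:
        return None
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def is_disconnected_path(fields: Dict[str, str]) -> bool:
    """True when the kernel could not resolve the object to a path under the
    process's root: the record carries the 'disconnected path' info and/or
    the name lacks its leading slash (the firejail --net=none symptom)."""
    info = fields.get('info', '')
    name = fields.get('name', '')
    return 'disconnected path' in info or (name != '' and not name.startswith('/'))


def classify(fields: Dict[str, str]) -> str:
    """Triage label for one record:
    'disconnected' - object unreachable from the sandbox root (fix the
                     mount/namespace view or use attach_disconnected);
    'denied'       - enforce-mode denial on a resolvable path (profile rule);
    'complain'     - ALLOWED only because the profile is in complain mode,
                     i.e. it would be denied once enforced;
    'other'        - status/other AppArmor messages."""
    verdict = fields.get('apparmor')
    if verdict not in ('DENIED', 'ALLOWED'):
        return 'other'
    if is_disconnected_path(fields):
        return 'disconnected'
    return 'denied' if verdict == 'DENIED' else 'complain'


def triage(log_text: str) -> Dict[str, List[Dict[str, str]]]:
    """Group every AppArmor record in log_text by its triage label."""
    groups: Dict[str, List[Dict[str, str]]] = {}
    for line in log_text.splitlines():
        fields = parse_apparmor_record(line)
        if fields is None:
            continue
        groups.setdefault(classify(fields), []).append(fields)
    return groups


if __name__ == '__main__':
    for label, records in triage(SAMPLE_LOG).items():
        for r in records:
            print(f"{label:12} profile={r['profile']} op={r['operation']} "
                  f"name={r['name']} requested={r['requested_mask']} "
                  f"denied={r['denied_mask']}")
```

Run against a real `journalctl -k` or `dmesg` capture, the `disconnected` group is the one to look at first: those records mean the profile was never even consulted against the path the rule writer expected, so adding `/tmp/.X11-unix/X0 rw,` style rules will not help until the path resolves, which is exactly the gap the thread's `attach_disconnected` workaround papers over.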

@netblue30 commented on GitHub (Apr 1, 2016):

Let's wait for Ubuntu 16.04 and see if they fix anything. I'll keep this open as a bug in order to track it. Thanks.


@netblue30 commented on GitHub (Jun 1, 2016):

The problem is still there in Ubuntu 16.04. I have documented it on the project webpage:

https://firejail.wordpress.com/support/known-problems/#apparmor

Reference: github-starred/firejail#284