[GH-ISSUE #4982] geary: fails to fully start and burns CPU #2842

Open
opened 2026-05-05 09:29:50 -06:00 by gitea-mirror · 11 comments
Owner

Originally created by @spantaleev on GitHub (Feb 25, 2022).
Original GitHub issue: https://github.com/netblue30/firejail/issues/4982

Description

geary (1:40.0-6 on Archlinux) starts, but the UI is frozen.

Steps to Reproduce

I'm using the default geary profile. The one deployed by the Archlinux firejail package seems to be up to date with current master.

Steps to reproduce the behavior

  1. LC_ALL=C firejail geary
  2. Observe geary's frozen / empty UI and 100% CPU usage

Geary's dialog window still remains running after that, but nothing is clickable.

See the log below for some errors.

Behavior without a profile

What changed calling LC_ALL=C firejail --noprofile /usr/bin/geary in a terminal?

Geary starts up normally.

Additional context

Any other detail that may help to understand/debug the problem

Environment

  • Archlinux
  • Firejail version (firejail --version): 0.9.68

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/geary.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 465344, child pid 465347
1 program installed in 1.31 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Warning fcopy: skipping /etc/xdg/menus/cinnamon-applications-merged, cannot find inode
Private /etc installed in 38.06 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 143.87 ms
*[wrn] 15:54:06.0147 dbind:AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
*[wrn] 15:54:06.0158 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory

*[wrn] 15:54:06.0166 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory

*[wrn] 15:54:06.0176 geary:application-certificate-manager.vala:87: No GCR store found, GCR certificate pinning unavailable
*[wrn] 15:54:06.0176 geary:application-certificate-manager.vala:91: GCR store is not RW, GCR certificate pinning unavailable
*[wrn] 15:54:06.0263 GLib:getpwuid_r(): failed due to unknown user id (1000)
Failed to create secure directory (/run/user/1000/pulse): Permission denied

Output of LC_ALL=C firejail --debug /path/to/program

Parent pid 465462, child pid 465463
Child process initialized in 8.49 ms
*[wrn] 17:54:38.0771 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory

*[wrn] 17:54:38.0778 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory

*[wrn] 17:54:38.0788 geary:application-certificate-manager.vala:87: No GCR store found, GCR certificate pinning unavailable
*[wrn] 17:54:38.0788 geary:application-certificate-manager.vala:91: GCR store is not RW, GCR certificate pinning unavailable

gitea-mirror added the
bug
label 2026-05-05 09:29:50 -06:00
Author
Owner

@ghost commented on GitHub (Feb 26, 2022):

*[wrn] 15:54:06.0147 dbind:AT-SPI: Error retrieving accessibility bus address: [...]

This is due to dbus-user filter and not allowing the app to talk to 'org.a11y.Bus' (I think). None of our profiles allow D-Bus accessibility features. Don't recall any explicit discussion on this option, but can always be added in geary.local if needed. [UNRELATED]

*[wrn] 15:54:06.0158 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory

Might be due to the very restrictive private-bin (which only allows the geary executable). [RELATED]

*[wrn] 15:54:06.0176 geary:application-certificate-manager.vala:87: No GCR store found, GCR certificate pinning unavailable
*[wrn] 15:54:06.0176 geary:application-certificate-manager.vala:91: GCR store is not RW, GCR certificate pinning unavailable

I'm not familiar with Geary's certificate-management. But here private-bin might also be blocking something. [RELATED]

*[wrn] 15:54:06.0263 GLib:getpwuid_r(): failed due to unknown user id (1000)

Adding private-etc group,login.defs,passwd in geary.local should fix this. [PROFILE BUG]

Failed to create secure directory (/run/user/1000/pulse): Permission denied

Due to machine-id/nosound in the profile, so to be expected. Again, if you need/want Geary to provide audible notifications, you can override these in geary.local. [UNRELATED]

To sum up, these are some things you can try to see if they help fixing your Geary by creating ~/.config/firejail/geary.local with the below content:

ignore private-bin
private-etc group,login.defs,passwd
#+ temporarily allow all dbus-user traffic while debugging
ignore dbus-user filter
Author
Owner

@spantaleev commented on GitHub (Feb 27, 2022):

Wow, thank you for that very detailed analysis and proposed profile changes!

I've tried with your proposed geary.local and the output is like this now:

Output of LC_ALL=C firejail /path/to/program

Reading profile /etc/firejail/geary.profile
Reading profile /home/USER/.config/firejail/geary.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Ignoring "dbus-user.own org.gnome.Geary" and 6 other dbus-user filter rules.
Parent pid 850934, child pid 850935
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Warning fcopy: skipping /etc/xdg/menus/cinnamon-applications-merged, cannot find inode
Private /etc installed in 30.94 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 158.82 ms
Warning: an existing sandbox was detected. /usr/bin/geary will run without any additional sandboxing features
*[wrn] 09:28:32.0680 dbind:Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-WTUR9G4M0H: No such file or directory
*[wrn] 09:28:32.0691 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory

*[wrn] 09:28:32.0699 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory

*[wrn] 09:28:32.0709 geary:application-certificate-manager.vala:87: No GCR store found, GCR certificate pinning unavailable
*[wrn] 09:28:32.0709 geary:application-certificate-manager.vala:91: GCR store is not RW, GCR certificate pinning unavailable
Failed to create secure directory (/run/user/1000/pulse): Permission denied
W: [pulseaudio] core-util.c: Uh, personality() failed: Operation not permitted

The UI is still frozen and Geary still burns CPU just the same.

Author
Owner

@rusty-snake commented on GitHub (Feb 27, 2022):

W: [pulseaudio] core-util.c: Uh, personality() failed: Operation not permitted

seccomp !personality
Author
Owner

@ghost commented on GitHub (Feb 28, 2022):

Output of LC_ALL=C firejail /path/to/program
[...]
Warning: an existing sandbox was detected. /usr/bin/geary will run without any additional sandboxing features
[...]

Hmm, that message indicates firejail is trying to sandbox geary twice. If you used firecfg to generate symlinks in /usr/local/bin (or your package manager did in a post-install hook) the correct call to start a firejailed geary process from a script or from the command line is

$ geary <-- because /usr/local/bin precedes /usr/bin in PATH and /usr/local/bin/geary is a symlink to /usr/bin/firejail
OR
$ /usr/local/bin/geary <-- calling the symlink directly with full path
OR
$ firejail /usr/bin/geary <-- calling firejail with the full path to the geary executable

Which one did you use?

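An added check for the double-sandbox situation described in the comment above (example code, not from the thread or the firejail project): it resolves how a command name would be launched from a given PATH and reports whether the first hit is a firecfg-style symlink to firejail, then says which invocation sandboxes exactly once. It runs against a constructed temporary directory tree rather than the real filesystem; the function names and the fixture layout are assumptions.

```shell
#!/bin/sh
# Added example: detect the "existing sandbox was detected" setup from the
# thread, where /usr/local/bin/<app> -> /usr/bin/firejail (created by firecfg)
# makes `firejail <app>` wrap firejail inside firejail.

# Print how NAME would be started for the given PATH value (second argument):
#   "symlink-to-firejail <path>"  -> `firejail NAME` would sandbox twice
#   "plain <path>"                -> NAME resolves to a real executable
#   "not-found"                   -> NAME is not on that PATH
firejail_launch_mode() {
    name=$1
    search_path=$2
    old_ifs=$IFS
    IFS=:
    for dir in $search_path; do
        candidate="$dir/$name"
        if [ -x "$candidate" ] || [ -L "$candidate" ]; then
            IFS=$old_ifs
            # readlink -f follows the whole symlink chain, so a symlink that
            # ends at the firejail binary is recognised even if it is indirect.
            target=$(readlink -f "$candidate")
            case "$(basename "$target")" in
                firejail) echo "symlink-to-firejail $candidate" ;;
                *)        echo "plain $candidate" ;;
            esac
            return 0
        fi
    done
    IFS=$old_ifs
    echo "not-found"
    return 1
}

# Print the invocation that applies the profile exactly once.
# $1 = command name, $2 = absolute path of the real binary, $3 = PATH value
suggest_invocation() {
    name=$1
    real_bin=$2
    mode=$(firejail_launch_mode "$name" "$3") || { echo "no $name in PATH"; return 1; }
    case "$mode" in
        symlink-to-firejail*)
            echo "run '$name' (symlink) or 'firejail $real_bin', not 'firejail $name'" ;;
        plain*)
            echo "run 'firejail $real_bin'" ;;
    esac
}

# Constructed fixture mirroring the firecfg layout from the comment:
#   <root>/usr/bin/firejail          fake firejail binary
#   <root>/usr/bin/geary             fake geary binary
#   <root>/usr/local/bin/geary  ->   <root>/usr/bin/firejail
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/local/bin"
    printf '#!/bin/sh\necho firejail\n' > "$root/usr/bin/firejail"
    printf '#!/bin/sh\necho geary\n'    > "$root/usr/bin/geary"
    chmod +x "$root/usr/bin/firejail" "$root/usr/bin/geary"
    ln -s "$root/usr/bin/firejail" "$root/usr/local/bin/geary"
    echo "$root"
}

# Demo: the PATH order from the comment (/usr/local/bin before /usr/bin).
demo_root=$(make_fixture)
firejail_launch_mode geary "$demo_root/usr/local/bin:$demo_root/usr/bin"
suggest_invocation geary /usr/bin/geary "$demo_root/usr/local/bin:$demo_root/usr/bin"
rm -rf "$demo_root"
```

On a real system, call `firejail_launch_mode geary "$PATH"` to see which of the three invocations from the comment applies to your PATH.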
Author
Owner

@spantaleev commented on GitHub (Feb 28, 2022):

Oh, silly me! You're right, I've been using LC_ALL=C firejail geary lately (for making these reports) and I do have symlinks installed.

Nevertheless, ~/.config/firejail/geary.local is like this now:

ignore private-bin
private-etc group,login.defs,passwd
#+ temporarily allow all dbus-user traffic while debugging
ignore dbus-user filter
seccomp !personality

and

Output of LC_ALL=C firejail /usr/bin/geary

Reading profile /etc/firejail/geary.profile
Reading profile /home/USER/.config/firejail/geary.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !personality, check list: @default-keep, prelist: unknown,
Ignoring "dbus-user.own org.gnome.Geary" and 6 other dbus-user filter rules.
Parent pid 885332, child pid 885333
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Warning fcopy: skipping /etc/xdg/menus/cinnamon-applications-merged, cannot find inode
Private /etc installed in 30.58 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !personality, check list: @default-keep, prelist: unknown,
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 159.43 ms
*[wrn] 06:37:43.0443 dbind:Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-WTUR9G4M0H: No such file or directory
*[wrn] 06:37:43.0456 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory

*[wrn] 06:37:43.0464 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory

*[wrn] 06:37:43.0475 geary:application-certificate-manager.vala:87: No GCR store found, GCR certificate pinning unavailable
*[wrn] 06:37:43.0475 geary:application-certificate-manager.vala:91: GCR store is not RW, GCR certificate pinning unavailable
Failed to create secure directory (/run/user/1000/pulse): Permission denied

Author
Owner

@ghost commented on GitHub (Feb 28, 2022):

Let me provide some context. I personally don't like the newer Geary UI and use a custom Arch Linux PKGBUILD to install geary 3.34.2. Obviously that doesn't help when trying to debug the reported issues here. So I temporarily moved aside my custom stuff and installed the current geary repo package (https://archlinux.org/packages/community/x86_64/geary/).

After some testing I created a new geary.profile (https://gist.github.com/glitsj16/ad78eb15f696173dbf8e1678e96a8add), which works fine for me here. If you'd like to try that, download the linked gist, place it in ~/.config/firejail/geary.profile (so it overrides /etc/firejail/geary.profile) and (temporarily) remove the ~/.config/firejail/geary.local to avoid confusion. As you can see I integrated the above suggestions in the refactored one.

I didn't have to use the seccomp !personality option mentioned above and can use the full seccomp option. We can worry later on what the current geary.profile needs to fix this. Let's try to get it going first on your setup.

Author
Owner

@spantaleev commented on GitHub (Feb 28, 2022):

With your geary.profile and with my geary.local disabled, Geary is working as per normal now.

Output of `LC_ALL=C firejail /usr/bin/geary`:

```
Reading profile /home/USER/.config/firejail/geary.profile
Reading profile /etc/firejail/allow-bin-sh.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 56438, child pid 56441
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Warning fcopy: skipping /etc/xdg/menus/cinnamon-applications-merged, cannot find inode
Private /etc installed in 36.78 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 185.43 ms
*[wrn] 17:11:45.0998 dbind:Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-JqpPRxuKDk: No such file or directory
*[wrn] 17:11:46.0010 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory
*[wrn] 17:11:46.0021 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory
*[wrn] 17:11:46.0032 geary:application-certificate-manager.vala:87: No GCR store found, GCR certificate pinning unavailable
*[wrn] 17:11:46.0032 geary:application-certificate-manager.vala:91: GCR store is not RW, GCR certificate pinning unavailable
Failed to create secure directory (/run/user/1000/pulse): Permission denied
W: [pulseaudio] core-util.c: Uh, personality() failed: Operation not permitted
```

Thanks for taking the time to figure it all out!


@ghost commented on GitHub (Feb 28, 2022):

> With your geary.profile and with my geary.local disabled, Geary is working as per normal now.

Great! Thanks for confirming, very much appreciated. I'll make the necessary changes to our geary.profile later today. Before doing so I want to test if the `seccomp !personality` is indeed needed in case users try to enable audio support. Left that out for now to start with basic functionality but it would be a nice comment.

> Thanks for taking the time to figure it all out!

Very welcome. Thanks to your issue report we're now aware of this and will do the work. Just remember to remove your ~/.config/firejail/geary.profiles when Arch Linux pushes a future firejail upgrade to its repos.
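A small probe, added here as an example (not code from firejail or from this issue), that reports whether the personality(2) syscall is usable inside the current sandbox; run it under a profile to check whether that profile actually needs `seccomp !personality`. The file name `personality-probe.c` and the profile name on the command line are assumptions.

```c
/* Added example, not part of the firejail project or this issue.
 * Build:  cc -o personality-probe personality-probe.c
 * Run under a profile, e.g.:  firejail --profile=geary ./personality-probe
 * Firejail's default seccomp filter answers blocked syscalls with EPERM,
 * which is the "Operation not permitted" seen from pulseaudio in the log. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/personality.h>

/* Result codes for the probe. */
enum probe_result {
    PROBE_ALLOWED = 0,   /* the call succeeded */
    PROBE_BLOCKED = 1,   /* EPERM: a seccomp filter denied the call */
    PROBE_OTHER   = -1   /* any other failure (ENOSYS, EINVAL, ...) */
};

/* Pure classification, so the decision can be tested without a sandbox.
 * ret is the return value of personality(), err the errno it left behind. */
int classify_personality(int ret, int err) {
    if (ret != -1)
        return PROBE_ALLOWED;
    return (err == EPERM) ? PROBE_BLOCKED : PROBE_OTHER;
}

/* 0xffffffff asks the kernel for the current persona without changing it.
 * A seccomp filter that blocks the syscall rejects it regardless of the
 * argument, so a query is enough to detect the block. */
int personality_blocked(void) {
    errno = 0;
    int ret = personality(0xffffffff);
    return classify_personality(ret, errno);
}

int main(void) {
    int r = personality_blocked();
    if (r == PROBE_BLOCKED)
        printf("personality() blocked (EPERM): profile needs 'seccomp !personality'\n");
    else if (r == PROBE_ALLOWED)
        printf("personality() allowed: no seccomp exception needed\n");
    else
        printf("personality() failed for another reason: %s\n", strerror(errno));
    return r == PROBE_OTHER ? 2 : 0;
}
```

Run it once unconfined and once under the profile; if only the confined run reports EPERM, the profile's seccomp filter is the cause.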


@ghost commented on GitHub (Mar 1, 2022):

@spantaleev The PR is in. Added some minor changes, but sound notifications (Preferences > Plugins) are working, without `seccomp !personality`. Just an FYI.


@spantaleev commented on GitHub (Mar 1, 2022):

Great work, @glitsj16! I can confirm that everything (including sound) works with the new profile from #4992 without any custom changes (like `seccomp !personality`, etc.).


@mizzunet commented on GitHub (May 5, 2022):

Yes, geary works fine.

Well, I have this output though:

```
EGLDisplay Initialization failed: EGL_NOT_INITIALIZED
libEGL warning: MESA-LOADER: failed to open swrast: libLLVM-13.so: cannot open shared object file: No such file or directory (search paths /usr/lib/dri, suffix _dri)
EGLDisplay Initialization failed: EGL_NOT_INITIALIZED
```