[GH-ISSUE #5938] 0ad: error while loading shared libraries: libmozjs-78.so.0 (OpenSUSE Tumbleweed) #3138

Closed
opened 2026-05-05 09:46:21 -06:00 by gitea-mirror · 13 comments

Originally created by @leukimi on GitHub (Aug 2, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5938

Solution

Working 0ad.profile for OpenSUSE Tumbleweed: https://github.com/netblue30/firejail/issues/5938#issuecomment-1666480349

Description

Output when running firejail 0ad on OpenSUSE Tumbleweed.

/usr/local/bin/pyrogenesis: error while loading shared libraries: libmozjs-78.so.0: cannot open shared object file: Permission denied

Steps to Reproduce

Steps to reproduce the behavior

  1. Install 0ad from software.opensuse.org (link to 0ad package: https://software.opensuse.org/package/0ad)
  2. Run in bash LC_ALL=C firejail 0ad

Behavior without a profile

Program window opens as expected.

Environment

  • Linux distribution and version:
    cat /etc/os-release
    NAME="openSUSE Tumbleweed"
    VERSION="20230801"
  • Firejail version:
    firejail version 0.9.72

Checklist

  • The issue is most probably caused by the firejail profile for 0ad.
  • I can reproduce the issue without custom modifications.
  • The program has a profile.
  • I have performed a short search for similar issues (to avoid opening a duplicate).

Log

Output of LC_ALL=C firejail 0ad

Reading profile /etc/firejail/0ad.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 1, child pid 2
5 programs installed in 1 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: NVIDIA card detected, nogroups command ignored
Warning: not remounting /run/user/1000/gvfs
Warning: not remounting /run/user/1000/doc
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: NVIDIA card detected, nogroups command ignored
Warning: cleaning all supplementary groups
Child process initialized in 1 ms
/usr/local/bin/pyrogenesis: error while loading shared libraries: libmozjs-78.so.0: cannot open shared object file: Permission denied

gitea-mirror closed this issue and added the bug label (2026-05-05 09:46:21 -06:00)

@ghost commented on GitHub (Aug 2, 2023):

Hi, I cannot reproduce on Arch Linux. 0ad starts fine when sandboxed here. Its profile includes disable-interpreters.inc, which blacklists libmozjs-*:

https://github.com/netblue30/firejail/blob/95184d8c2ed5e41c6f44ecc442bf02f7b2371ae1/etc/inc/disable-interpreters.inc#L22-L24

That doesn't stop 0ad on my box, but perhaps openSUSE puts files in different places. Can you try adding include allow-gjs.inc (which undoes the libmozjs-* blacklisting)?

https://github.com/netblue30/firejail/blob/95184d8c2ed5e41c6f44ecc442bf02f7b2371ae1/etc/inc/allow-gjs.inc#L1-L12


@leukimi commented on GitHub (Aug 3, 2023):

I tested the suggestion and it does not change the outcome on OpenSUSE Tumbleweed. Still the same error reported. Maybe a virtual machine with OpenSUSE Tumbleweed could provide a test environment.


@ghost commented on GitHub (Aug 3, 2023):

I'll see what I can do with OpenSUSE Tumbleweed. What I noticed before but didn't ask is the path mentioned in the error message:

/usr/local/bin/pyrogenesis: error while loading shared libraries: libmozjs-78.so.0: cannot open shared object file: Permission denied

Is it normal for OpenSUSE (Tumbleweed or otherwise) to place the 0ad executables in /usr/local/bin? I'd expected those to reside under /usr/bin. When users (or packagers) enable firecfg there will be symlinks under /usr/local/bin with the same name. That can be a bit confusing and is why we ask in the issue template to use full paths (to avoid attempting to run the sandbox twice). Does LC_ALL=C firejail /usr/bin/0ad produce the same error?


@leukimi commented on GitHub (Aug 4, 2023):

The SPEC file (https://build.opensuse.org/package/view_file/openSUSE:Factory/0ad/0ad.spec?expand=1) puts executables in /usr/bin as you say. In fact /usr/local/bin/pyrogenesis does not even exist on the system, even though the error log says so.

~> find / -name pyrogenesis 2>/dev/null
/usr/bin/pyrogenesis

~> which 0ad
/usr/bin/0ad

LC_ALL=C firejail /usr/bin/0ad produces the exact same error.

Investigating a bit into this I found out that there are two different libmozjs:

~> find / -name libmozjs-* 2>/dev/null
/usr/lib64/libmozjs-102.so.0
/usr/lib64/libmozjs-102.so.0.0.0
/usr/lib64/libmozjs-78.so.0
/usr/lib64/libmozjs-78.so.0.0.0

~> rpm -qf /usr/lib64/libmozjs-102.so.0
libmozjs-102-0-102.12.0-1.1.x86_64

~> rpm -qf /usr/lib64/libmozjs-78.so.0
libmozjs-78-0-78.15.0-2.5.x86_64

~> sudo zypper se --requires libmozjs-78
S  | Name          | Summary                                      | Type
---+---------------+----------------------------------------------+--------
i+ | 0ad           | A real-time strategy game of ancient warfare | package
   | libcjs0       | Shared Libraries for Cinnamon JS module      | package
   | mozjs78-devel | Development files and tools for mozjs78      | package

~> sudo zypper rm --clean-deps  libmozjs-78-0 
The following 11 packages are going to be REMOVED:
  0ad 0ad-data gnu-free-fonts libenet7 libgloox18 libmozjs-78-0
  libwx_baseu-suse-nostl3_0_5 libwx_baseu_xml-suse-nostl3_0_5
  libwx_gtk2u_core-suse-nostl3_0_5 libwx_gtk2u_gl-suse-nostl3_0_5
  nvidia-texture-tools

~> sudo zypper rm --clean-deps  libmozjs-102-0 
The following 31 packages are going to be REMOVED:
  gdm gdm-branding-openSUSE gjs gnome-extensions gnome-maps gnome-session
  gnome-session-default-session gnome-session-wayland gnome-shell
  gnome-shell-calendar gnome-shell-classic gnome-shell-extension-desktop-icons
  gnome-shell-extensions-common gnome-shell-search-provider-bijiben
  gnome-shell-search-provider-contacts gnome-shell-search-provider-gnome-weather
  gnome-shell-search-provider-nautilus gnome-tweaks gnome-weather libgjs0
  libmozjs-102-0 patterns-gnome-gnome patterns-gnome-gnome_basic
  patterns-gnome-gnome_basis patterns-gnome-gnome_imaging
  patterns-gnome-gnome_office patterns-gnome-gnome_utilities
  patterns-gnome-gnome_x11 polari sushi typelib-1_0-GjsPrivate-1_0

The following 7 patterns are going to be REMOVED:
  gnome gnome_basic gnome_basis gnome_imaging gnome_office gnome_utilities
  gnome_x11

@ghost commented on GitHub (Aug 5, 2023):

My hardware simply is not fit for VMs, but I did manage to boot a Live Tumbleweed ISO from grub2. I had to add a large enough persistent overlay to cover the size of 0ad-data. Anyway, regarding the issue, I only had to noblacklist the libmozjs-* files, similarly to what allow-gjs.inc does, to get 0ad going:

$ cat ~/.config/firejail/0ad.local
# Firejail profile for 0ad
# Persistent local customizations

# Allow mozjs (blacklisted by disable-interpreters.inc)
noblacklist /usr/lib/libmozjs-*
noblacklist /usr/lib64/libmozjs-*

But as you stated earlier that include allow-gjs.inc didn't work for you, there must be something else involved that I cannot see (yet). So back to a few basic questions. Are other applications running with firejail as expected? Have you run sudo firecfg? Is your user in the firejail group as OpenSUSE wisely expects?

> ~> find / -name pyrogenesis 2>/dev/null
> /usr/bin/pyrogenesis

Perhaps check for symlinks as well via find's -L flag.

> ~> which 0ad
> /usr/bin/0ad

Using which -a foo might be better for debugging.


@leukimi commented on GitHub (Aug 5, 2023):

Working 0ad profile on OpenSUSE Tumbleweed


# Firejail profile for 0ad
# Description: Real-time strategy game of ancient warfare
# This file is overwritten after every install/update
# Persistent local customizations
include 0ad.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/.cache/0ad
noblacklist ${HOME}/.config/0ad
noblacklist ${HOME}/.local/share/0ad

blacklist /usr/libexec

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
#
#
#
# Fix for OpenSUSE Tumbleweed
# =========================
#
# Allow mozjs (blacklisted by disable-interpreters.inc)
# This code  has to be placed before:
# include disable-interpreters.inc
#
include allow-gjs.inc
#
# which does:
# noblacklist /usr/lib/libmozjs-*
# noblacklist /usr/lib64/libmozjs-*
#
# =========================
# End fix for OpenSUSE Tumbleweed
#
#
#
include disable-interpreters.inc
include disable-programs.inc
include disable-xdg.inc

mkdir ${HOME}/.cache/0ad
mkdir ${HOME}/.config/0ad
mkdir ${HOME}/.local/share/0ad
whitelist ${HOME}/.cache/0ad
whitelist ${HOME}/.config/0ad
whitelist ${HOME}/.local/share/0ad
whitelist /usr/share/0ad
whitelist /usr/share/games
include whitelist-common.inc
include whitelist-usr-share-common.inc
include whitelist-var-common.inc

caps.drop all
netfilter
nodvd
nogroups
noinput
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6
seccomp
seccomp.block-secondary
tracelog

disable-mnt
private-bin 0ad,pyrogenesis,sh,which
private-cache
private-dev
private-tmp

dbus-user none
dbus-system none

restrict-namespaces

Answers to questions and steps of resolution

a) sudo firecfg did not change a thing; it still causes the same error message. The user who runs 0ad is listed in the file /etc/firejail/firejail.users

b) find / -L -name pyrogenesis 2>/dev/null gives no result. The /usr/local/bin/pyrogenesis from the error message in the first post cannot be detected. Maybe /usr/local/bin/pyrogenesis exists for a short while and could be detected with some kind of file monitor looking into the directory.

~> which -a 0ad
/usr/local/bin/0ad
/usr/bin/0ad
/bin/0ad

c) I can't remember if or when I ran sudo firecfg earlier in 2023, but I sure did now, before finally editing the 0ad.profile and adding the lines (I also tried placing the lines in various places in the profile, with successful launch of 0ad as the result):

# Allow mozjs (blacklisted by disable-interpreters.inc)
noblacklist /usr/lib/libmozjs-*
noblacklist /usr/lib64/libmozjs-*

The full working profile is attached at top of this message for reference.

For further testing, adding include allow-gjs.inc at the exact correct spot in the profile might resolve everything. I tried to put it in various places, but did not get 0ad to launch by adding include allow-gjs.inc. I verified that the file was read, but it did not prevent the process from exiting.

It appears to me that the order of code in the profile may matter. It would help if firejail could somehow display the full profile, with all alterations, that is in effect. If one include file blacklists a file and another include file noblacklists the same file, the user would like to know whether the file is being blacklisted by firejail or not. As it appears to me, the first include file that does something, whatever that may be, has the higher vote, and all other include files that alter this behavior will not have any effect. I arrive at this conclusion from the first line, which gives a local adaptation ~/.config/firejail/0ad.local preference. I am not sure if my assumption is correct, but it looks like the order of lines in the different files plays a significant role. In a bash script, for example, the last definition of a variable is the one that has the final say, whereas in firejail it seems to be the first definition that has the final say.

I still have the pending question of why a firejail 0ad.profile needs to be adapted to the Linux distribution. If there is no error on Arch Linux or Manjaro, why is this an issue in OpenSUSE Tumbleweed? Same software, same files, different result. Whether it has to do with the way packages are built, via AUR (builds locally on the machine) or via the OBS Build Service (builds on a clone in the cloud somewhere), I don't know why this happens in the first place. One idea could be that 0ad on Arch Linux does not need to use the libmozjs-* library for some reason, while 0ad on OpenSUSE Tumbleweed relies on the libmozjs-* library.

For future reference it would be good to describe in sufficient detail how exactly you started the OpenSUSE Tumbleweed live CD, and with how big a persistent overlay for the 0ad data, so that your insight does not have to be reinvented the next time there is a troubleshooting need with OpenSUSE Tumbleweed. I could not find a guide for it (yet).


@rusty-snake commented on GitHub (Aug 5, 2023):

b) If something can write to a system directory you have other problems. I expect it to be a bad way to query the binary path. Something like $(dirname /usr/local/bin/0ad)/pyrogenesis.
c) Firejail profiles are imperative, not declarative. You are right that 1. order matters and 2. the first occurrence of (no)blacklist wins. However, this is not always the case: for read-only/read-write the last occurrence wins, and for protocol it accumulates unless you specify the +-= operators. Also note that some options influence each other.


@ghost commented on GitHub (Aug 6, 2023):

> Maybe /usr/local/bin/pyrogenesis exists a short while and could be detected with some kind of filemonitor looking into the directory.

Sure, inotifywatch for example could be used for that. The sole reference to pyrogenesis in the Firejail universe is in the 0ad.profile's private-bin. There is a setting in firejail.config for hiding /usr/local/bin items from private-bin. But that's disabled by default so I guess you'd know if you touched and changed that.

https://github.com/netblue30/firejail/blob/5e0f35b0cb62b434d2efe19996c194f70ab8b37b/etc/firejail.config#L89-L90

> ~> which -a 0ad
> /usr/local/bin/0ad
> /usr/bin/0ad
> /bin/0ad

Nothing exceptional here. All due to firecfg symlinking and the FHS (https://wl.vern.cc/wiki/Filesystem_Hierarchy_Standard).

> ... also tried to place the lines in various places in the profile with successful launch of 0ad as result
> the order of code in the profile may matter

Cfr. @rusty-snake above. Because disable-interpreters.inc blacklists libmozjs-* there's only one place for it, namely before the line that includes that file :)

> It would help if firejail somehow could display the full profile, with all alterations that is in effective use.

One could use the --debug option for that. I can see how having such a basic 'this-is-it' overview of the active sandbox would be a nice feature.

> Same software, same files, different result.

List 0ad's needed libraries:
$ readelf -d /usr/bin/0ad | grep NEEDED | cut -f2 -d[ | cut -f1 -d] | sort

> For future reference it would be good to in sufficient detail describe how exactly did you start OpenSUSE Tumbleweed live CD with how big persistent overlay for 0ad data so that your insight does not have to be reinvented next time there is a troubleshooting need with OpenSUSE Tumbleweed. I could not find a guide for it (yet).

I'll put some notes together and post a link here.

Now you've got a fix, can you open a PR for this?

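The two points made above, @rusty-snake's rule that the first matching blacklist/noblacklist line wins and @ghost's tip to list a binary's NEEDED libraries with readelf, can be checked against each other with a small script. The following Python is an added example written for this page; it is not firejail code and not something posted in the thread. It models only the blacklist/noblacklist ordering rule (firejail's other options such as private-bin, whitelist and read-only are not modelled), uses constructed, trimmed stand-ins for disable-interpreters.inc and allow-gjs.inc (the real disable-interpreters.inc blacklists much more than mozjs), and feeds in a constructed readelf sample and library paths rather than output from a real system.

```python
import fnmatch
import re

# Constructed stand-ins for the two include files the thread discusses.
# Only the mozjs lines relevant to the 0ad failure are modelled (assumption).
INCLUDES = {
    "disable-interpreters.inc": [
        "blacklist /usr/lib/libmozjs-*",
        "blacklist /usr/lib64/libmozjs-*",
    ],
    "allow-gjs.inc": [
        "noblacklist /usr/lib/libmozjs-*",
        "noblacklist /usr/lib64/libmozjs-*",
    ],
}


def expand(lines, includes=INCLUDES):
    """Flatten `include` directives depth-first, preserving source order.

    Unknown include names expand to nothing in this model (assumption;
    real firejail would complain about a missing file)."""
    flat = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("include "):
            name = line.split(None, 1)[1]
            flat.extend(expand(includes.get(name, []), includes))
        else:
            flat.append(line)
    return flat


def is_blacklisted(path, profile_lines, includes=INCLUDES):
    """First blacklist/noblacklist whose pattern matches the path wins;
    later lines do not override it (the rule @rusty-snake states)."""
    for line in expand(profile_lines, includes):
        parts = line.split(None, 1)
        if (len(parts) == 2 and parts[0] in ("blacklist", "noblacklist")
                and fnmatch.fnmatch(path, parts[1])):
            return parts[0] == "blacklist"
    return False


NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")


def needed_from_readelf(output):
    """Extract DT_NEEDED sonames from `readelf -d` output."""
    return NEEDED_RE.findall(output)


def blocked_libraries(readelf_output, installed_paths, profile_lines):
    """Return installed paths of NEEDED libraries that the profile hides.
    A hidden library is what the dynamic loader reports as 'Permission denied'."""
    blocked = []
    for soname in needed_from_readelf(readelf_output):
        for path in installed_paths:
            if path.endswith("/" + soname) and is_blacklisted(path, profile_lines):
                blocked.append(path)
    return blocked


# Constructed sample: a trimmed `readelf -d` listing and the library locations
# in the style of the reporter's `find` output. Not real output from the thread.
READELF_SAMPLE = """
 0x0000000000000001 (NEEDED)             Shared library: [libmozjs-78.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libenet.so.7]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
"""
INSTALLED = ["/usr/lib64/libmozjs-78.so.0", "/usr/lib64/libmozjs-102.so.0",
             "/usr/lib64/libenet.so.7", "/usr/lib64/libc.so.6"]

# Order the reporter tried first: the blacklist is read first and wins.
PROFILE_BROKEN = ["include disable-interpreters.inc", "include allow-gjs.inc"]
# Order from the accepted fix: the noblacklist is read first and wins.
PROFILE_FIXED = ["include allow-gjs.inc", "include disable-interpreters.inc"]

if __name__ == "__main__":
    for name, profile in (("broken", PROFILE_BROKEN), ("fixed", PROFILE_FIXED)):
        print(name, "->", blocked_libraries(READELF_SAMPLE, INSTALLED, profile))
```

The same first-match rule is why @ghost's ~/.config/firejail/0ad.local works without touching the shipped profile: 0ad.profile includes 0ad.local on its first line, so its noblacklist lines are read before disable-interpreters.inc. To run the check on a real system, replace READELF_SAMPLE with the output of readelf -d on the binary that actually loads the library and INSTALLED with the paths found by find.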

@leukimi commented on GitHub (Aug 6, 2023):

I also now successfully tested to use line:

include allow-gjs.inc

before line:

include disable-interpreters.inc

as I may have put it after the said line before, not knowing that the first include file with noblacklist wins over the latter.

I have updated the working 0ad.profile above (https://github.com/netblue30/firejail/issues/5938#issuecomment-1666480349) accordingly.

Need help to file a correct PR

I looked at the templates for issue reporting and could not deduce how a PR is initiated and how exactly to point out that this issue may only occur on OpenSUSE Tumbleweed. I honestly don't know how a PR is made nor what it stands for. My humble guess is it may be an acronym for "Profile Request". I can't find the way to do it, so I humbly ask for help with further steps and approve someone who knows puts a PR in the correct way on my behalf.

Hopefully this issue leads to the 0ad package/software code being updated so that the same profile that ships for Archlinux also works in OpenSUSE Tumbleweed without modifications.

I also close the issue and add the solution to the top message in case someone looks for a solution.


@rusty-snake commented on GitHub (Aug 6, 2023):

PR = Pull Request

GitHub Docs: https://docs.github.com/en/pull-requests


@rusty-snake commented on GitHub (Aug 6, 2023):

You can start with navigating to the (pro)file on github, click the edit button and follow the suggested steps.


@leukimi commented on GitHub (Aug 6, 2023):

I have created a fork and pasted the working code as a suggestion to a pull request (https://github.com/netblue30/firejail/pull/5944) for commit (https://github.com/netblue30/firejail/commit/630606d8180bb920deb1bd7e90ce151846356525) along with a short description on why to the merger and a link to this thread for further information if it is needed. Thank you both for all your help in figuring out how to fix this 0ad.profile issue on OpenSUSE Tumbleweed. It's been a learning experience.


@ghost commented on GitHub (Aug 8, 2023):

@leukimi Here are my notes on how to create a Tumbleweed ISO with persistence: https://gist.github.com/glitsj16/9b1ee962aae82ad5323823e406a8c212

Reference: github-starred/firejail#3138