The Evince Document Viewer application does not start, because the private-lib option in evince.profile prevents reading the file /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache.
See evince_log.txt for details.
OS: Arch Linux 4.14.9-1-ARCH
Firejail version: 0.9.52
Evince version: 3.26.0
I cannot reproduce it on Arch running LXDE. Do you have /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache in your filesystem? They say in the log to create it by running
gdk-pixbuf-query-loaders > /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache
Yes, the file is present in the filesystem. But the private-lib switch makes it invisible for Evince.
I'll try again to reproduce it, so far no luck. What window/desktop manager are you using?
I'm using Gnome Shell (3.26.2) desktop environment. Window manager is Mutter.
I have removed private-lib from the profile until we figure out what's going on. Thanks for the bug.
Re-enabling private-lib temporarily in evince profile.
We found some problem with 32bit libraries being copied by private-lib instead of the regular 64bit libraries. @elvetemedve, can you give it a try please - we will take it out if it doesn't work. Thanks!
I'm getting this error now when trying to open a file with evince on Fedora 27 amd64:
firejail evince
Reading profile /etc/firejail/evince.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 10632, child pid 10633
Private /etc installed in 5.42 ms
Standard C library installed in 83.23 ms
Program libraries installed in 236.50 ms
GdkPixbuf installed in 79.83 ms
GTK3 installed in 145.03 ms
Pango installed in 0.01 ms
GIO installed in 38.40 ms
Installed 131 libraries and 5 directories
Blacklist violations are logged to syslog
Child process initialized in 640.61 ms
dbus[152]: Could not get password database information for UID of current process: User "???" unknown or no memory to allocate password entry
dbus[152]: Could not get password database information for UID of current process: User "???" unknown or no memory to allocate password entry
(evince:152): EvinceDocument-WARNING **: libpoppler-glib.so.8: cannot open shared object file: No such file or directory
(evince:152): EvinceDocument-WARNING **: libpoppler-glib.so.8: cannot open shared object file: No such file or directory
Evince does start, but it won't open pdfs.
Scratch that, it was a problem with the profile not private-lib. I just needed to add libpoppler-glib.so.8 to private-lib. :smile: @elvetemedve Please try https://github.com/netblue30/firejail/blob/25b9c72c8b557637177b2808ffcf34389b58aea1/etc/evince.profile if plain old firejail --private-lib evince doesn't work.
I'm not all that familiar with libraries - is it safe to assume that all distros will have a library file precisely named libpoppler-glib.so.8? If not then we might need to add wildcard expansion to private-lib so we could do something more like private-lib libpoppler-glib.so.*
@netblue30 @Fred-Barclay Which version of Firejail do you expect me to run? I have the latest version 0.9.52.
I copied the referenced config to ~/.config/firejail/evince.profile and ran firejail /usr/bin/evince. Unfortunately I still see the same error messages (firejail-evince.log).
Regarding naming of libraries, I think only the location is different from one Linux distribution to the other. There is a naming convention which says there should be a filename without version pointing to the actual version provided by the OS level package.
In this case libpoppler-glib.so looks like:
file /usr/lib/libpoppler-glib.so
_/usr/lib/libpoppler-glib.so: symbolic link to libpoppler-glib.so.8_
file /usr/lib/libpoppler-glib.so.8
_/usr/lib/libpoppler-glib.so.8: symbolic link to libpoppler-glib.so.8.9.0_
file /usr/lib/libpoppler-glib.so.8.9.0
_/usr/lib/libpoppler-glib.so.8.9.0: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=4d3c61c7b210d4a7b0d15e9efbe29eceaaed0f3e, stripped_
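The symlink chain shown in the comment above, as an added example that is not part of the thread and is not Firejail code: a shell helper that follows a library name to the real file, and lists what a wildcard entry such as `libpoppler-glib.so*` would match. The function names are hypothetical, and the temporary directory with an empty stand-in file is a constructed fixture.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not Firejail code.

# resolve_chain PATH: print every hop from PATH to the real file, one per line.
# Returns 1 on a dangling link or a chain longer than 16 hops (loop guard).
resolve_chain() {
    path=$1
    hops=0
    while [ -L "$path" ]; do
        printf '%s\n' "$path"
        target=$(readlink "$path")
        case $target in
            /*) path=$target ;;                      # absolute target
            *)  path=$(dirname "$path")/$target ;;   # relative to the link's directory
        esac
        hops=$((hops + 1))
        [ "$hops" -le 16 ] || return 1
    done
    [ -e "$path" ] || return 1
    printf '%s\n' "$path"
}

# expand_pattern DIR GLOB: every file a wildcard entry such as
# 'libpoppler-glib.so*' would pull in, links and final targets, de-duplicated.
expand_pattern() {
    dir=$1
    pattern=$2
    for f in "$dir"/$pattern; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob stays literal
        resolve_chain "$f" || printf 'DANGLING %s\n' "$f"
    done | sort -u
}

# make_fixture: constructed directory mirroring the chain in the comment above.
make_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/libpoppler-glib.so.8.9.0"     # empty stand-in for the ELF file
    ln -s libpoppler-glib.so.8.9.0 "$d/libpoppler-glib.so.8"
    ln -s libpoppler-glib.so.8 "$d/libpoppler-glib.so"
    printf '%s\n' "$d"
}

fixture=$(make_fixture)
expand_pattern "$fixture" 'libpoppler-glib.so*'
rm -rf "$fixture"
```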
Can you get the version in git running?
libpoppler-glib.so.8 is in all distros, at least from Ubuntu 14.04 up to the latest Debian sid and arch. It shouldn't be a problem. Thanks for your help.
@netblue30 I'm sorry to tell you that it still complains about missing /usr/lib/gdk-pixbuf-2.0/2.10.0/loaders.cache file (I'm using the latest code from master branch, currently 0.9.53). I turned on debugging which shows libpoppler-glib.so.8 being copied to the private lib directory (firejail-evince-with-debugging.log).
Let me know if you need more info!
Thanks @elvetemedve, let's remove private-lib for the next release, we are still missing something there.
@startx2017: can you bring in support for "private-lib libpoppler-glib.so*", something similar with private-bin and all the others?
> can you bring in support for "private-lib libpoppler-glib.so*", something similar with private-bin and all the others?
Sure, it will be easy.
@elvetemedve Can you test from git again? We've got some more files added to private-lib in evince.
Thanks!
Fred
Hi @Fred-Barclay,
I can confirm that it works well now (using the latest commit from master branch).
Thank you for the fix. :)
Awesome!
Credits to @glitsj16