netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox

Home Page: https://firejail.wordpress.com

keepassxc fails to launch on Gentoo (private-etc)

elde-n opened this issue · comments

Description

Keepassxc fails to launch with firejail

Steps to Reproduce

  1. Run in bash LC_ALL=C firejail keepassxc

Expected behavior

Keepassxc to launch with a graphical window

Actual behavior

It didn't launch a graphical window

Behavior without a profile

The application started as expected.

Environment

  • Gentoo 2.15 x86_64 (default/linux/amd64/23.0/split-usr/musl/hardened)
  • firejail version 0.9.72

Checklist

  • The issue is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
  • I can reproduce the issue without custom modifications (e.g. globals.local).
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • I have performed a short search for similar issues (to avoid opening a duplicate).
    • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

Output of LC_ALL=C firejail /usr/bin/keepassxc

https://github.com/netblue30/firejail/files/14961690/log.txt

Output of LC_ALL=C firejail --debug /usr/bin/keepassxc

Seccomp list in: !name_to_handle_at, check list: @default-keep, prelist: unknown,
[...]
Child process initialized in 386.34 ms
Error loading shared library libstdc++.so.6: No such file or directory (needed by /usr/bin/keepassxc)
Error loading shared library libgcc_s.so.1: No such file or directory (needed by /usr/bin/keepassxc)
Error loading shared library libstdc++.so.6: No such file or directory (needed by /usr/lib/libQt5Svg.so.5)
Error loading shared library libstdc++.so.6: No such file or directory (needed by /usr/lib/libQt5Concurrent.so.5)
Error loading shared library libgcc_s.so.1: No such file or directory (needed by /usr/lib/libQt5Concurrent.so.5)
Error loading shared library libstdc++.so.6: No such file or directory (needed by /usr/lib/libbotan-3.so.2)
Error loading shared library libgcc_s.so.1: No such file or directory (needed by /usr/lib/libbotan-3.so.2)
[...]

That's strange, do you use private-lib?

Where are those libraries (libgcc_s.so.1, etc) located?

Is there anything modified in firejail.config?

What is the keepassxc version?

Does it work with firejail-git?

That's strange, do you use private-lib?

Not sure what private-lib is I assume no

Where are those libraries (libgcc_s.so.1, etc) located?

libstdc++.so.6 => /usr/lib/gcc/x86_64-pc-linux-musl/13/libstdc++.so.6
libgcc_s.so.1 => /usr/lib/gcc/x86_64-pc-linux-musl/13/libgcc_s.so.1

Is there anything modified in firejail.config?

No
firejail.config

What is the keepassxc version?

KeePassXC 2.7.7

Does it work with firejail-git?

No

Does it work with firejail --noprofile /usr/bin/keepassxc or with
firejail --profile=noprofile /usr/bin/keepassxc?

Where are those libraries (libgcc_s.so.1, etc) located?

libstdc++.so.6 => /usr/lib/gcc/x86_64-pc-linux-musl/13/libstdc++.so.6
libgcc_s.so.1 => /usr/lib/gcc/x86_64-pc-linux-musl/13/libgcc_s.so.1

Can you access these paths with a shell using keepassxc.profile?

Example:

firejail --ignore='include disable-shell.inc' --ignore='private-bin' --tab \
  --profile=keepassxc /bin/bash

I'd try to comment lines in keepassxc.profile until it works to find which ones
are causing issues.

Does it work with firejail --noprofile /usr/bin/keepassxc or with firejail --profile=noprofile /usr/bin/keepassxc?

Yes

Can you access these paths with a shell using keepassxc.profile?

Yes

I'd try to comment lines in keepassxc.profile until it works to find which ones are causing issues.

Commenting out the line private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id fixes the issue, thank you

Can you access these paths with a shell using keepassxc.profile?

Yes

I'd try to comment lines in keepassxc.profile until it works to find which
ones are causing issues.

Commenting out the line private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id
fixes the issue, thank you

No problem.

It would be good to try to find which paths are needed in private-etc.

Do you know how those libraries are configured in /etc?

What is the output of the following commands?

firejail --private --trace=trace.txt /usr/bin/keepassxc
# (manually close keepassxc)
cut -f 2 -d ' ' trace.txt | grep /etc/ | LC_ALL=C sort | uniq -c
sudo grep -R libgcc_s libstdc++ /etc 2>/dev/null | LC_ALL=C sort

Probably missing ld.so.conf,ld.so.conf.d in private-etc. The new group refactoring in git 0.9.73 added those to the @default group:

// @default
static char *etc_list[ETC_MAX + 1] = { // plus 1 for ending NULL pointer
	"alternatives",
	"fonts",
	"gcrypt", // GNU crypto library - it contains configuration for specialized encryption
	          // and random number generators hardware.
	          // The directory is not installed in Debian. On Fedora it is an empty directory.
	          // The defaults in glibc cover the regular PC.
	"group",
	"ld.so.cache",
	"ld.so.conf",
	"ld.so.conf.d",
	"ld.so.preload",
	"locale",
	"locale.alias",
	"locale.conf",
	"localtime",
	"login.defs", // firejail reading UID/GID MIN and MAX at startup
	"nsswitch.conf",
	"passwd",
	"selinux",
	NULL
};
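The trace-then-diff procedure above (run the program under --trace, pull the /etc paths out of trace.txt, compare with the profile's private-etc list) can be automated. The script below is an added example written for this thread, not firejail code: it parses trace lines in the "pid:name:syscall path:retval" layout that the `cut -f 2 -d ' '` pipeline assumes, reduces every /etc path to its first component (private-etc whitelists whole entries, so that is the granularity that matters), and reports which entries the quoted keepassxc.profile line does not cover. The trace lines are constructed sample input, including a failed lookup of /etc/ld-musl-x86_64.path, the file musl's dynamic loader reads for its library search path.

```python
"""Compare the /etc entries an application opened (firejail --trace output)
against a private-etc directive and list what the directive is missing.

Added example for this thread; not part of the firejail project.
Assumed trace line layout: "<pid>:<name>:<syscall> <path>:<retval>",
with retval < 0 meaning the call failed.
"""
import re
from typing import Iterable

# Constructed sample trace, as if produced by
# `firejail --private --trace=trace.txt /usr/bin/keepassxc`.
# With --private only, /etc is still the host's /etc, so a failed open
# (retval -1) means the file is absent on the host as well.
SAMPLE_TRACE = """\
7:keepassxc:open /etc/ld.so.cache:3
7:keepassxc:open /etc/ld.so.conf:3
7:keepassxc:open /etc/ld.so.conf.d/05gcc-x86_64-pc-linux-musl.conf:3
7:keepassxc:open /usr/lib/gcc/x86_64-pc-linux-musl/13/libstdc++.so.6:3
7:keepassxc:access /etc/fonts/fonts.conf:0
7:keepassxc:open /etc/machine-id:3
7:keepassxc:open /etc/ld-musl-x86_64.path:-1
7:keepassxc:open /etc/xdg/keepassxc/keepassxc.ini:-1
"""

# The private-etc line from keepassxc.profile quoted earlier in the thread.
PROFILE_PRIVATE_ETC = "private-etc alternatives,fonts,ld.so.cache,ld.so.preload,machine-id"

TRACE_RE = re.compile(r"^\d+:[^:]*:\S+ (?P<path>/[^:]*):(?P<ret>-?\d+)$")


def etc_entries(trace_lines: Iterable[str], include_failed: bool = False) -> dict:
    """Map each top-level /etc entry the program touched to an access count.

    Only the first path component below /etc is kept, because private-etc
    works on whole entries (a file or a directory with everything under it).
    Failed calls are skipped unless include_failed is set.
    """
    counts: dict = {}
    for line in trace_lines:
        m = TRACE_RE.match(line.strip())
        if not m:
            continue  # not a syscall line in the assumed layout
        path, ret = m.group("path"), int(m.group("ret"))
        if not path.startswith("/etc/"):
            continue
        if ret < 0 and not include_failed:
            continue
        entry = path[len("/etc/"):].split("/", 1)[0]
        counts[entry] = counts.get(entry, 0) + 1
    return counts


def parse_private_etc(directive: str) -> set:
    """Turn 'private-etc a,b,c' (or just 'a,b,c') into a set of entries."""
    directive = directive.strip()
    if directive.startswith("private-etc"):
        directive = directive[len("private-etc"):]
    return {e.strip() for e in directive.split(",") if e.strip()}


def missing_entries(trace_lines: Iterable[str], directive: str,
                    include_failed: bool = False) -> list:
    """Entries the program touched that the directive does not whitelist."""
    needed = etc_entries(trace_lines, include_failed)
    allowed = parse_private_etc(directive)
    return sorted(e for e in needed if e not in allowed)


def suggest_local(missing: Iterable[str]) -> str:
    """Render the missing entries as a line for ~/.config/firejail/NAME.local."""
    return "private-etc " + ",".join(sorted(missing))


if __name__ == "__main__":
    lines = SAMPLE_TRACE.splitlines()
    for entry, n in sorted(etc_entries(lines).items()):
        print(f"{n:4d} /etc/{entry}")
    missing = missing_entries(lines, PROFILE_PRIVATE_ETC)
    print("not covered by profile:", missing)
    print("suggested .local line :", suggest_local(missing))
```

On real data, read trace.txt instead of SAMPLE_TRACE. Only entries that were opened successfully are reported by default; anything else cannot be fixed from the profile side, although passing include_failed=True shows the names the program looked for and did not find, which is useful when the loader on the host is not glibc (musl reads /etc/ld-musl-<arch>.path rather than ld.so.conf).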

Do you know how those libraries are configured in /etc?

No

What is the output of the following commands?

firejail --private --trace=trace.txt /usr/bin/keepassxc
# (manually close keepassxc)
cut -f 2 -d ' ' trace.txt | grep /etc/ | LC_ALL=C sort | uniq -c

The trace.txt file is empty

sudo grep -R libgcc_s libstdc++ /etc 2>/dev/null | LC_ALL=C sort
/etc/firejail/display.local:private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,libMagickWand-*.so.*,libfreetype.so.*,libXext.so.*,libltdl.so.*,ImageMagick*
/etc/firejail/display.profile:private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libgomp.so.*,ImageMagick*,libfreetype.so.*,libltdl.so.*,libMagickWand-*.so.*,libXext.so.*
/etc/firejail/evince.profile:private-lib evince,gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,gconv,gdk-pixbuf-2.*,gio,gvfs/libgvfscommon.so,libarchive.so.*,libdjvulibre.so.*,libgconf-2.so.*,libgraphite2.so.*,libpoppler-glib.so.*,librsvg-2.so.*,libspectre.so.*
/etc/firejail/pdftotext.local:private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*
/etc/firejail/unf.profile:private-lib gcc/*/*/libgcc_s.so.*
/etc/firejail/zathura.profile:#private-lib gcc/*/*/libgcc_s.so.*,gcc/*/*/libstdc++.so.*,libarchive.so.*,libdjvulibre.so.*,libgirara-gtk*,libpoppler-glib.so.*,libspectre.so.*,zathura

Noticing that pdftotext also fails, and also a lot of 'gcc'-related stuff, I thought I should maybe mention that I use clang as my system compiler.

Noticing that pdftotext also fails ...

Same as #6310 (comment).

$ cat ~/.config/firejail/keepassxc.local
private-etc ld.so.conf,ld.so.conf.d

$ cat ~/.config/firejail/pdftotext.local
private-etc ld.so.conf,ld.so.conf.d

I have fixed my issue by ripping gcc out of my system and recompiling everything with the llvm toolchain, although I do seem to have a fonts issue, for example librewolf:
[screenshot]

@elde-n

... although I do seem to have a fonts issue for example librewolf

Here are all font-related files that I could track in our *.inc files. Perhaps we are missing something for Gentoo, or Gentoo uses different paths. You could check and compare with:

disable-programs.inc

  • blacklist ${HOME}/.cache/font-manager
  • blacklist ${HOME}/.config/font-manager

whitelist-common.inc

  • whitelist ${HOME}/.cache/fontconfig
  • whitelist ${HOME}/.config/fontconfig
  • whitelist ${HOME}/.fontconfig
  • whitelist ${HOME}/.fonts
  • whitelist ${HOME}/.fonts.conf
  • whitelist ${HOME}/.fonts.conf.d
  • whitelist ${HOME}/.fonts.d
  • whitelist ${HOME}/.local/share/fonts
  • whitelist ${HOME}/.pangorc

whitelist-usr-share-common.inc

  • whitelist /usr/share/fontconfig
  • whitelist /usr/share/fonts
  • whitelist /usr/share/fonts-config

whitelist-var-common.inc

  • whitelist /var/cache/fontconfig

HTH