firejail with missing libGL.so.1


Postby locke » 2019-09-06 19:44

Hi,

After many years I changed my desktop to Debian and installed Buster. Everything works fine. Only Firejail brings me errors when starting some programs (e.g. KeepassXC, gwenview, ...) due to the missing library libGL.so.1.

Code:
user@machine:~$ keepassxc
Reading profile /etc/firejail/keepassxc.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 32242, child pid 32243
Private /etc installed in 6.29 ms
1 program installed in 5.94 ms
Child process initialized in 102.60 ms
/usr/bin/keepassxc: error while loading shared libraries: libGL.so.1: cannot open shared object file: No such file or directory

Parent is shutting down, bye...


The firejail config files (e.g. /etc/firejail/keepass.profile) are unchanged and I have no *.local configs in place:
Code:
# Firejail profile for keepassxc
# Description: Cross Platform Password Manager
# This file is overwritten after every install/update
# Persistent local customizations
include keepassxc.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/*.kdb
noblacklist ${HOME}/*.kdbx
noblacklist ${HOME}/.config/keepassxc
noblacklist ${HOME}/.keepassxc

# 2.2.4 needs this path when compiled with "Native messaging browser extension"
noblacklist ${HOME}/.mozilla
noblacklist ${DOCUMENTS}

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

include whitelist-var-common.inc

caps.drop all
machine-id
net none
no3d
nodvd
nodbus
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
shell none

private-bin keepassxc
private-dev
private-etc fonts,ld.so.cache,machine-id
private-tmp

# 2.2.4 crashes on database open
#memory-deny-write-execute
noexec ${HOME}
noexec /tmp

# Mutex is stored in /tmp by default, which is broken by private-tmp
join-or-start keepassxc


If I run the programs not "firejailed" I get no problems. Does anyone know how I can fix this?
locke
 
Posts: 2
Joined: 2019-09-06 19:26

Re: firejail with missing libGL.so.1

Postby 4D696B65 » 2019-09-06 19:57

https://packages.debian.org/buster/libgl1
File list of package libgl1 in buster of architecture amd64

/usr/lib/x86_64-linux-gnu/libGL.so.1
/usr/lib/x86_64-linux-gnu/libGL.so.1.7.0
/usr/share/bug/libgl1/control
/usr/share/doc/libgl1/changelog.Debian.gz
/usr/share/doc/libgl1/copyright

4D696B65
 
Posts: 2438
Joined: 2009-06-28 06:09

Re: firejail with missing libGL.so.1

Postby locke » 2019-09-06 20:49

Thanks, that gave me the missing clue.

Code:
user@maschine:~$ whereis libGL.so.1
libGL.so: /usr/lib/x86_64-linux-gnu/libGL.so.1

user@maschine:~$ ls -l /usr/lib/x86_64-linux-gnu/libGL.so.1
lrwxrwxrwx 1 root root 50 Aug 26 11:36 /usr/lib/x86_64-linux-gnu/libGL.so.1 -> /etc/alternatives/glx--libGL.so.1-x86_64-linux-gnu
 


So I have to allow programs to access /etc/alternatives. (source: https://askubuntu.com/questions/865991/ ... rivate-etc)
The /etc/firejail/keepassxc.profile needs to be (changes in the line "private-etc fonts,ld.so.cache,machine-id,alternatives")

Code:
# Firejail profile for keepassxc
# Description: Cross Platform Password Manager
# This file is overwritten after every install/update
# Persistent local customizations
include keepassxc.local
# Persistent global definitions
include globals.local

noblacklist ${HOME}/*.kdb
noblacklist ${HOME}/*.kdbx
noblacklist ${HOME}/.config/keepassxc
noblacklist ${HOME}/.keepassxc
noblacklist /usr/lib/x86_64-linux-gnu/libGL.so.1

# 2.2.4 needs this path when compiled with "Native messaging browser extension"
noblacklist ${HOME}/.mozilla
noblacklist ${DOCUMENTS}

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc
include disable-passwdmgr.inc
include disable-programs.inc
include disable-xdg.inc

include whitelist-var-common.inc

caps.drop all
machine-id
net none
no3d
nodvd
nodbus
nogroups
nonewprivs
noroot
nosound
notv
nou2f
novideo
protocol unix
seccomp
shell none

private-bin keepassxc
private-dev
private-etc fonts,ld.so.cache,machine-id,alternatives
private-tmp

# 2.2.4 crashes on database open
#memory-deny-write-execute
noexec ${HOME}
noexec /tmp

# Mutex is stored in /tmp by default, which is broken by private-tmp
join-or-start keepassxc


Same with gwenview. Now everything works fine.
locke
 
Posts: 2
Joined: 2019-09-06 19:26
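
A check for the failure diagnosed in this thread, as an added example that is not part of the original posts: it follows a file's symlink chain one hop at a time and prints every top-level /etc name the chain passes through, which are the names a private-etc line has to list. The function names etc_entries and make_sample_tree are hypothetical, and the sample tree (including the final link target) is constructed to mirror the ls -l output above.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the top-level names under /etc
# that a file's symlink chain passes through; each must be in private-etc.

# etc_entries PATH [ETC_ROOT]; ETC_ROOT defaults to /etc (override for testing).
etc_entries() {
    path=$1
    etc_root=$(cd "${2:-/etc}" && pwd -P) || return 1
    hops=0
    found=" "
    while [ -L "$path" ] && [ "$hops" -lt 16 ]; do   # cap guards against loops
        target=$(readlink "$path")
        case $target in
            /*) path=$target ;;                       # absolute link target
            *)  path=$(dirname "$path")/$target ;;    # relative to link's dir
        esac
        # Normalise the directory part so ".." hops cannot hide an /etc path.
        dir=$(cd "$(dirname "$path")" 2>/dev/null && pwd -P) &&
            path=$dir/$(basename "$path")
        case $path in
            "$etc_root"/*)
                rest=${path#"$etc_root"/}
                name=${rest%%/*}
                case $found in
                    *" $name "*) ;;                   # already reported
                    *) found="$found$name "; printf '%s\n' "$name" ;;
                esac ;;
        esac
        hops=$((hops + 1))
    done
}

# Constructed sample tree mirroring the ls -l output in the post above;
# libGL-target.so is a made-up stand-in for the real library file.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/alternatives" "$root/usr/lib"
    : > "$root/usr/lib/libGL-target.so"
    ln -s "$root/usr/lib/libGL-target.so" "$root/etc/alternatives/glx--libGL.so.1"
    ln -s "$root/etc/alternatives/glx--libGL.so.1" "$root/usr/lib/libGL.so.1"
    printf '%s\n' "$root"
}
```

On a real system, call etc_entries with the library path from the loader error, outside the sandbox. Each name added to private-etc exposes that /etc entry inside the sandbox, so add only the names the chain actually needs.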

