netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Cannot run Icecat installed with Guix #3020

Closed ghost closed 4 years ago

ghost commented 5 years ago

Hello! I'm having trouble running GNUzilla Icecat installed with GNU Guix, a package manager that may be used on any GNU distribution in addition to the native one. It stores its packages in the /gnu directory, automatically generating symlinks to them in ~/.guix-profile/bin, which is then added to the path. My path currently contains these:

My operating system is Parabola GNU+Linux-libre and Firejail has been working fine with it. I have only installed Icecat and TeXmacs with Guix; TeXmacs appears to run perfectly fine with firejail, but doesn't have a pre-made profile in Firejail (which therefore falls back to the default profile), whereas Icecat currently does.

Running firejail icecat gives me the message: Error: cannot find the program in the path. When I specify the full path to the binary with ~/.guix-profile/bin/icecat , I get the message: Error: no suitable /home/username/.guix-profile/bin/icecat executable found.

I thought to try whitelisting /gnu for Icecat, so I added whitelist /gnu to its local profile, but with that, Firejail only tells me: Error: invalid whitelist path /gnu.

If whitelisting /gnu might help, how should I do it? If it's unlikely to work, how else could I get Icecat to run in Firejail? Please let me know if any further details on my setup or directory tree might help. Thank you!

glitsj16 commented 5 years ago

Have you tried starting icecat using its full path instead of the symlinks this guix provides? I'm not familiar with guix but I assume it would be somewhere under the /gnu directory you mentioned. Hopefully that's enough to get it going. Otherwise you might need to add the below to your icecat.local to ensure the guix stuff in your $HOME is known to firejail:

mkdir ${HOME}/.config/guix/current/bin
mkdir ${HOME}/.guix-profile
whitelist ${HOME}/.config/guix/current/bin
whitelist ${HOME}/.guix-profile

ghost commented 5 years ago

Thank you, @glitsj16! Starting Icecat via the full path actually gets it running, and the sandbox seems to work, too. It'd be convenient for the symlink to work, since it changes on every update and the launcher points to it by default, but I reckon I can get my system to update all of that automatically.

Unfortunately, the fonts in Icecat appear to be broken or missing, as the window only shows tofu. The console output complains about files not being found in /gnu/store/[…]/lib/icecat. I suspect Icecat might need access to the directory, but am not sure how to grant it. Is that possible at all?

(I'll check with the Guix community whether access to sub-directories of /gnu is necessary, but it would seem that way.)

rusty-snake commented 5 years ago

Running firejail icecat gives me the message: Error: cannot find the program in the path.

IDK why, but FJ ignores $PATH entries in $HOME.

When I specify the full path to the binary with ~/.guix-profile/bin/icecat , I get the message: Error: no suitable /home/username/.guix-profile/bin/icecat executable found.

Icecat has a whitelisting profile, therefore you must also whitelist this file/dir.

I thought to try whitelisting /gnu for Icecat, so I added whitelist /gnu to its local profile, but with that, Firejail only tells me: Error: invalid whitelist path /gnu.

whitelisting is not supported in /gnu. (see the manpage for supported paths)


Where is my first post? I have already commented on this? :confused:

Unfortunately, the fonts in Icecat appear to be broken or missing, as the window only shows tofu. The console output complains about files not being found in /gnu/store/[…]/lib/icecat. I suspect Icecat might need access to the directory, but am not sure how to grant it. Is that possible at all?

Start with firejail --name=icecat --ignore=private-bin icecat and then join with firejail --join=icecat bash. Then you can show how /gnu looks in the sandbox (ls /gnu).

glitsj16 commented 5 years ago

It'd be convenient for the symlink to work, since it changes on every update and the launcher points to it by default, but I reckon I can get my system to update all of that automatically.

I think you can do this by adding this to your icecat.local, cfr. my earlier post:

mkdir ${HOME}/.config/guix/current/bin
mkdir ${HOME}/.guix-profile
whitelist ${HOME}/.config/guix/current/bin
whitelist ${HOME}/.guix-profile

The only hurdle at the moment for that to work is trying to figure out how we can grant access to the /gnu directory. That's what @rusty-snake is trying to gather more info on. We'll get there, always fun to stumble onto new stuff like guix.

ghost commented 5 years ago

Reply to @rusty-snake:

Icecat has a whitelisting profile, therefore you must also whitelist this file/dir.

I have added the line whitelist ${HOME}/.guix-profile/bin/icecat, which resulted in the message: Error: invalid whitelist path /home/username/.guix-profile/bin/icecat. The problem may be that the ~/.guix.profile directory is another symlink (see below).

Start with firejail --name=icecat --ignore=private-bin icecat and the join with firejail --join=icecat bash. Then you can show how /gnu looks in the sandbox (ls /gnu).

Interestingly enough, it lists the same files it does when I run the command normally, so maybe the issue is not Icecat being unable to access the directory? :/ I guess I'll ask if anyone knows how that might be intended to work in Guix…

Follow-up reply to @glitsj16:

I think you can do this by adding this to your icecat.local, cfr. my earlier post:

mkdir ${HOME}/.config/guix/current/bin
mkdir ${HOME}/.guix-profile
whitelist ${HOME}/.config/guix/current/bin
whitelist ${HOME}/.guix-profile

So it turns out that all paths lead to /gnu. The directory /home/username/.guix-profile is a symlink to /var/guix/profiles/per-user/username/guix-profile, which in turn is a (likely dynamically changing) symlink to guix-profile-17-link in the same directory, which itself is a symlink to the appropriate profile in /gnu/store. That profile contains a bin directory with further symlinks to the individual packages, also installed in /gnu/store.
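As an added diagnostic (not code from this thread or from the firejail project), the script below rebuilds a throwaway copy of the symlink chain described above under a temporary root, walks it hop by hop, and flags any hop whose top-level directory falls outside an assumed set of whitelist-supported roots. The constructed store name, the username and the allowed-roots set are assumptions; check the set against the firejail manpage for your version.

```python
import os
import tempfile

# Constructed layout mirroring the chain in the thread:
# ~/.guix-profile -> /var/guix/profiles/per-user/USER/guix-profile
#   -> guix-profile-17-link (same dir) -> /gnu/store/<hash>-profile
# Everything is created under a temp root so the script never touches "/".
def build_fake_guix(root):
    profile = os.path.join(root, "gnu/store/abc123-profile")  # constructed hash
    per_user = os.path.join(root, "var/guix/profiles/per-user/username")
    home = os.path.join(root, "home/username")
    for d in (os.path.join(profile, "bin"), per_user, home):
        os.makedirs(d)
    os.symlink(profile, os.path.join(per_user, "guix-profile-17-link"))
    os.symlink("guix-profile-17-link", os.path.join(per_user, "guix-profile"))
    start = os.path.join(home, ".guix-profile")
    os.symlink(os.path.join(per_user, "guix-profile"), start)
    return start

def symlink_hops(path):
    """Return every path visited while following symlinks one hop at a time."""
    hops, seen = [path], set()
    while os.path.islink(path):
        if path in seen:
            raise RuntimeError("symlink loop at " + path)
        seen.add(path)
        target = os.readlink(path)
        if not os.path.isabs(target):            # relative link: resolve from link dir
            target = os.path.join(os.path.dirname(path), target)
        path = os.path.normpath(target)
        hops.append(path)
    return hops

def outside_allowed(hops, root, allowed=("home", "var", "tmp")):
    """Hops whose top-level directory (relative to root) is not whitelistable.
    'allowed' is an assumed set; firejail's real list is in its manpage."""
    return [h for h in hops
            if os.path.relpath(h, root).split(os.sep)[0] not in allowed]

def demo():
    root = tempfile.mkdtemp()
    hops = symlink_hops(build_fake_guix(root))
    bad = outside_allowed(hops, root)
    for h in hops:
        print(("  BLOCKED " if h in bad else "  ok      ") + os.path.relpath(h, root))
    return root, hops, bad

if __name__ == "__main__":
    demo()
```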

rusty-snake commented 5 years ago

icecat.profile includes firefox-common.profile which includes whitelist-var-common.inc. So your issue is there. https://github.com/netblue30/firejail/blob/11418a46c1c1c51a1270bb585bf8152f9298bc74/etc/firefox-common.profile#L30

Try adding whitelist /var/guix.

rusty-snake commented 4 years ago

@F3nd0 I'm closing here due to inactivity, please feel free to reopen if you still have this issue.

ghost commented 4 years ago

@rusty-snake Unfortunately I do still have the issue, and didn't get much insight into the problem from the Guix community. None of the solutions suggested here have worked for me, either. I could reopen the issue, but I'm out of ideas. :/

smitsohu commented 4 years ago

I have added the line whitelist ${HOME}/.guix-profile/bin/icecat, which resulted in the message: Error: invalid whitelist path /home/username/.guix-profile/bin/icecat. The problem may be that the ~/.guix.profile directory is another symlink (see below).

@F3nd0 I guess the mkdir ${HOME}/.guix-profile prevents creating the symbolic link, can you try again without? It is possible you also need to set follow-symlink-as-user to no in /etc/firejail/firejail.config.

Assuming there is not another symlink in ~/.config/guix/current/bin, we currently are at

mkdir ${HOME}/.config/guix/current/bin
whitelist ${HOME}/.config/guix/current/bin
whitelist ${HOME}/.guix-profile
whitelist /var/guix

smitsohu commented 4 years ago

I guess the mkdir ${HOME}/.guix-profile prevents creating the symbolic link

Scratch that part, it is nonsense

ghost commented 4 years ago

@smitsohu Thank you, setting follow-symlink-as-user to no did the trick! With that, the only line I need in my icecat.local for Icecat to work is: whitelist ${HOME}/.guix-profile. I'll see later if that works for other Guix-origin software, too.

Thank you all for your persistent help; closing!