netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

firefox: cannot run gv and gs (GhostScript) #4647

Open vinc17fr opened 2 years ago

vinc17fr commented 2 years ago

Description

When I run gv on a PostScript file from the firefox profile, it hangs, taking 100% CPU time. If I run gs directly on the PostScript file, it fails, and this is the cause.

Note that gv is useful to open PostScript files on the web (this was how I found this issue), e.g. via Firefox, hence the firefox profile.

Steps to Reproduce

  1. Put a PostScript file `file.ps` in the Downloads directory.
  2. Run `LC_ALL=C firejail --profile=firefox gv ~/Downloads/file.ps`.
  3. Run `LC_ALL=C firejail --profile=firefox gs ~/Downloads/file.ps`.

Expected behavior

The contents of the PostScript document should appear in the window.

Actual behavior

At step 2, a gv window appears. The page numbers in the left pane are correct, showing that the PostScript file could have been read. But the document pane remains blank and there's a running throbber; gv takes 100% CPU time, apparently waiting for data from gs, which died.

At step 3, gs dies with the error `GPL Ghostscript 9.53.3: Can't find initialization file gs_init.ps.`. To make it work, I need to whitelist both `/usr/share/ghostscript` and `/usr/share/color/icc/ghostscript`.

Behavior without a profile

_What changed calling LC_ALL=C firejail --noprofile /path/to/program in a terminal?_

No issues.

Environment

Checklist

Log

Output of LC_ALL=C firejail /path/to/program

```
Reading profile /etc/firejail/firefox.profile
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/firefox-common.profile
Reading profile /home/vinc17/.config/firejail/firefox-common.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Warning: Warning: NVIDIA card detected, nogroups command disabled
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Parent pid 124528, child pid 124531
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
Child process initialized in 160.30 ms
Warning: Cannot convert string "-*-Courier-Medium-R-Normal--*-100-*-*-M-*-ISO8859-1" to type FontStruct
```

vinc17fr commented 2 years ago

BTW, rather independently of this issue, /usr/share/gv should be whitelisted for security (it contains a safe workdir for gs, and who knows what happens if this directory is not available: gv is expected to chdir to it).

rusty-snake commented 1 year ago

firefox.profile is made to run firefox in it and nothing else.

IMHO we should close here.