netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

geary: fails to fully start and burns CPU #4982

Open spantaleev opened 2 years ago

spantaleev commented 2 years ago

Description

geary (1:40.0-6 on Archlinux) starts, but the UI is frozen.

Steps to Reproduce

I'm using the default geary profile. The one deployed by the Archlinux firejail package seems to be up to date with current master.

Steps to reproduce the behavior

  1. LC_ALL=C firejail geary
  2. Observe geary's frozen / empty UI and 100% CPU usage

Geary's dialog window still remains running after that, but nothing is clickable.

See the log below for some errors.

Behavior without a profile

_What changed calling LC_ALL=C firejail --noprofile /usr/bin/geary in a terminal?_

Geary starts up normally.

Log

Output of LC_ALL=C firejail /path/to/program

```
Reading profile /etc/firejail/geary.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 465344, child pid 465347
1 program installed in 1.31 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Warning fcopy: skipping /etc/xdg/menus/cinnamon-applications-merged, cannot find inode
Private /etc installed in 38.06 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 143.87 ms
*[wrn] 15:54:06.0147 dbind:AT-SPI: Error retrieving accessibility bus address: org.freedesktop.DBus.Error.ServiceUnknown: org.freedesktop.DBus.Error.ServiceUnknown
*[wrn] 15:54:06.0158 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory
*[wrn] 15:54:06.0166 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory
*[wrn] 15:54:06.0176 geary:application-certificate-manager.vala:87: No GCR store found, GCR certificate pinning unavailable
*[wrn] 15:54:06.0176 geary:application-certificate-manager.vala:91: GCR store is not RW, GCR certificate pinning unavailable
*[wrn] 15:54:06.0263 GLib:getpwuid_r(): failed due to unknown user id (1000)
Failed to create secure directory (/run/user/1000/pulse): Permission denied
```

Output of LC_ALL=C firejail --debug /path/to/program

```
Parent pid 465462, child pid 465463
Child process initialized in 8.49 ms
*[wrn] 17:54:38.0771 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory
*[wrn] 17:54:38.0778 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory
*[wrn] 17:54:38.0788 geary:application-certificate-manager.vala:87: No GCR store found, GCR certificate pinning unavailable
*[wrn] 17:54:38.0788 geary:application-certificate-manager.vala:91: GCR store is not RW, GCR certificate pinning unavailable
```

glitsj16 commented 2 years ago

> *[wrn] 15:54:06.0147 dbind:AT-SPI: Error retrieving accessibility bus address: [...]

This is due to dbus-user filter and not allowing the app to talk to 'org.a11y.Bus' (I think). None of our profiles allow D-Bus accessibility features. Don't recall any explicit discussion on this option, but can always be added in geary.local if needed. [UNRELATED]

> *[wrn] 15:54:06.0158 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory

Might be due to the very restrictive private-bin (which only allows the geary executable). [RELATED]

> *[wrn] 15:54:06.0176 geary:application-certificate-manager.vala:87: No GCR store found, GCR certificate pinning unavailable
> *[wrn] 15:54:06.0176 geary:application-certificate-manager.vala:91: GCR store is not RW, GCR certificate pinning unavailable

I'm not familiar with Geary's certificate-management. But here private-bin might also be blocking something. [RELATED]

> *[wrn] 15:54:06.0263 GLib:getpwuid_r(): failed due to unknown user id (1000)

Add private-etc group,login.defs,passwd in geary.local should fix this. [PROFILE BUG]

> Failed to create secure directory (/run/user/1000/pulse): Permission denied

Due to machine-id/nosound in the profile, so to be expected. Again, if you need/want Geary to provide audible notifications, you can override these in geary.local. [UNRELATED]

To sum up, these are some things you can try to see if they help fixing your Geary by creating ~/.config/firejail/geary.local with the below content:

```
ignore private-bin
private-etc group,login.defs,passwd
#+ temporarily allow all dbus-user traffic while debugging
ignore dbus-user filter
```

spantaleev commented 2 years ago

Wow, thank you for that very detailed analysis and proposed profile changes!

I've tried with your proposed geary.local and the output is like this now:

Output of LC_ALL=C firejail /path/to/program

```
Reading profile /etc/firejail/geary.profile
Reading profile /home/USER/.config/firejail/geary.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Ignoring "dbus-user.own org.gnome.Geary" and 6 other dbus-user filter rules.
Parent pid 850934, child pid 850935
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Warning fcopy: skipping /etc/xdg/menus/cinnamon-applications-merged, cannot find inode
Private /etc installed in 30.94 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 158.82 ms
Warning: an existing sandbox was detected.
/usr/bin/geary will run without any additional sandboxing features
*[wrn] 09:28:32.0680 dbind:Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-WTUR9G4M0H: No such file or directory
*[wrn] 09:28:32.0691 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory
*[wrn] 09:28:32.0699 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory
*[wrn] 09:28:32.0709 geary:application-certificate-manager.vala:87: No GCR store found, GCR certificate pinning unavailable
*[wrn] 09:28:32.0709 geary:application-certificate-manager.vala:91: GCR store is not RW, GCR certificate pinning unavailable
Failed to create secure directory (/run/user/1000/pulse): Permission denied
W: [pulseaudio] core-util.c: Uh, personality() failed: Operation not permitted
```

The UI is still frozen and Geary still burns CPU just the same.

rusty-snake commented 2 years ago

> W: [pulseaudio] core-util.c: Uh, personality() failed: Operation not permitted

```
seccomp !personality
```

glitsj16 commented 2 years ago

> Output of LC_ALL=C firejail /path/to/program [...] Warning: an existing sandbox was detected. /usr/bin/geary will run without any additional sandboxing features [...]

Hmm, that message indicates firejail is trying to sandbox geary twice. If you used firecfg to generate symlinks in /usr/local/bin (or your package manager did in a post-install hook) the correct call to start a firejailed geary process from a script or from the command line is

```
$ geary                    <-- because /usr/local/bin precedes /usr/bin in PATH and /usr/local/bin/geary is a symlink to /usr/bin/firejail
OR
$ /usr/local/bin/geary     <-- calling the symlink directly with full path
OR
$ firejail /usr/bin/geary  <-- calling firejail with the full path to the geary executable
```

Which one did you use?
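
The PATH resolution behind the three invocations listed in the comment above, as an added example that is not part of the original thread or of firejail: it reports whether the first match for a program name is a symlink to firejail (the kind of symlink described above) and which real binary to pass to `firejail` explicitly. The helper names and the output words `wrapped`, `direct` and `not-found` are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from firejail): helper names and the
# output words "wrapped", "direct" and "not-found" are made up here.

# Print every executable file called $1 in the colon-separated PATH string $2, in order.
path_matches() {
    name=$1
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting the PATH string
    for dir in $2; do
        [ -n "$dir" ] || dir=.  # an empty PATH entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
        fi
    done
    set +f
    IFS=$old_ifs
}

# True when $1 is a symlink that resolves to a file named "firejail".
is_firejail_link() {
    [ -L "$1" ] || return 1
    target=$(readlink -f -- "$1") || return 1
    [ "$(basename -- "$target")" = firejail ]
}

# "wrapped <symlink> <real>": the bare name already starts firejail, so run the
#     bare name or "firejail <real>"; "firejail <name>" would sandbox twice.
# "direct <path>": no wrapper symlink comes first, so "firejail <path>" sandboxes once.
launch_advice() {
    matches=$(path_matches "$1" "$2")
    [ -n "$matches" ] || { echo "not-found"; return 1; }
    first=$(printf '%s\n' "$matches" | head -n 1)
    real=
    # The real binary is the first match that is not a firejail symlink.
    while IFS= read -r candidate; do
        if ! is_firejail_link "$candidate"; then real=$candidate; break; fi
    done <<EOF
$matches
EOF
    if is_firejail_link "$first"; then
        echo "wrapped $first $real"
    else
        echo "direct $first"
    fi
}

# Demo on the local PATH; the program name defaults to geary.
launch_advice "${1:-geary}" "$PATH" || true
```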

spantaleev commented 2 years ago

Oh, silly me! You're right, I've been using LC_ALL=C firejail geary lately (for making these reports) and I do have symlinks installed.

Nevertheless, ~/.config/firejail/geary.local is like this now:

```
ignore private-bin
private-etc group,login.defs,passwd
#+ temporarily allow all dbus-user traffic while debugging
ignore dbus-user filter
seccomp !personality
```

and

Output of LC_ALL=C firejail /usr/bin/geary

```
Reading profile /etc/firejail/geary.profile
Reading profile /home/USER/.config/firejail/geary.local
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Seccomp list in: !personality, check list: @default-keep, prelist: unknown,
Ignoring "dbus-user.own org.gnome.Geary" and 6 other dbus-user filter rules.
Parent pid 885332, child pid 885333
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Warning fcopy: skipping /etc/xdg/menus/cinnamon-applications-merged, cannot find inode
Private /etc installed in 30.58 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Seccomp list in: !personality, check list: @default-keep, prelist: unknown,
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 159.43 ms
*[wrn] 06:37:43.0443 dbind:Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-WTUR9G4M0H: No such file or directory
*[wrn] 06:37:43.0456 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory
*[wrn] 06:37:43.0464 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory
*[wrn] 06:37:43.0475 geary:application-certificate-manager.vala:87: No GCR store found, GCR certificate pinning unavailable
*[wrn] 06:37:43.0475 geary:application-certificate-manager.vala:91: GCR store is not RW, GCR certificate pinning unavailable
Failed to create secure directory (/run/user/1000/pulse): Permission denied
```

glitsj16 commented 2 years ago

Let me provide some context. I personally don't like the newer Geary UI and use a custom Arch Linux PKGBUILD to install geary 3.34.2. Obviously that doesn't help when trying to debug the reported issues here. So I temporarily moved aside my custom stuff and installed the current geary repo package.

After some testing I created a new geary.profile, which works fine for me here. If you'd like to try that, download the linked gist, place it in ~/.config/firejail/geary.profile (so it overrides /etc/firejail/geary.profile) and (temporarily) remove the ~/.config/firejail/geary.local to avoid confusion. As you can see I integrated above suggestions in the refactored one.

I didn't have to use the seccomp !personality option mentioned above and can use the full seccomp option. We can worry later on what the current geary.profile needs to fix this. Let's try to get it going first on your setup.

spantaleev commented 2 years ago

With your geary.profile and with my geary.local disabled, Geary is working as per normal now.

Output of LC_ALL=C firejail /usr/bin/geary

```
Reading profile /home/USER/.config/firejail/geary.profile
Reading profile /etc/firejail/allow-bin-sh.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 56438, child pid 56441
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Warning: skipping alternatives for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping pki for private /etc
Warning fcopy: skipping /etc/xdg/menus/cinnamon-applications-merged, cannot find inode
Private /etc installed in 36.78 ms
Private /usr/etc installed in 0.00 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Blacklist violations are logged to syslog
Warning: cleaning all supplementary groups
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 185.43 ms
*[wrn] 17:11:45.0998 dbind:Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-JqpPRxuKDk: No such file or directory
*[wrn] 17:11:46.0010 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory
*[wrn] 17:11:46.0021 [no domain]:Error loading plugin: libnuspell.so.5: cannot open shared object file: No such file or directory
*[wrn] 17:11:46.0032 geary:application-certificate-manager.vala:87: No GCR store found, GCR certificate pinning unavailable
*[wrn] 17:11:46.0032 geary:application-certificate-manager.vala:91: GCR store is not RW, GCR certificate pinning unavailable
Failed to create secure directory (/run/user/1000/pulse): Permission denied
W: [pulseaudio] core-util.c: Uh, personality() failed: Operation not permitted
```

Thanks for taking the time to figure it all out!

glitsj16 commented 2 years ago

> With your geary.profile and with my geary.local disabled, Geary is working as per normal now.

Great! Thanks for confirming, very much appreciated. I'll make the necessary changes to our geary.profile later today. Before doing so I want to test if the seccomp !personality is indeed needed in case users try to enable audio support. Left that out for now to start with basic functionality but it would be a nice comment.

> Thanks for taking the time to figure it all out!

Very welcome. Thanks to your issue report we're now aware of this and will do the work. Just remember to remove your ~/.config/firejail/geary.profile when Arch Linux pushes a future firejail upgrade to its repos.

glitsj16 commented 2 years ago

@spantaleev The PR is in. Added some minor changes, but sound notifications (Preferences > Plugins) are working, without seccomp !personality. Just a FYI.

spantaleev commented 2 years ago

Great work, @glitsj16! I can confirm that everything (including sound) works with the new profile from #4992 without any custom changes (like seccomp !personality, etc.).

mizzunet commented 2 years ago

Yes, geary works fine.

Well, I have this output though


```
EGLDisplay Initialization failed: EGL_NOT_INITIALIZED
libEGL warning: MESA-LOADER: failed to open swrast: libLLVM-13.so: cannot open shared object file: No such file or directory (search paths /usr/lib/dri, suffix _dri)

EGLDisplay Initialization failed: EGL_NOT_INITIALIZED
```