netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0
5.8k stars 567 forks source link

audacity: error while loading shared libraries: lib-project-rate.so (private-bin) #5532

Open anomalocaris452 opened 1 year ago

anomalocaris452 commented 1 year ago

Manjaro Audacity 3.2.2 firejail 0.9.70

Reading profile /etc/firejail/audacity.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 130485, child pid 130486
1 program installed in 186.67 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Warning: Cannot confine the application using AppArmor.
Maybe firejail-default AppArmor profile is not loaded into the kernel.
As root, run "aa-enforce firejail-default" to load it.
Child process initialized in 676.32 ms
audacity: error while loading shared libraries: lib-project-rate.so: cannot open shared object file: No such file or directory       

Parent is shutting down, bye...
rusty-snake commented 1 year ago

Can you check if https://github.com/netblue30/firejail/commit/72eac267253543dd00e802d01123c4af5add33a3 fixed that too.

rusty-snake commented 1 year ago

Also consider to format your posts and provided information requested in the bug report template.

anomalocaris452 commented 1 year ago

@rusty-snake disabling apparmor aint helps (new eerrors)

firejail audacity
Reading profile /etc/firejail/audacity.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 4973, child pid 4974
1 program installed in 1224.26 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: not remounting /run/user/1000/doc
Warning: not remounting /run/user/1000/gvfs
Blacklist violations are logged to syslog
Child process initialized in 1512.63 ms
audacity: error while loading shared libraries: lib-project-rate.so: cannot open shared object file: No such file or directory

Parent is shutting down, bye...

BUT disabling private-bin WORKS well!! Thanks

kmk3 commented 1 year ago

(Offtopic)

@anomalocaris452

Please see the following links for how to format code blocks in markdown:

glitsj16 commented 1 year ago

Can you check if 72eac26 fixed that too.

@rusty-snake IMO it is related (cfr. the discussion in #5281). I normally don't use audacity but have installed it to test all this. Will need some time. But I can already confirm having apparmor + private-bin works flawlessly on Arch Linux. But we might need to loosen up the profile to support distro's where private-bin might be causing issues.

@anomalocaris452 What distro are you running? And do you actually use AppArmor?

On another note, Audacity 3.2.2 apparently now supports XDG_CONFIG_HOME. It no longer uses ${HOME/.audacity-data by default. I'll be opening a PR for this shortly, as that's something we can do right now without breaking things.

anomalocaris452 commented 1 year ago

@glitsj16 manjaro

glitsj16 commented 1 year ago

@glitsj16 manjaro

Fine, thanks. I assume Manjaro packages Audacity in the same way Arch Linux does, but I'll check up on that.

We still would like to know if you're running with AppArmor enabled or not. Details on how to find out are on the Arch wiki. This can help us to determine how best to fix this. Currently our audacity.profile is pretty tight, and private-bin audacity is an important part of that, which we'd prefer to keep as tight as possible. Also, we just recently made a few changes to it, as Audacity 3.2.2 started to support different configuration locations:

If you still have a ${HOME}/.audacity-data, move that out of the way and test with the below ~/.config/firejail/audacity.profile if you can:

# Firejail profile for audacity
# Description: Fast, cross-platform audio editor
# This file is overwritten after every install/update
# Persistent local customizations
include audacity.local
# Persistent global definitions
include globals.local

# Add the below lines to your audacity.local if you need online plugins.
#ignore net none
#netfilter
#protocol inet6

noblacklist ${HOME}/.audacity-data
noblacklist ${HOME}/.cache/audacity
noblacklist ${HOME}/.config/audacity
noblacklist ${HOME}/.local/share/audacity
noblacklist ${HOME}/.local/state/audacity
noblacklist ${DOCUMENTS}
noblacklist ${MUSIC}

include disable-common.inc
include disable-devel.inc
include disable-exec.inc
include disable-interpreters.inc
include disable-programs.inc
include disable-shell.inc
include disable-xdg.inc

include whitelist-var-common.inc

# Silence blacklist violation. See #5539.
allow-debuggers
## Enabling App Armor appears to break some Fedora / Arch installs
#apparmor
caps.drop all
net none
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet
seccomp
tracelog

private-bin audacity
private-dev
private-tmp

# problems on Fedora 27
# dbus-user none
# dbus-system none