Issue with printing evince #4187

Closed
Tus1688 opened this issue Apr 13, 2021 · 10 comments

@Tus1688
Contributor

Tus1688 commented Apr 13, 2021

I'm sorry, this issue is likely the same as issue #2101. I use Ubuntu 20.04, which has AppArmor preconfigured. I am curious that when I open evince via Firefox, it shows the list of my printers, but when I open evince normally, I don't see it.

It doesn't show the printer list when I do `firejail --noprofile evince`, but it works normally when I reset the sandbox using `sudo firecfg --clean`.

I commented nodbus and it doesn't show any difference. I wonder if there is a way to solve this problem. Thanks in advance.

@rusty-snake
Collaborator

Try this:

```
include allow-bin-sh.inc
private-bin sh
```

@glitsj16
Collaborator

> I commented nodbus ...

Side-note: what version of firejail are you running? The nodbus option has been deprecated. If your version is older than 0.9.64.4 you might be vulnerable to CVE-2021-26910, so it's worthwhile to double-check that.
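
The version check suggested in the comment above can be scripted. This is an added example, not part of the thread and not Firejail project code; the function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: flag firejail releases older than
# 0.9.64.4, the threshold the comment above gives for CVE-2021-26910.
FIXED_VERSION="0.9.64.4"

# First line of `firejail --version` reads "firejail version X.Y.Z[.W]".
parse_firejail_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^firejail version \([0-9][0-9.]*\).*$/\1/p'
}

# version_lt A B: exit 0 if dotted version A is older than B.
# Fields are compared numerically; a missing field counts as 0.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        if [ "$a" = "$fa" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$fb" ]; then b=; else b=${b#*.}; fi
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
    done
    return 1
}

# check_firejail_version OUTPUT: 0 = at/after the fix, 1 = older, 2 = unparsed.
check_firejail_version() {
    v=$(parse_firejail_version "$1")
    if [ -z "$v" ]; then
        echo "unknown: no firejail version found in input"
        return 2
    fi
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "outdated: $v is older than $FIXED_VERSION"
        return 1
    fi
    echo "ok: $v"
}

# Constructed sample outputs (hypothetical, not captured from a real host).
# On a real system: check_firejail_version "$(firejail --version 2>/dev/null)"
for sample in "firejail version 0.9.62" "firejail version 0.9.64.4"; do
    check_firejail_version "$sample" || true
done
```

A distribution package can carry a backported fix under an older upstream version number, so an "outdated" verdict is a prompt to check the package changelog, not proof of exposure.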

@Tus1688
Contributor Author

Tus1688 commented Apr 14, 2021

Thank you for your reply.
I put this in ~/.config/firejail:
`include allow-bin-sh.inc private-bin sh`
It doesn't work. When I checked /etc/firejail/ there is no allow-bin-sh.inc.
I am running version 0.9.62, and I have made the nodbus options as it supposed before.

@Tus1688
Contributor Author

Tus1688 commented Apr 14, 2021

I have (edit: deleted) `include allow-bin-sh.inc` and `private-bin sh`. Here are the snippets from the terminal when I tried to open the printers window:

```
** (evince:224): WARNING **: 03:45:02.373: Could not connect: Permission denied

** (evince:224): WARNING **: 03:45:02.373: Couldn't connect to D-Bus system bus, Could not connect: Permission denied
```

@glitsj16
Collaborator

> I am running version 0.9.62, and I have made the nodbus options as it supposed before.

Please upgrade your firejail package as soon as possible. As mentioned above 0.9.62 is vulnerable to CVE-2021-26910. Also, important improvements have been made with regards to D-Bus filtering, which seems to be (part of) the issue you're experiencing. You can use this PPA maintained by one of our collaborators. Follow the instructions on the Launchpad page to add the PPA and upgrade firejail. To get the best D-Bus support with Firejail it's important to also install xdg-dbus-proxy via your package manager.

I do realize this is not a straightforward 'do this to fix your issue', but we need to get you on the latest firejail release first. It could be that the issue with evince resolves itself or not. We'll get to that once you can confirm running 0.9.64.4.

@Tus1688
Contributor Author

Tus1688 commented Apr 14, 2021

Hi, thank you for your reply. I did upgrade firejail and added `include allow-bin-sh.inc` and `private-bin sh` in .config/firejail. Unfortunately it doesn't work though; I mean I can open evince, but I can't see the printer options. Then I decided to remove envince.profile in .config/firejail, and put `include allow-bin-sh.inc` and `private-bin sh` in evince.profile in /etc/firejail. Unfortunately, I notice the same thing.
But when I typed `firejail evince` it shows:

```
** (evince:229): WARNING **: 05:00:45.504: Couldn't connect to D-Bus system bus, Could not connect: Permission denied

** (evince:229): WARNING **: 05:00:45.509: failed to contact colord: Could not connect: Permission denied
```

The printer options show up there. I tried to remove the sandbox using `sudo firecfg --clean` and configure it again, then relog. I had the same issue when opening evince normally (without typing `firejail evince`).

@glitsj16
Collaborator

Okay, nice to read you've upgraded!

> ** (evince:229): WARNING **: 05:00:45.504: Couldn't connect to D-Bus system bus, Could not connect: Permission denied
> ** (evince:229): WARNING **: 05:00:45.509: failed to contact colord: Could not connect: Permission denied

Those are warnings about the D-Bus system bus, not the session bus. Access to the system bus is blocked in our evince.profile via the dbus-system none option by design. It hardens the profile, and I wouldn't recommend changing that.

Now, what confuses me is that you mention seeing Evince's Print window when you use it via Firefox, but not when you run it directly. Correct? I cannot reproduce that on my box. But I'm pretty sure those warnings about the system bus are not related and can be ignored.

> ... then I decided to remove envince.profile in .config/firejail, and put include allow-bin-sh.inc and private-bin sh in evince.profile in /etc/firejail.

That is not the proper way to do persistent overrides. As the first lines in that file mention, any changes you make in /etc/firejail/evince.profile will get lost on a firejail upgrade/reinstall. Make your edits in evince.local instead, either in /etc/firejail (used for all users) or in ~/.config/firejail (for your user only).

> But, When I typed firejail evince ... the printers options show up there

That's what you want, no? Unless something like network printing is involved I'm just not fully understanding what you've been doing/trying to achieve. I'm sure that's a communication mixup. Perhaps you can upload a 'working' versus 'not working' screenshot somewhere to get things more clear?

@Tus1688
Contributor Author

Tus1688 commented Apr 14, 2021

I am sorry for the confusion, as English is not my native language.

Method 1 (open evince using Firefox by typing file:///)
[screenshot 1]

Method 2 (open evince using terminal `firejail evince`)
[screenshot 2]

Method 3 (open evince normally)
[screenshot 3]

I want to print using method number 3.
Thank you.

@glitsj16
Collaborator

Thanks for the images, they do help 👍.

I didn't notice it at first, but the link to #2101 didn't work for me earlier and there's where I got side-tracked and added confusion of my own heh. My apologies. GitHub decided to turn that into https://github.com/netblue30/firejail/issues/url for some reason and I completely missed the firecfg connection. Only now I actually get what you mean and I believe #3831 is relevant for you in this context.

You could try firecfg.py, written by our collaborator-and-local-firejail-wizard @rusty-snake. Or you can adapt something I proposed here a while ago. But that's more suited for Arch Linux (based) systems in all fairness. Sadly I don't know much about apt/dpkg to quickly give you a similar procedure for Ubuntu.

HTH

@Tus1688 Tus1688 closed this as completed Apr 14, 2021
@Tus1688
Contributor Author

Tus1688 commented Apr 14, 2021

> Thanks for the images, they do help +1.
>
> I didn't notice it at first, but the link to #2101 didn't work for me earlier and there's where I got side-tracked and added confusion of my own heh. My apologies. GitHub decided to turn that into https://github.com/netblue30/firejail/issues/url for some reason and I completely missed the firecfg connection. Only now I actually get what you mean and I believe #3831 is relevant for you in this context.
>
> You could try firecfg.py, written by our collaborator-and-local-firejail-wizard @rusty-snake. Or you can adapt something I proposed here a while ago. But that's more suited for Arch Linux (based) systems in all fairness. Sadly I don't know much about apt/dpkg to quickly give you a similar procedure for Ubuntu.
>
> HTH

Thank you for your reply. After I disabled AppArmor, it is working 👍
