yelp: cannot open man pages #6345

Open
Rosika2 opened this issue May 17, 2024 · 9 comments

@Rosika2

Rosika2 commented May 17, 2024

Info:

OS: Linux Lite 6.2
firejail version: 0.9.72

Hi all, 👋

I just noticed there's a yelp.profile available for firejail.

yelp provides an interesting alternative for viewing man pages. However the command (example):
firejail yelp man:ls didn't provide the results as expected.

The yelp GUI opened up but couldn't access the respective file. It said:
"Document not found. The URI ´man:ls´ does not point to a valid page." 😞

However: the command firejail --noprofile yelp man:ls worked well. The man pages for ls were flawlessly displayed in the yelp GUI. That was just for experimental reasons, of course.

I already copied the yelp.profile to ~/.config/firejail in order to change (some of) the options stored therein but frankly I don't know where to start.
Surely the profile needs some modification.

Thanks a lot for your help in advance.

Many greetings from Rosika 🙂

P.S.:

the terminal's output was:

firejail yelp man:ls
Reading profile /home/rosika/.config/firejail/yelp.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 33840, child pid 33843
5 programs installed in 10.26 ms
Warning: skipping asound.conf for private /etc
Warning: skipping crypto-policies for private /etc
Warning: skipping drirc for private /etc
Warning: skipping gcrypt for private /etc
Warning: skipping man_db.conf for private /etc
Private /etc installed in 32.14 ms
Private /usr/etc installed in 0.00 ms
Warning: not mounting tmpfs on /home/rosika/.config/pulse
Child process initialized in 188.24 ms
Gtk-Message: 14:58:49.752: Failed to load module "xapp-gtk3-module"

(yelp:31): dbind-WARNING **: 14:58:49.813: Couldn't connect to accessibility bus: Failed to connect to socket /run/user/1000/at-spi/bus_0: No such file or directory
Gtk-Message: 14:58:50.120: Failed to load module "xapp-gtk3-module"

** (WebKitWebProcess:54): WARNING **: 14:58:50.355: Can't connect to a11y bus: Could not connect: No such file or directory

Parent is shutting down, bye...
@glitsj16
Collaborator

OS: Linux Lite 6.2

The yelp.profile assumes man pages are located under /usr/share/man and whitelists that path accordingly. Does Linux Lite store these in the same location? If not you will need to whitelist the path it uses.

HTH

@kmk3 kmk3 changed the title yelp.profile doesn´t seem to work yelp: cannot open man pages May 18, 2024
@Rosika2
Author

Rosika2 commented May 18, 2024

Hi @glitsj16, 👋

thanks for your reply.

/usr/share/man and whitelists that path accordingly. Does Linux Lite store these in the same location?

In fact it does. I looked it up. Nothing unusual here, it seems.

Seems curious. I don't know why yelp.profile wouldn't work then. 🤔

Still: thanks a lot and many greetings from Rosika 🙂

@glitsj16
Collaborator

glitsj16 commented May 18, 2024

In fact it does. I looked it up. Nothing unusual here, it seems.

Ah well, that would have been too easy. So that leaves the manual trial and error routine. Try commenting all the include disable-foo.inc lines, private-bin and private-tmp and hopefully that can identify the culprit(s). Work your way up from there and post your observations so we can assist. There's also our IRC channel.

Enjoy your weekend.

@Rosika2
Author

Rosika2 commented May 18, 2024

Hi @glitsj16, 👋

thanks for your reply.

O.K., I'll try to follow the path you suggested.
As soon as I come up with anything substantial (perhaps even a solution) I'll post it here.

In the meantime: goodbye and have a nice weekend as well.

Cheers from Rosika 🙂

P.S.:

Thanks also for the hint regarding the IRC channel.

@Rosika2
Author

Rosika2 commented May 18, 2024

Hi again @glitsj16, 👋

I tried what you suggested but those ones weren't the culprit.
I tried some options more and found out that it's line 58 which has to be commented out:

# private-etc alsa,alternatives,asound.conf,crypto-policies,cups,dconf,drirc,fonts,gcrypt,groff,gtk-3.0,ld.so.cache,ld.so.preload,machine-id,man_db.conf,openal,os-release,pulse,sgml,xml

I left everything else unchanged.
Now yelp can access the man pages within firejail. 😃

I'm just wondering: Isn't it a bit much that gets commented out this way?
It's just one line but affects a lot of options... 🤔

Many greetings from Rosika 🙂

@glitsj16
Collaborator

Nice find.

I'm just wondering: Isn't it a bit much that gets commented out this way?

That's correct. Ideally, now that you've determined something is missing from private-etc, the best option would be to track down what that is and add that.

With the newly introduced @groups syntax for private-etc (only in git for now) this issue could go away. But while you're on 0.9.72, try adding (some of) the below 'usual suspects' and check if that kicks yelp into working mode while maintaining a restrictive sandbox:

$ cat ~/.config/firejail/yelp.local
private-etc group,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,localtime,login.defs,pango,passwd,xdg

HTH

@Rosika2
Author

Rosika2 commented May 19, 2024

Hi @glitsj16, 👋

I followed your suggestion and I did it this way:
In yelp.local I erased one entry at a time, e.g. group, ld.so.conf etc.

But yelp didn't work, no matter which of the entries I kicked out.

While commenting out the complete line with all of its entries works it must be a combination of 2 or more entries then. 🤔

Seems hard to find out the culprits.
For the time being it seems commenting out the line completely is mandatory.

Thanks again and many greetings from Rosika 🙂

@glitsj16
Collaborator

Seems hard to find out the culprits.

Agreed, that can become a rabbit-hole. And it's not 'insecure' without private-etc. Your OS and yourself are still there to protect sensitive things under /etc too. As I've mentioned, for me on firejail-git (with the refactored private-etc etcetera) yelp works fine. So let's hope it's only a matter of time before 0.9.74 reaches you and things sort themselves out :)

Thanks for your response. We'll keep this open for now.

@Rosika2
Author

Rosika2 commented May 19, 2024

@glitsj16, 👋

thanks so much for your feedback.

And it's not 'insecure' without private-etc.

That's good to know.

I might still follow some kind of "gradual reintroduction" approach:

Instead of removing one entry at a time, I could try gradually reintroducing entries back into yelp.local and testing yelp after each addition. This might help identify which specific combination of entries causes the problem.

Just an idea. Not sure if it will lead to anything. 😉

In the meantime: thanks again and have a nice Sunday.
Cheers from Rosika 🙂
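
The search for the missing private-etc entries discussed in this thread can be done systematically, including the case where two or more entries are needed together. The following Python script is an added example, not part of the thread or of firejail: it shrinks the candidate list from the yelp.local suggestion to a minimal working set. It assumes the profile's own private-etc line is active again and that the profile includes yelp.local; the function names and the `simulated` stand-in are hypothetical.

```python
"""Shrink a list of extra private-etc entries to the smallest set that works."""
from pathlib import Path

# Candidate entries suggested in the thread for yelp.local.
CANDIDATES = ("group,ld.so.conf,ld.so.conf.d,locale,locale.alias,locale.conf,"
              "localtime,login.defs,pango,passwd,xdg").split(",")
LOCAL = Path.home() / ".config/firejail/yelp.local"  # path used in the thread


def minimize(candidates, works):
    """Return a 1-minimal subset of candidates for which works() is true.

    Assumes works() is monotone (adding an /etc entry never breaks a working
    set). Returns None when even the full candidate list fails, i.e. the
    missing file is not among the candidates.
    """
    if not works(list(candidates)):
        return None
    needed = list(candidates)
    chunk = max(len(needed) // 2, 1)
    while chunk >= 1:
        i = 0
        while i < len(needed):
            trial = needed[:i] + needed[i + chunk:]
            if works(trial):
                needed = trial      # the dropped chunk was unnecessary
            else:
                i += chunk          # something in this chunk is required
        chunk //= 2
    return needed


def ask_operator(entries):
    """Interactive predicate: overwrite yelp.local, let the operator test by hand."""
    line = "private-etc " + ",".join(entries) + "\n" if entries else ""
    LOCAL.write_text(line)
    answer = input(f"[{len(entries)} entries] run 'firejail yelp man:ls'; works? [y/n] ")
    return answer.strip().lower().startswith("y")


def simulated(required):
    """Constructed stand-in for ask_operator: works iff all of `required` are present."""
    return lambda entries: set(required) <= set(entries)


if __name__ == "__main__":
    print(minimize(CANDIDATES, ask_operator))
```

A result of `None` means the file yelp needs is not in the candidate list at all, so the list has to be widened before any further narrowing makes sense.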
