Tag: MuPDF

Firejail and MuPDF permissions error: “X Error of failed request: GLXBadContext”

adminguy / / IT

Was setting up Firejail and MuPDF on Funtoo 1.3…

$ firejail mupdf sample.pdf

Reading profile /etc/firejail/mupdf.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 31753, child pid 31754
Private /etc installed in 82.08 ms
Blacklist violations are logged to syslog
Child process initialized in 235.06 ms
libGL error: failed to open drm device: Permission denied
libGL error: failed to load driver: i965
libGL error: unable to load driver: swrast_dri.so
libGL error: failed to load driver: swrast
X Error of failed request: GLXBadContext
Major opcode of failed request: 150 (GLX)
Minor opcode of failed request: 6 (X_GLXIsDirect)
Serial number of failed request: 36
Current serial number in output stream: 35

Parent is shutting down, bye...

After searching around online with other MuPDF issues (issues tracker, etc. I had some other ideas.

$strace firejail mupdf sample.pdf



setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
unlink("/run/firejail/bandwidth/31761-bandwidth") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/network/31761-netmap") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/name/31761") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/x11/31761") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/profile/31761") = -1 ENOENT (No such file or directory)
setresuid(-1, 1000, -1) = 0
setresgid(-1, 1000, -1) = 0
getppid() = 31759
setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
openat(AT_FDCWD, "/proc/31759/comm", O_RDONLY) = 3
read(3, "strace\n", 4095) = 7
close(3) = 0
setresuid(-1, 1000, -1) = 0
setresgid(-1, 1000, -1) = 0
getuid() = 1000
geteuid() = 1000
getuid() = 1000
geteuid() = 1000
getuid() = 1000
geteuid() = 1000
openat(AT_FDCWD, "/etc/firejail/firejail.config", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=4395, ...}) = 0
read(3, "# This is Firejail system-wide c"..., 4096) = 4096
read(3, " third dimension is\n# color dept"..., 4096) = 299
read(3, "", 4096) = 0
close(3) = 0
getuid() = 1000
geteuid() = 1000
getuid() = 1000
geteuid() = 1000
getuid() = 1000
geteuid() = 1000
getuid() = 1000
stat("/bin/bash/", 0x7ffe9b611270) = -1 ENOTDIR (Not a directory)
stat("/bin/bash", {st_mode=S_IFREG|0755, st_size=926688, ...}) = 0
access("/bin/bash", X_OK) = 0
getuid() = 1000
geteuid() = 1000
openat(AT_FDCWD, "/home/farm/.config/firejail", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = -1 ENOENT (No such
file or directory)
getuid() = 1000
geteuid() = 1000
openat(AT_FDCWD, "/etc/firejail", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 3
fstat(3, {st_mode=S_IFDIR|0755, st_size=32768, ...}) = 0
getdents(3, /* 566 entries */, 32768) = 22808
getuid() = 1000
geteuid() = 1000
stat("/etc/firejail/mupdf.profile/", 0x7ffe9b60f0d0) = -1 ENOTDIR (Not a directory)
access("/etc/firejail/mupdf.profile", R_OK) = 0
openat(AT_FDCWD, "/etc/firejail/mupdf.profile", O_RDONLY) = 4
getpid() = 31761
setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
openat(AT_FDCWD, "/run/firejail/profile/31761", O_WRONLY|O_CREAT|O_TRUNC, 0666) = -1 EACCES (Permission denied)
write(2, "Error: cannot create /run/fireja"..., 49Error: cannot create /run/firejail/profile/31761
) = 49
setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
getpid() = 31761
unlink("/run/firejail/bandwidth/31761-bandwidth") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/network/31761-netmap") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/name/31761") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/x11/31761") = -1 ENOENT (No such file or directory)
unlink("/run/firejail/profile/31761") = -1 ENOENT (No such file or directory)
exit_group(1) = ?
+++ exited with 1 +++

It looks like the error is:
write(2, “Error: cannot create /run/fireja”…, 49Error: cannot create /run/firejail/profile/31761
) = 49

Solution

In gentoo, the mupdf profileĀ  in /etc/firejail/has

# Firejail profile for mupdf
# Description: Lightweight PDF viewer
# This file is overwritten after every install/update
# Persistent local customizations
include /etc/firejail/mupdf.local
# Persistent global definitions
include /etc/firejail/globals.local

noblacklist ${DOCUMENTS}

include /etc/firejail/disable-common.inc
include /etc/firejail/disable-devel.inc
include /etc/firejail/disable-interpreters.inc
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-xdg.inc

include /etc/firejail/whitelist-var-common.inc

caps.drop all
machine-id
net none
nodbus
nodvd
nogroups
nonewprivs
noroot
nosound
notv
novideo
protocol unix
seccomp
# seccomp.keep
access,arch_prctl,brk,clone,close,connect,execve,exit_group,fchmod,fchown,fcntl,fstat,futex,getcwd,getpeername,getrlimit,getsock$
shell none
tracelog

# private-bin mupdf,sh,tempfile,rm
private-dev
private-etc fonts
private-tmp

# mupdf will never write anything
read-only ${HOME}

However, the private-etc fonts will cause this error. This was found by brute force troubleshooting (delete entries from profile, until it works).

Comment it out, and MuPDF should display correctly.

now you will get:

$ firejail mupdf sample.pdf
Reading profile /etc/firejail/mupdf.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Parent pid 31763, child pid 31764
Blacklist violations are logged to syslog
Child process initialized in 130.35 ms
libGL error: failed to open drm device: Permission denied
libGL error: failed to load driver: i965

and the PDF opens.