Can't find libstdc++.so.6 due to private-etc and private-lib in aria2c.profile #4589

Closed
crocket opened this issue Oct 5, 2021 · 5 comments · Fixed by #4643

Comments

@crocket
Contributor

crocket commented Oct 5, 2021

Description

This aria2c.local file works around the issue:

private-etc ld.so.cache
ignore private-lib

private-lib eliminates /usr/lib/gcc by mounting tmpfs on /usr/lib.
/etc/ld.so.cache is necessary for finding libstdc++.so.6 in /usr/lib/gcc.

Environment

  • Linux distribution and version // Gentoo Linux
  • Firejail version (firejail --version).
firejail --version
firejail version 0.9.66

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file and directory whitelisting support is enabled
        - file transfer support is enabled
        - firetunnel support is disabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
@rusty-snake
Collaborator

ignore private-lib

We have private-lib …,gcc/*/*/libstdc++.so.*,… already in other profiles, maybe we should just hardcode it?

private-etc ld.so.cache

To sum up:

  • always necessary: alternatives,ld.so.cache,ld.so.preload
  • always necessary if there is no net none: ca-certificates,crypto-policies,nsswitch.conf,pki,resolv.conf,ssl
    • crypto-policies,pki,ssl can be future restricted to use subdirs
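
Added example, not part of the thread or of firejail: a small Python check that applies the two rule sets summarised in the comment above to a profile's text and reports which required /etc entries its private-etc lines leave out. The function name, the sample profile text, and the handling of ignore lines and merged private-etc lines are assumptions of this example.

```python
# Added example, not firejail code. Rule sets are copied from the comment above.
ALWAYS = {"alternatives", "ld.so.cache", "ld.so.preload"}
UNLESS_NET_NONE = {"ca-certificates", "crypto-policies", "nsswitch.conf",
                   "pki", "resolv.conf", "ssl"}


def missing_private_etc(profile_text):
    """Return the sorted required /etc entries a profile's private-etc omits.

    Assumptions: all private-etc lines are merged into one list, an
    `ignore X` line disables later lines that start with X, and include
    lines are not followed (pass the .local text followed by the profile).
    """
    kept, ignored = set(), []
    uses_private_etc = net_none = False
    for raw in profile_text.splitlines():
        line = " ".join(raw.split())  # trim and collapse whitespace
        if not line or line.startswith("#"):
            continue
        if line.startswith("ignore "):
            ignored.append(line[len("ignore "):])
            continue
        if any(line == i or line.startswith(i + " ") for i in ignored):
            continue
        if line.startswith("private-etc "):
            uses_private_etc = True
            entries = line.split(" ", 1)[1].split(",")
            kept.update(e.strip() for e in entries if e.strip())
        elif line == "net none":
            net_none = True
    if not uses_private_etc:
        return []  # no private-etc line, so none of these rules apply
    required = ALWAYS if net_none else ALWAYS | UNLESS_NET_NONE
    return sorted(required - kept)


# Constructed sample text, not the real aria2c.profile.
SAMPLE_PROFILE = """\
# constructed downloader profile
private-etc ca-certificates,ssl,pki,resolv.conf
private-lib gcc/*/*/libstdc++.so.*
"""
SAMPLE_LOCAL = "private-etc ld.so.cache\nignore private-lib\n"

if __name__ == "__main__":
    print("profile only:", missing_private_etc(SAMPLE_PROFILE))
    print("with .local: ", missing_private_etc(SAMPLE_LOCAL + SAMPLE_PROFILE))
```
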

@crocket
Contributor Author

crocket commented Oct 5, 2021

Perhaps, you could put those in something like /etc/firejail/globals.inc and put include globals.inc in every profile in /etc/firejail?

@rusty-snake
Collaborator

Nope, because not every profile uses private-etc. I solved this in my overrides with include private-etc:net.inc. Anyway, we need private-etc groups like for seccomp (private-etc @network,fonts,...). Couldn't find the issue for it.

@crocket
Contributor Author

crocket commented Oct 5, 2021

Perhaps, something like this in /etc/firejail/globals.inc can work.

?HAS_PRIVATE_ETC: private-etc alternatives,ld.so.cache,ld.so.preload

rusty-snake linked a pull request Oct 28, 2021 that will close this issue
@crocket
Contributor Author

crocket commented Oct 29, 2021

I don't think testing profiles is the definite solution because people are going to have private profiles that are not subject to tests.

People will still keep submitting profiles without required files, and you will have to explain every time. That's why it's not the definite solution.

The solution would eradicate the possibility of a wrong profile. Perhaps private-etc should implicitly add required files, and the man page should explain that private-etc automatically adds required files.
