Google Earth Pro not working on Archlinux #3906

Open
X6B opened this issue Jan 21, 2021 · 20 comments · Fixed by #3915
Labels
bug Something isn't working

Comments

@X6B

X6B commented Jan 21, 2021

Firejail 0.9.64 version running Google Earth Pro 7.3.3.7786-4 installed from AUR repository:

google-earth-pro
Reading profile /etc/firejail/google-earth.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 31220, child pid 31221
Private /opt installed in 195.92 ms
7 programs installed in 4.55 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 238.68 ms
Error: no suitable /usr/bin/google-earth-pro executable found
Parent is shutting down, bye...

And this is my local profile to make the program work:

private-bin google-earth-pro,readlink
include /etc/firejail/google-earth.profile

@rusty-snake
Collaborator

What does firejail --ignore=private-bin --profile=google-earth ls -l /usr/bin/google-earth show?

@X6B
Author

X6B commented Jan 21, 2021

firejail --ignore=private-bin --profile=google-earth ls -l /usr/bin/google-earth
Reading profile /etc/firejail/google-earth.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 77280, child pid 77281
Private /opt installed in 197.85 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 245.52 ms
can't access '/usr/bin/google-earth': file or directory does not exist

@reinerh
Collaborator

reinerh commented Jan 22, 2021

Where is GoogleEarthPro installed? In /usr/bin or somewhere in /opt?

@X6B
Author

X6B commented Jan 22, 2021

/opt/google/earth/pro/

@reinerh
Collaborator

reinerh commented Jan 23, 2021

> Reading profile /etc/firejail/google-earth.profile

It seems to load google-earth.profile instead of google-earth-pro.profile.
Can you try using this one? firejail --profile=/etc/firejail/google-earth-pro.profile google-earth-pro
(It shouldn't be necessary to specify the profile, but for some reason it didn't load the pro profile in your first post)

@X6B
Author

X6B commented Jan 23, 2021

firejail --profile=/etc/firejail/google-earth-pro.profile google-earth-pro
Reading profile /etc/firejail/google-earth-pro.profile
Reading profile /etc/firejail/google-earth.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 164455, child pid 164456
Private /opt installed in 899.09 ms
8 programs installed in 5.38 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 943.24 ms
/usr/local/bin/google-earth-pro: line 21: readlink: command not found
/usr/local/bin/google-earth-pro: line 21: ./googleearth-bin: File or directory does not exist.

@reinerh
Collaborator

reinerh commented Jan 23, 2021

> /usr/local/bin/google-earth-pro: line 21: readlink: command not found
> /usr/local/bin/google-earth-pro: line 21: ./googleearth-bin: File or directory does not exist.

This somehow sounds like /usr/local/bin/google-earth-pro is a shell script.
You probably have to add all binaries called by the script (like readlink) to private-bin.
Or maybe it's easier to remove private-bin from your google-earth-pro.profile and google-earth.profile.

@glitsj16
Collaborator

glitsj16 commented Jan 23, 2021

> this somehow sounds like /usr/local/bin/google-earth-pro is a shell script

I've just installed the google-earth-pro package from AUR to help debug this. I must say there's quite a few things going awkward with the app, even without any sandboxing. Need some time to investigate thoroughly but at least I see the package installs a shell script in /usr/bin/google-earth-pro so I'm wondering how/what ended up in /usr/local/bin exactly.

@X6B can you post your local override here (giving us its full name as well) so we can follow the complete train of events.

UPDATE: Our current google-earth-pro.profile doesn't support including a google-earth-pro.local (something we need to fix). I suspect that's why both private-bin readlink and private-bin google-earth-pro are not actually called and the app fails to start. For now a google-earth.local should be used instead.

@rusty-snake
Collaborator

> For now a google-earth.local should be used instead.

For private-bin readlink,dirname,basename,grep,sed,... it will work, but for ignore private-bin not.

@glitsj16
Collaborator

> For private-bin readlink,dirname,basename,grep,sed,... it will work, but for ignore private-bin not.

Correct, just tripped over that one.

I'm not understanding why we blacklist/mkdir/mkfile these paths under ${HOME}/.googleearth. They make the firejailed app throw error windows with the message: Could not save "My Places". A copy can be found in "/home/glitsj16/.googleearth/myplaces.kml.tmp". For me everything starts to fall into place when blacklisting/mkdir/whitelisting ${HOME}/.googleearth itself instead. That implies changing disable-programs.inc as well obviously and I could understand that for a less experienced user that just installed google-earth-pro and wants to firejail it things get really complicated. Hence I'm marking this as a bug.

@glitsj16 glitsj16 added the bug Something isn't working label Jan 23, 2021
@rusty-snake
Collaborator

blacklist ${HOME}/.googleearth/Cache
blacklist ${HOME}/.googleearth/Temp
blacklist ${HOME}/.googleearth/myplaces.backup.kml
blacklist ${HOME}/.googleearth/myplaces.kml

It would be more secure to blacklist ${HOME}/.googleearth. If for example a new G-Earth version starts to execute plug-ins located in e.g. ~/.googleearth/plugins this could be used to escape the sandbox. (admittedly rather theoretical)

@glitsj16
Collaborator

@rusty-snake I fully agree and did so in the PR. At least on my system google-earth-pro already added ${HOME}/.googleearth/My Style Templates...

@glitsj16
Collaborator

@X6B As you see we're on top of this. Please hang on while the needed changes trickle down and the related PR gets merged. I'm pretty sure we can fix this properly. Thanks for bringing this to our attention!

@glitsj16
Collaborator

glitsj16 commented Jan 23, 2021

I'm reopening this so the OP can communicate on how to fix the issue.

@rusty-snake Thanks for the speedy review!

@glitsj16 glitsj16 reopened this Jan 23, 2021
@X6B
Author

X6B commented Jan 24, 2021

I tried your git changes and the program starts and works fine after deleting my old .googleearth folder, but I can't reopen it because of this:

google-earth-pro 
Reading profile /etc/firejail/google-earth-pro.profile
Reading profile /etc/firejail/google-earth.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-common.inc
Parent pid 14741, child pid 14742
Private /opt installed in 194.65 ms
12 programs installed in 6.96 ms
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: cleaning all supplementary groups
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Warning: cleaning all supplementary groups
Child process initialized in 239.21 ms
Google Earth appears to be running already. Please kill the
 existing process, or delete /home/xxxxxxxxx/.googleearth/instance-running-lock if this is an error.

Parent is shutting down, bye...

If I delete the ".instant-running-lock" folder inside .googleearth, the program crashes when I open it again.

Major Version 7
Minor Version 3
Build Number 0003
Build Date Jul 21 2020
Build Time 11:15:07
OS Type 3
OS Major Version 5
OS Minor Version 10
OS Build Version 10
OS Patch Version 0
Crash Signal 11
Crash Time 1611485222
Up Time 10.1225

Stacktrace from glibc:
/opt/google/earth/pro/libgoogleearth_pro.so(+0x1a733a)[0x7f752a15833a]
/usr/lib/libpthread.so.0(+0x140f0)[0x7f752a7890f0]
/opt/google/earth/pro/libge_cache.so(_ZN5earth5cache12LdbDiskCache9ReadEntryERK10QByteArrayPS2_+0x103)[0x7f750fdc1363]
/opt/google/earth/pro/libge_cache.so(_ZN5earth5cache12CacheManager7ReadJob5DoRunEv+0xb2)[0x7f750fdbd9d2]
/opt/google/earth/pro/libge_cache.so(_ZN5earth5cache12CacheManager10ManagerJob3RunEv+0xa)[0x7f750fdbd8ea]
/opt/google/earth/pro/libbase.so(_ZN5earth12WorkerThread14ProcessNextJobEv+0x7b)[0x7f75248f74eb]
/opt/google/earth/pro/libbase.so(_ZN5earth12WorkerThread17SpawnFuncInternalEv+0x47)[0x7f75248f7447]
/opt/google/earth/pro/libbase.so(_ZN5earth12WorkerThread9SpawnFuncEPS0_+0x6)[0x7f75248f7336]
/opt/google/earth/pro/libbase.so(_ZN5earth10ThreadInfo16ThreadEntryPointEPv+0x1f)[0x7f75248f10af]
/usr/lib/libpthread.so.0(+0x93e9)[0x7f752a77e3e9]
/usr/lib/libc.so.6(clone+0x43)[0x7f752a566293]

For now google-earth-pro only works fine the first time, when there is not any .googleearth folder at home.

@X6B
Author

X6B commented Jan 24, 2021

> I see the package installs a shell script in /usr/bin/google-earth-pro so I'm wondering how/what ended up in /usr/local/bin exactly.
>
> @X6B can you post your local override here (giving us its full name as well) so we can follow the complete train of events.

That /usr/local/bin/google-earth-pro was created by firecfg!

As I said in my first message, adding readlink and google-earth-pro to private-bin on my google-earth-pro local profile fixed the issue (before the git changes).

private-bin google-earth-pro,readlink
include /etc/firejail/google-earth.profile

@glitsj16
Collaborator

> Google Earth appears to be running already. Please kill the
> existing process, or delete /home/xxxxxxxxx/.googleearth/instance-running-lock if this is an error.

@X6B Confirming I see this too.

> If I delete the ".instant-running-lock" folder inside .googleearth, the program crashes when I open it again.

Oddly enough, for me (also running Arch Linux btw) this doesn't happen after rm -f ${HOME}/.googleearth/instance-running-lock before starting it again. When that folder is removed it starts happily again here. A basic shell wrapper script can handle this, but I agree that's an ugly workaround at best (not to mention things break for users using firecfg). Without firejail I noticed GEP doesn't properly remove that path (which is a symlink to /proc/) after shutting down, resulting in a dangling symlink. That should be fixed upstream IMO. As firejail uses a special setup for /proc this symlink always stays intact, confusing GEP into believing it is still running, so it throws that message shown by you above when you try to start it again. We would need a way to remove a file/dir on the real filesystem after shutting down the sandbox. That kind of functionality does not exist in firejail AFAIK.

I do realize this is not good news. The above - if correct - only hints at explaining what's going on. Playing with the profile hasn't resulted in a clean way to 'fix' this behaviour yet, if at all possible. Looks like an upstream bug that we can't do much about. It's my very first encounter with google-earth-pro though, so perhaps there's something I'm not seeing here.

On a related note there's much more to be done to the profile. Functionality like opening Google Maps, mail and a web browser for example is currently broken/missing in the firejail sandbox too. I'll keep playing with the app and the profiles, just wanted to inform you on where I'm at currently...
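
Added example (not part of any comment in this thread and not firejail project code): a host-side pre-launch check in the spirit of the wrapper workaround mentioned in the comment above. It deletes `instance-running-lock` only when no `googleearth-bin` process owned by the caller is running; the lock path and process name are taken from the messages quoted in this thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not firejail project code. Run on the host, outside the sandbox.
# Assumptions: lock path and process name come from the messages quoted in
# this thread; all function names are hypothetical.

# Succeed if a process with this exact name, owned by the caller, exists.
process_running() {
    name=$1
    for comm in /proc/[0-9]*/comm; do
        [ -O "${comm%/comm}" ] || continue
        # A process may exit between the glob and the read.
        read -r cur 2>/dev/null < "$comm" || continue
        [ "$cur" = "$name" ] && return 0
    done
    return 1
}

# Print "absent", "kept" (app is running) or "removed" (stale lock deleted).
clear_stale_lock() {
    lock=$1
    name=${2:-googleearth-bin}
    # -L also matches a dangling symlink, which -e alone reports as missing.
    if [ ! -e "$lock" ] && [ ! -L "$lock" ]; then
        echo absent
    elif process_running "$name"; then
        echo kept
    else
        rm -f -- "$lock" && echo removed
    fi
}

# Wrapper entry point: clean up, then start the sandboxed application.
launch_gep() {
    clear_stale_lock "${HOME}/.googleearth/instance-running-lock" >/dev/null
    exec firejail google-earth-pro "$@"
}
```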

@X6B
Author

X6B commented Jan 27, 2021

As this is a pain in the ass, I'll use the web version instead: https://earth.google.com/web/

It's basically the same thing.

@glitsj16
Collaborator

> As this is a pain in the ass, I'll use the web version instead: https://earth.google.com/web/

I fully understand your sentiment. In a follow-up PR I'll add extensive comments on this sad situation. Upstream is hardly interested it seems, let alone easily contactable. I wonder if we should disable it in firecfg or drop it completely. That's of course not a decision for me to take on my own. In any case, thanks for reporting it, at least we're in the know!

@rusty-snake
Collaborator

FTR #3978 (comment):

> so we should consider to add additional blacklists for ~/.config/Google/*
