Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tesseract output contains firejail messages #6171

Closed
kmille opened this issue Jan 26, 2024 · 5 comments · Fixed by #6173
Closed

tesseract output contains firejail messages #6171

kmille opened this issue Jan 26, 2024 · 5 comments · Fixed by #6173
Labels
bug Something isn't working

Comments

@kmille
Copy link

kmille commented Jan 26, 2024

Hey, I'm using firejail on Arch Linux. My problem: --version shows version of firejail and not of the actual program (and/or some additional debug output).

What I expect:

kmille@linbox:~ /usr/bin/evince --version
GNOME Document Viewer 45.0

What I get

kmille@linbox:~ evince --version         
Reading profile /etc/firejail/evince.profile
Reading profile /home/kmille/.config/firejail/evince.local
Reading profile /home/kmille/.config/firejail/globals.local
Reading profile /etc/firejail/allow-bin-sh.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /home/kmille/.config/firejail/disable-common.local
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-shell.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: private-lib feature is disabled in Firejail configuration file
firejail version 0.9.73

Parent pid 276776, child pid 276781
5 programs installed in 14.25 ms
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Private /etc installed in 27.18 ms
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Base filesystem installed in 84.60 ms
Child process initialized in 231.19 ms
GNOME Document Viewer 45.0

Parent is shutting down, bye...

kmille@linbox:~ which -a evince
/usr/local/bin/evince
/usr/bin/evince
/bin/evince

I'm using

kmille@linbox:scans firejail --version                            
firejail version 0.9.73

Compile time support:
        - always force nonewprivs support is disabled
        - AppArmor support is enabled
        - AppImage support is enabled
        - chroot support is enabled
        - D-BUS proxy support is enabled
        - file transfer support is enabled
        - firetunnel support is disabled
        - IDS support is disabled
        - networking support is enabled
        - output logging is enabled
        - overlayfs support is disabled
        - private-home support is enabled
        - private-lib support is disabled
        - private-cache and tmpfs as user enabled
        - SELinux support is disabled
        - user namespace support is enabled
        - X11 sandboxing support is enabled
@rusty-snake
Copy link
Collaborator

This is expected/intended behaviour. You can add quite to evince.profile or set quiet-by-default yes in firejail.config to make firejail quite for evince/global.

@rusty-snake rusty-snake closed this as not planned Won't fix, can't repro, duplicate, stale Jan 26, 2024
@rusty-snake
Copy link
Collaborator

Reopening, there's a regression from f019f0e (@kmk3).

$ file-roller --version 2>/dev/null
firejail version 0.9.73

file-roller 43.1, Copyright © 2001-2012 Free Software Foundation, Inc.

@rusty-snake rusty-snake reopened this Jan 26, 2024
@rusty-snake rusty-snake added the bug Something isn't working label Jan 26, 2024
@kmille
Copy link
Author

kmille commented Jan 27, 2024
edited by kmk3
Loading

Thanks for the explanation! Not sure what you mean with the regression thing. I tried quiet, there is still an issue:

What I'm actually trying to do is (I guess ocrmypdf calls tesseract --version):

kmille@linbox:tmp ocrmypdf test.pdf 123.pdf
                                                                                                                                                                                                                                __init__.py:277
The program 'tesseract' could not be executed or was not found on your
system PATH.

                                                                                                                                                                                                                                __init__.py:263
On systems with the aptitude package manager (Debian, Ubuntu), try these
commands:
    sudo apt update
    sudo apt install tesseract-ocr

On RPM-based systems (Red Hat, Fedora), try this command:
    sudo dnf install tesseract-ocr

The program 'tesseract' did not report its version. Message was:                                                                                                                                                                 __main__.py:69
Reading profile /etc/firejail/tesseract.profile
tesseract 5.3.4
 leptonica-1.84.1
  libgif 5.2.1 : libjpeg 8d (libjpeg-turbo 3.0.1) : libpng 1.6.40 : libtiff 4.6.0 : zlib 1.3 : libwebp 1.3.2 : libopenjp2 2.5.0
 Found AVX2
 Found AVX
 Found FMA
 Found SSE4.1
 Found OpenMP 201511
 Found libarchive 3.7.2 zlib/1.3 liblzma/5.4.4 bz2lib/1.0.8 liblz4/1.9.4 libzstd/1.5.5
 Found libcurl/8.5.0 OpenSSL/3.2.0 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.11.0 nghttp2/1.58.0

So now, there is still this one line Reading profile /etc/firejail/tesseract.profile.

Expected output:

kmille@linbox:tmp tesseract --version
tesseract 5.3.4
 leptonica-1.84.1
  libgif 5.2.1 : libjpeg 8d (libjpeg-turbo 3.0.1) : libpng 1.6.40 : libtiff 4.6.0 : zlib 1.3 : libwebp 1.3.2 : libopenjp2 2.5.0
 Found AVX2
 Found AVX
 Found FMA
 Found SSE4.1
 Found OpenMP 201511
 Found libarchive 3.7.2 zlib/1.3 liblzma/5.4.4 bz2lib/1.0.8 liblz4/1.9.4 libzstd/1.5.5
 Found libcurl/8.5.0 OpenSSL/3.2.0 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh2/1.11.0 nghttp2/1.58.0

@rusty-snake
Copy link
Collaborator

rusty-snake commented Jan 27, 2024
edited by glitsj16
Loading

Firejail profiles are imperative, quiet takes effect from the time it is read. If quiet is not the first command in a profile, everything before it may produces some output. Related: #3503

~/.config/firejail/tesseract.profile:

quiet
include ${CFG}/tesseract.profile

kmk3 added a commit to kmk3/firejail that referenced this issue Jan 28, 2024
@kmk3
bugfix: print version to stderr on startup
101b08c 
Unlike the rest of the normal startup output (which goes to stderr), the
version number is being printed to stdout, which makes it harder to
ignore all of firejail's output.  Example:

    $ firejail --noprofile /usr/bin/true --version 2>/dev/null
    firejail version 0.9.73

    true (GNU coreutils) 9.4
    Copyright (C) 2023 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Written by Jim Meyering.

So make the normal startup version output go to stderr and keep the
other occurrences (such as in `firejail --version`) going to stdout, to
make it easier to grep things in the output.

Added on commit f019f0e ("Print version on startup for
firejail/firecfg", 2023-05-11) / PR netblue30#5829.

Reported by @rusty-snake[1].

[1] netblue30#6171 (comment)
@kmk3 kmk3 mentioned this issue Jan 28, 2024
Merged
@kmk3 kmk3 changed the title --version shows version of firejail and not of the actual program tesseract output contains firejail messages Jan 28, 2024
kmk3 added a commit to kmk3/firejail that referenced this issue Jan 28, 2024
@kmk3
tesseract.profile: add quiet
a3b28b5 
Tesseract is a CLI program and its output may be parsed by other
programs (such as `ocrmypdf`).  Including messages from firejail in the
output may break the parsing, so remove them.

Fixes netblue30#6171.

Reported-by: @kmille
@kmk3
Copy link
Collaborator

kmk3 commented Jan 28, 2024

@kmille on Jan 26:

Hey, I'm using firejail on Arch Linux. My problem: --version shows version
of firejail and not of the actual program (and/or some additional debug
output).

It does show the version of the program. From your log:

What I expect:

kmille@linbox:~ /usr/bin/evince --version
GNOME Document Viewer 45.0

What I get

kmille@linbox:~ evince --version         
Reading profile /etc/firejail/evince.profile
[...]
firejail version 0.9.73

[...]
Child process initialized in 231.19 ms
GNOME Document Viewer 45.0

Parent is shutting down, bye...

GNOME Document Viewer 45.0

The firejail version is just part of the normal firejail output.

evince is a GUI program (and is not used as a CLI as far as I know), so it is
not quiet by default.

This is working as intended.

@kmille on Jan 27:

I tried quiet, there is still an issue:

What I'm actually trying to do is (I guess ocrmypdf calls tesseract --version):

kmille@linbox:tmp ocrmypdf test.pdf 123.pdf
                                                                                                                                                                                                                                __init__.py:277
The program 'tesseract' could not be executed or was not found on your
system PATH.
[...]
The program 'tesseract' did not report its version. Message was:                                                                                                                                                                 __main__.py:69
Reading profile /etc/firejail/tesseract.profile
tesseract 5.3.4
 leptonica-1.84.1
  libgif 5.2.1 : libjpeg 8d (libjpeg-turbo 3.0.1) : libpng 1.6.40 : libtiff 4.6.0 : zlib 1.3 : libwebp 1.3.2 : libopenjp2 2.5.0
[...]

So now, there is still this one line Reading profile /etc/firejail/tesseract.profile.

Expected output:

kmille@linbox:tmp tesseract --version
tesseract 5.3.4
 leptonica-1.84.1
  libgif 5.2.1 : libjpeg 8d (libjpeg-turbo 3.0.1) : libpng 1.6.40 : libtiff 4.6.0 : zlib 1.3 : libwebp 1.3.2 : libopenjp2 2.5.0
[...]

So it seems that the actual issue is that tesseract is a CLI program but its
profile does not contain quiet. That can be easily fixed.

@kmk3 kmk3 mentioned this issue Jan 28, 2024
Merged
kmk3 added a commit to kmk3/firejail that referenced this issue Jan 31, 2024
@kmk3
bugfix: print version to stderr on startup
ebc9662 
Unlike the rest of the normal startup output (which goes to stderr), the
version number is being printed to stdout, which makes it harder to
ignore all of firejail's output.  Example:

    $ firejail --noprofile /usr/bin/true --version 2>/dev/null
    firejail version 0.9.73

    true (GNU coreutils) 9.4
    Copyright (C) 2023 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Written by Jim Meyering.

So make the normal startup version output go to stderr and keep the
other occurrences (such as in `firejail --version`) going to stdout, to
make it easier to grep things in the output.

Added on commit f019f0e ("Print version on startup for
firejail/firecfg", 2023-05-11) / PR netblue30#5829.

Reported by @rusty-snake[1].

[1] netblue30#6171 (comment)
kmk3 added a commit that referenced this issue Jan 31, 2024
@kmk3
bugfix: print version to stderr on startup (#6172)
fcde0cb 
Unlike the rest of the normal startup output (which goes to stderr), the
version number is being printed to stdout, which makes it harder to
ignore all of firejail's output.  Example:

    $ firejail --noprofile /usr/bin/true --version 2>/dev/null
    firejail version 0.9.73

    true (GNU coreutils) 9.4
    Copyright (C) 2023 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Written by Jim Meyering.

So make the normal startup version output go to stderr and keep the
other occurrences (such as in `firejail --version`) going to stdout, to
make it easier to grep things in the output.

Added on commit f019f0e ("Print version on startup for
firejail/firecfg", 2023-05-11) / PR #5829.

Reported by @rusty-snake[1].

[1] #6171 (comment)
kmk3 added a commit that referenced this issue Jan 31, 2024
@kmk3
tesseract.profile: add quiet (#6173)
bb45aa5 
Tesseract is a CLI program and its output may be parsed by other
programs (such as `ocrmypdf`).  Including messages from firejail in the
output may break the parsing, so remove them.

Fixes #6171.

Reported-by: @kmille
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

tesseract.profile: add quiet kmk3/firejail
3 participants
@kmille @kmk3 @rusty-snake