Hello.

I apologize, once again, for such a bad bug report, but I'm in a hurry
(I just want to help, because there could be some issues with the new
Firefox version - problems that could appear after the update, just like in
my case, etc.). Anyway, there is one entry in the log files that confuses
me, because there is not much information in it that could help
create a proper rule. Here is the log entry (it appeared about 4 or 5 times):

✗ apparmor="DENIED" operation="connect"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/tmp/.X11-unix/X0"
pid=4643 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000
ouid=0

As I already mentioned, the "abstractions/X" file contains a rule related to
"/tmp/.X11-unix/X0" and the "connect" operation. However, there are also
"type" and "peer" options (see the report; last rule) - which are not in the
log entry! So it seems that such a rule is wrong... but Firefox started
to work normally.

Anyway, I would like to ask if something like this could/should be used
instead of the rule in the bug report:

# Explicitly allow 'connect' unix permission
unix (connect),

(NOTE: the chromium-browser profile also contains a few "unix" rules - but not
with the 'connect' option - and "capability" rules.) What do you think? Which
solution is better:

- use the last rule mentioned in the bug report (please note that there is "rw"
access for the "/tmp/.X11-unix/X0" socket because of 'requested{,denied}_mask');
- allow only the 'connect' unix permission (see this post);

Or maybe it should be only something like this? But that is just an idea. Crazy
idea:

/tmp/.X11-unix/X[0-9]* r,

Thanks. I'm sorry once again.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1770600

Title:
  Firefox v60: does not work after updating, many "DENIED" log entries.

Status in firefox package in Ubuntu:
  New

Bug description:
  Hello.

  Today, Firefox has been updated to v60. After the first start there were so
  many problems: with new tabs (errors), the Sandbox option (one new option
  with a 'false' value). There were so many issues. No website was
  working, I could not click on anything, there was no menu bar and so on.
  The Firefox main window had been resized, etc.

  Anyway, there were also a lot of "DENIED" entries in the log files. Here
  are the AppArmor rules that helped, and now Firefox works okay. Maybe
  it will help someone too?

  # apparmor="DENIED" operation="capable"
  # profile="/usr/lib/firefox/firefox{,*[^s][^h]}" comm="firefox" capability=21
  # capname="sys_admin"
  #
  capability sys_admin,

  # apparmor="DENIED" operation="capable" 
  # profile="/usr/lib/firefox/firefox{,*[^s][^h]}" comm="firefox" 
  # capability=19 capname="sys_ptrace" 
  #
  capability sys_ptrace, 

  # apparmor="DENIED" operation="capable" 
  # profile="/usr/lib/firefox/firefox{,*[^s][^h]}" comm="Gecko_IOThread" 
  # capability=18  capname="sys_chroot" 
  #
  capability sys_chroot, 

  # NOTE: what about an "owner" prefix?
  #
  # apparmor="DENIED" operation="open" 
  # profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/4137/uid_map" 
  # comm="Gecko_IOThread" requested_mask="w" denied_mask="w" 
  # fsuid=1000 ouid=1000 
  #
  @{PROC}/@{pid}/uid_map w,

  # NOTE: what about an "owner" prefix?
  #
  # apparmor="DENIED" operation="open" 
  # profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/4282/gid_map" 
  # comm="Gecko_IOThread" requested_mask="w" denied_mask="w" 
  # fsuid=1000 ouid=1000 
  #
  @{PROC}/@{pid}/gid_map w,

  # NOTE: what about an "owner" prefix?
  #
  # apparmor="DENIED" operation="open" 
  # profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/4282/setgroups"
  # comm="Gecko_IOThread" requested_mask="w" denied_mask="w" 
  # fsuid=1000 ouid=1000 
  #
  @{PROC}/@{pid}/setgroups w,

  # NOTE: what about an "owner" prefix?
  #
  # apparmor="DENIED" operation="dbus_bind"  bus="session" 
  # name="org.mozilla.firefox.WAJxENJayq__" mask="bind" 
  # label="/usr/lib/firefox/firefox{,*[^s][^h]}" 
  #
  dbus bind bus=session name=org.mozilla.firefox.*,

  # NOTE: this rule can be found, for example, in the "abstractions/X" file.
  # However, there is "r" in 'requested{,denied}_mask' - for '/tmp/.X11-unix/'
  # - in the log entries, so I added "r" - and now it's "rw".
  # 
  # apparmor="DENIED" operation="connect" 
  # profile="/usr/lib/firefox/firefox{,*[^s][^h]}" 
  # name="/tmp/.X11-unix/X0" comm="firefox" requested_mask="r" denied_mask="r" 
  # fsuid=1000 ouid=0
  #
  /tmp/.X11-unix/* rw,
  unix (connect, receive, send)
        type=stream
        peer=(addr="@/tmp/.X11-unix/X[0-9]*"),

  Can someone check if these rules are okay? With the above rules, Firefox
  v60 is working okay again: web browsing, new tabs etc. There are also
  some "segfault" errors in the log files - together with the "DENIED" entries.
  Here are some of them (there is a bug report on Launchpad about
  "libxul"):

  ✗ [ 3051.788218] Gecko_IOThread[4770]: segfault at 0 ip aef1b0de sp aeb1a550 error 6 in libxul.so[aebed000+66fd000]
  ✗ Gecko_IOThread[4795]: segfault at 0 ip aef1b0de sp aeb1a550 error 6 in libxul.so[aebed000+66fd000]

  I hope that the above rules will help other users who have issues
  with the new Firefox release. Here is some technical information:

  ● Firefox: v60.0 (32-bit)
  ● Linux kernel: 4.4.0-125-generic
  ● Release: 16.04 LTS 

  Thanks, best regards.
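The report and the follow-up comment both work through the same exercise by hand: read an AppArmor "DENIED" audit line and turn it into a candidate profile rule, deciding whether an `owner` prefix fits and whether a `/proc/<pid>/` path should be written with `@{PROC}/@{pid}/`. The small translator below is an added example, not code from the bug report or from the AppArmor project; it applies the heuristics the reporter was asking about (an `owner` prefix only where `fsuid` equals `ouid`, so the `/proc/.../uid_map` entries qualify and the `X0` socket owned by root does not) to sample lines reconstructed from the entries quoted above. The pids and the D-Bus well-known name in the sample are placeholders copied from the report, and the output is a starting point to compare against existing abstractions, not a finished profile.

```python
"""Translate AppArmor audit "DENIED" lines into candidate profile rules.

Added example modelled on aa-logprof's behaviour; it is not the tool
itself.  The sample log below is constructed from the entries quoted
in the bug report (pids and names are placeholders taken from it).
"""
import re
import shlex

# Constructed sample input: one representative line per denial type in the report.
SAMPLE_LOG = """\
kernel: [  101.000000] audit: type=1400 apparmor="DENIED" operation="capable" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" comm="firefox" capability=21 capname="sys_admin"
apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/4137/uid_map" comm="Gecko_IOThread" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
apparmor="DENIED" operation="dbus_bind" bus="session" name="org.mozilla.firefox.WAJxENJayq__" mask="bind" label="/usr/lib/firefox/firefox{,*[^s][^h]}"
apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/tmp/.X11-unix/X0" pid=4643 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
kernel: Gecko_IOThread[4795]: segfault at 0 ip aef1b0de sp aeb1a550 error 6 in libxul.so
"""

# A pid component under /proc, e.g. /proc/4137/ -> @{PROC}/@{pid}/
PROC_PID_RE = re.compile(r"^/proc/\d+/")


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED line, or None.

    Anything before the first 'apparmor=' (timestamps, audit headers) is
    dropped; shlex handles the double-quoted values, including the
    profile name with its {,*[^s][^h]} glob.
    """
    m = re.search(r"apparmor=.*", line)
    if not m:
        return None
    fields = {}
    for tok in shlex.split(m.group(0)):
        key, sep, val = tok.partition("=")
        if sep:
            fields[key] = val
    return fields if fields.get("apparmor") == "DENIED" else None


def generalize_path(path):
    """Rewrite a per-process /proc path with the profile variables used in the report."""
    return PROC_PID_RE.sub("@{PROC}/@{pid}/", path)


def suggest_rule(fields):
    """Map one parsed denial to a candidate rule string (None if unknown)."""
    op = fields.get("operation")
    if op == "capable":
        return "capability %s," % fields["capname"]
    if op == "dbus_bind":
        # Keep the exact well-known name; widening it (the report used
        # org.mozilla.firefox.*) is a reviewer's decision, not a log fact.
        return "dbus bind bus=%s name=%s," % (fields["bus"], fields["name"])
    if "name" in fields and "denied_mask" in fields:
        # File-path mediation (open, and connect to a path-based unix socket):
        # grant exactly the denied mask on the generalized path.
        path = generalize_path(fields["name"])
        # 'owner' restricts the rule to files owned by the task's fsuid, so it
        # can only satisfy a denial in which fsuid and ouid agree.
        owner = "owner " if fields.get("fsuid") == fields.get("ouid") else ""
        return "%s%s %s," % (owner, path, fields["denied_mask"])
    return None


def suggest_rules(log_text):
    """Return the unique candidate rules for every DENIED line in log_text, in order."""
    rules = []
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is None:
            continue
        rule = suggest_rule(fields)
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

Note what the translator does with the `connect` entry: because the audit line carries a `name=` path and a `denied_mask=`, it is handled as a file rule on the socket path (`/tmp/.X11-unix/X0 r,`), which is the same reading the reporter arrived at when adding `r` to the `abstractions/X` path rule; the `unix (connect)` rule under discussion addresses a different mediation layer and is not something this log line alone can justify.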

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1770600/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
