asamuzaK / withExEditorHost

Native messaging host for withExEditor
MIT License

ubuntu 18.04 apparmor firefox config breaks withExEditorHost #86

Closed jhnc closed 4 years ago

jhnc commented 4 years ago

This is not a bug with withExEditorHost but perhaps a note can be added to the documentation:

On at least Ubuntu 18.04, the apparmor config for firefox may prevent withExEditorHost from being run.

A workaround is to amend the apparmor config, or to disable it with: sudo aa-complain usr.bin.firefox

asamuzaK commented 4 years ago

Can you show a sample config to enable withExEditorHost?

If I understand correctly, sudo aa-complain usr.bin.firefox will enable any apps? If so, I don't think we should recommend that way.

jhnc commented 4 years ago

Sorry, I don't know much about apparmor or what config will allow withExEditorHost to run.

I don't think debian/ubuntu ship with firefox sandboxed. /usr/share/doc/firefox/README.Debian says:

If your system uses AppArmor, please note that the shipped profile is disabled
by default.

So it seems the situation is normally aa-disable already. If someone has done aa-enable usr.bin.firefox, they may (like me) just need the hint that it could be what is causing withExEditorHost (also widevine and other things) not to work.

asamuzaK commented 4 years ago

If we're going to document it, we need a specific solution.

jhnc commented 4 years ago

I think you should not provide a tutorial on how to configure apparmor. The default is for apparmor to be disabled for firefox so I think your documentation should just say something like:

If you have enabled apparmor for your web-browser, ensure the profile allows the withexeditorhost.sh script to be executed

There is probably no "specific solution" that is guaranteed to work for everyone using apparmor; the profile amendment required will depend on several factors. However, on my system, with aa-enforce I get logs containing:

[...] apparmor="DENIED" operation="exec" profile="firefox" name="/home/jhnc/.config/withexeditorhost/config/firefox/withexeditorhost.sh" [...] requested_mask="x" denied_mask="x" [...]

and it seems it may be enough for me to amend my profile to include:

  owner @{HOME}/.config/withexeditorhost/config/firefox/withexeditorhost.sh Ux,
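
The diagnosis described in the last comment can be scripted. This is an added example, not code from the thread or from withExEditorHost: it extracts the exec denials for one profile from audit records and prints a candidate rule to review. The log lines are constructed on the format quoted above, the function names are hypothetical, and `Ux` is kept only because it is the mode used in the thread; it runs the target unconfined with a scrubbed environment, so check each printed rule before adding it to a profile.

```python
import re

# Matches key="value" and key=value fields in a kernel audit record.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample records, modelled on the log line quoted in the thread.
HOST = "/home/jhnc/.config/withexeditorhost/config/firefox/withexeditorhost.sh"
SAMPLE_LOG = [
    'audit: type=1400 audit(1580000000.101:41): apparmor="DENIED" operation="exec" '
    'profile="firefox" name="%s" pid=4242 comm="firefox" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000' % HOST,
    'audit: type=1400 audit(1580000003.550:42): apparmor="DENIED" operation="exec" '
    'profile="firefox" name="%s" pid=4242 comm="firefox" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000' % HOST,
    'audit: type=1400 audit(1580000004.007:43): apparmor="DENIED" operation="open" '
    'profile="firefox" name="/etc/example.conf" pid=4242 comm="firefox" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # Complain mode logs ALLOWED instead of DENIED, so this is not a denial.
    'audit: type=1400 audit(1580000005.900:44): apparmor="ALLOWED" operation="exec" '
    'profile="firefox" name="/usr/bin/example" pid=4242 comm="firefox" '
    'requested_mask="x" denied_mask="x" fsuid=1000 ouid=0',
    'systemd[1]: Started Example Service.',
]

def parse_record(line):
    """Return the record's fields as a dict, or None for non-AppArmor lines."""
    if "apparmor=" not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def denied_execs(lines, profile):
    """Unique paths whose execution `profile` denied, in first-seen order."""
    paths = []
    for rec in filter(None, map(parse_record, lines)):
        if (rec.get("apparmor") == "DENIED" and rec.get("operation") == "exec"
                and rec.get("profile") == profile
                and "x" in rec.get("denied_mask", "")
                and rec.get("name") and rec["name"] not in paths):
            paths.append(rec["name"])
    return paths

def candidate_rule(path, home, mode="Ux"):
    """Format a rule for review; paths under `home` get `owner` and @{HOME}."""
    home = home.rstrip("/")
    if path.startswith(home + "/"):
        return "owner @{HOME}" + path[len(home):] + " " + mode + ","
    return path + " " + mode + ","

if __name__ == "__main__":
    for denied in denied_execs(SAMPLE_LOG, "firefox"):
        print(candidate_rule(denied, "/home/jhnc"))
```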