Closed jhnc closed 4 years ago
Can you show a sample config to enable withExEditorHost?
If I understand correctly, sudo aa-complain usr.bin.firefox will enable any apps?
If so, I don't think we should recommend that way.
Sorry, I don't know much about apparmor or what config will allow withExEditorHost to run.
I don't think debian/ubuntu ship with firefox sandboxed. /usr/share/doc/firefox/README.Debian says:
If your system uses AppArmor, please note that the shipped profile is disabled by default.
So it seems the situation is normally aa-disable already. If someone has done aa-enable usr.bin.firefox, they may (like me) just need the hint that it could be what is causing withExEditorHost (also widevine and other things) not to work.
If we're going to document it, we need a specific solution.
I think you should not provide a tutorial on how to configure apparmor. The default is for apparmor to be disabled for firefox so I think your documentation should just say something like:
If you have enabled apparmor for your web-browser, ensure the profile allows the withexeditorhost.sh script to be executed
There is probably no "specific solution" that is guaranteed to work for everyone using apparmor; the profile amendment required will depend on several factors. However, on my system, with aa-enforce I get logs containing:
[...] apparmor="DENIED" operation="exec" profile="firefox" name="/home/jhnc/.config/withexeditorhost/config/firefox/withexeditorhost.sh" [...] requested_mask="x" denied_mask="x" [...]
and it seems it may be enough for me to amend my profile to include:
owner @{HOME}/.config/withexeditorhost/config/firefox/withexeditorhost.sh Ux,
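The step described in the comment above, from a denial in the log to a single exec rule, as an added example that is not part of the original thread and not withExEditorHost code: it reads AppArmor audit records and proposes one narrowly scoped rule per denied exec, rather than putting the whole profile in complain mode. The sample records, the user alice and the function names are constructed for illustration.

```python
import re

# key="quoted" or key=bare pairs, as they appear in AppArmor audit records
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HOME_PREFIX = re.compile(r"^/home/[^/]+/")

def parse_record(line):
    """Return the record's fields as a dict (empty if the line has none)."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}

def suggest_exec_rules(lines, profile, exec_mode="Ux"):
    """Build one candidate profile rule per distinct exec denial for `profile`.

    exec_mode defaults to the Ux used in the thread (run unconfined, with the
    environment scrubbed); pass another mode to confine the helper instead.
    """
    rules = []
    for line in lines:
        f = parse_record(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        if f.get("operation") != "exec" or "x" not in f.get("denied_mask", ""):
            continue
        path = f.get("name", "")
        if not path.startswith("/"):  # hex-encoded or missing name: review by hand
            continue
        path = HOME_PREFIX.sub("@{HOME}/", path)
        # the 'owner' qualifier only matches when the process uid owns the file
        owned = "fsuid" in f and f["fsuid"] == f.get("ouid")
        rule = f"{'owner ' if owned else ''}{path} {exec_mode},"
        if rule not in rules:
            rules.append(rule)
    return rules

# Constructed sample records (user "alice", pid and timestamps are made up)
REC = ('audit: type=1400 audit(1580000000.{n}:{n}): apparmor="{verdict}" '
       'operation="{op}" profile="{prof}" name="{name}" pid=2101 comm="firefox" '
       'requested_mask="{mask}" denied_mask="{mask}" fsuid=1000 ouid=1000')
HELPER = "/home/alice/.config/withexeditorhost/config/firefox/withexeditorhost.sh"
SAMPLE_LOG = [
    REC.format(n=41, verdict="DENIED", op="exec", prof="firefox", name=HELPER, mask="x"),
    REC.format(n=42, verdict="DENIED", op="exec", prof="firefox", name=HELPER, mask="x"),
    REC.format(n=43, verdict="DENIED", op="open", prof="firefox", name="/home/alice/notes.txt", mask="r"),
    REC.format(n=44, verdict="DENIED", op="exec", prof="evince", name="/home/alice/bin/tool", mask="x"),
    REC.format(n=45, verdict="ALLOWED", op="exec", prof="firefox", name="/home/alice/bin/tool", mask="x"),
]

if __name__ == "__main__":
    print("\n".join(suggest_exec_rules(SAMPLE_LOG, "firefox")))
```

Review each proposed rule before adding it to the profile, then reload the profile (for example with apparmor_parser -r) so it takes effect.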
This is not a bug with withExEditorHost but perhaps a note can be added to the documentation:
On at least Ubuntu 18.04, the apparmor config for firefox may prevent withExEditorHost from being run. A workaround is to amend the apparmor config, or to disable it with:
sudo aa-complain usr.bin.firefox