glacambre / firenvim

Embed Neovim in Chrome, Firefox & others.
GNU General Public License v3.0

Detect potential AppArmor issues on `firenvim#install()` #1584

Open glacambre opened 8 months ago

glacambre commented 8 months ago

As found in https://github.com/glacambre/firenvim/issues/1583, Ubuntu's default AppArmor profile will prevent Firefox from running the firenvim script. There might be a quick and dirty way to figure out this is going to happen and warn the user about it.

ASong5 commented 8 months ago

Just out of curiosity, I decided to reinstall the snap version of firefox, and firenvim seems to work fine on it. I was under the impression it wouldn't work, so that was odd... I ran `sudo aa-status` and the snap version of firefox is indeed running an enforced apparmor profile. The audit logs I was getting before had to do with `oom_score_adj`:

```
2024-01-22T22:31:30.484611-05:00 user kernel: [42244.264590] audit: type=1400 audit(1705980690.479:2735): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/49463/oom_score_adj" pid=48647 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
```

I'm not well-versed with apparmor and its inner workings, but I thought that the profile listed in this message would be the name of the actual profile as shown in the output of `sudo aa-status`, though no profile governing either version of firefox goes by `/etc/apparmor.d/firefox/`. Hopefully someone more knowledgeable can provide some insight, but I figured I'd throw in some of my observations to maybe spark an idea for you or anyone else.

As far as preemptive detection goes, maybe making a call to aa-status and checking if firefox is running an enforced profile would suffice? I'm not entirely sure, but it seems like installing firefox straight from the mozilla site makes firefox run an unconfined profile anyways.
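
The two checks discussed in this thread, sketched as an added example (not firenvim code and not written by either commenter): one helper looks up the mode of a named profile in a `name (mode)` listing, the other pulls the AppArmor denials for a profile out of kernel audit lines. The helper names and the profile listing are constructed for illustration; the audit line is the one quoted above.

```sh
#!/bin/sh
# Added example: helper names and sample data are constructed, not firenvim code.

# profile_mode NAME: read "name (mode)" lines on stdin, the format of
# /sys/kernel/security/apparmor/profiles (usually root-only, like aa-status)
# and of /proc/<pid>/attr/current. Prints the mode, or "absent".
profile_mode() {
    awk -v want="$1" '
        match($0, / \([a-z]+\)$/) {
            name = substr($0, 1, RSTART - 1)
            mode = substr($0, RSTART + 2, RLENGTH - 3)
            if (name == want) { print mode; found = 1; exit }
        }
        END { if (!found) print "absent" }'
}

# denials_for_profile NAME: read kernel audit lines on stdin and print
# "operation denied_mask path" for each AppArmor denial under that profile.
denials_for_profile() {
    awk -v want="$1" '
        /apparmor="DENIED"/ {
            split("", f)                      # reset the field map
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (!eq) continue             # not a key=value token
                v = substr($i, eq + 1); gsub(/"/, "", v)
                f[substr($i, 1, eq - 1)] = v
            }
            if (f["profile"] == want)
                print f["operation"], f["denied_mask"], f["name"]
        }'
}

# Constructed profile listing (not taken from a real machine).
SAMPLE_PROFILES='/usr/bin/man (enforce)
firefox (enforce)
libreoffice-soffice (complain)'

# Audit line quoted in the thread above.
SAMPLE_AUDIT='2024-01-22T22:31:30.484611-05:00 user kernel: [42244.264590] audit: type=1400 audit(1705980690.479:2735): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/49463/oom_score_adj" pid=48647 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000'

printf '%s\n' "$SAMPLE_PROFILES" | profile_mode firefox
printf '%s\n' "$SAMPLE_AUDIT" | denials_for_profile firefox
```

The audit parser splits on whitespace, so it assumes profile names and paths without spaces, which holds for the line quoted above.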