Open KOLANICH opened 2 years ago
Might be intentional and not a regression.
Also, in this pull request, aa_change_onexec is replaced by aa_stack_onexec, which prevents transitions from a more-restricted domain to a less-restricted domain, and also allows transitions with the "No New Privileges" restriction enabled.
I'd like to ask: is the issue related to the custom AppArmor support, or to a specific AppArmor profile? Can Firefox be run with the firejail-default or unconfined profile? If it's running under a custom AppArmor profile, are there related AppArmor denial messages in the audit journal?
I've built Firejail from source today, and now I'm running Firefox under Firejail just fine. However, I use a custom AppArmor profile I've written myself (in my case, Firefox runs under firefox//&firejail-default AppArmor domain), and the AppArmor policy may differ between systems. Therefore, it may be an issue with AppArmor denying something important for a browser. For example, it may deny ptrace and signals due to security context mismatch, as well as some D-Bus access (if it's also mediated by AppArmor).
--apparmor (including usr.bin.firefox used in Ubuntu) doesn't result in any positive changes

apparmor="DENIED" operation="file_lock" profile="firefox" name="~/.cache/mesa_shader_cache/0f/hash.tmp" pid=1047295 comm="firefox:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000

Allowing this dir in firefox aa profile doesn't help.
However, I use a custom AppArmor profile I've written myself (in my case, Firefox runs under firefox//&firejail-default
Same here if I use apparmor firefox or, alternatively, apparmor /etc/apparmor.d/firefox in my firefox.local.
In other words, it's not working as intended. My custom AA profile is only used with ignore apparmor.
Note also that I've added include <abstractions/base.d/firejail-base> to my firefox AA profile. See here.
I think that, in order to figure out the reason for a bug, we need to know exactly what is blocked by AppArmor that is needed by Firefox. You can find it in the audit log.
Alright, this is the profile that I use (note that this profile is using a modified abstraction nameservice2 -- I've made it because of an execution rules conflict). Also, there is an xattr attachment -- you may need to remove it or set the extended attribute in order for this profile to attach correctly (as far as I know, it only affects automatic profile attachment and doesn't affect named transitions).
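As an added example (not code from this thread, from Firejail or from the profile's author), here is a small Python parser for AppArmor audit records in the key="value" form quoted earlier in the thread. It turns each record into a dict, keeps only the DENIED ones, counts them by profile, operation and denied mask so the most frequent blocked access comes first, and flags denials that happened inside a stacked domain (a profile name containing //&, as in firefox//&firejail-default), where both stacked profiles have to allow the access. The sample lines are constructed for illustration: the first is the denial quoted above, the other two are made up in the same shape.

```python
import re
from collections import Counter

# Constructed sample input: line 1 is the denial quoted in this thread;
# lines 2 and 3 are made-up records of the same shape (one of them ALLOWED,
# to show it being filtered out).
SAMPLE_AUDIT_LINES = [
    'apparmor="DENIED" operation="file_lock" profile="firefox" '
    'name="~/.cache/mesa_shader_cache/0f/hash.tmp" pid=1047295 '
    'comm="firefox:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000',
    'apparmor="DENIED" operation="ptrace" profile="firefox//&firejail-default" '
    'pid=1047300 comm="firefox" requested_mask="read" denied_mask="read" '
    'peer="firefox//&firejail-default"',
    'apparmor="ALLOWED" operation="open" profile="firefox" '
    'name="/etc/fonts/fonts.conf" pid=1047295 comm="firefox" '
    'requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

# key=value pairs; the value is either a double-quoted string (may contain
# spaces and $) or a bare token. The "audit: type=1400 ..." prefix that
# journalctl/dmesg prepend is just more key=value pairs, so it parses too.
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key -> value fields of one AppArmor audit record."""
    fields = {}
    for m in _KV_RE.finditer(line):
        key = m.group(1)
        fields[key] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def denials(lines):
    """Parse all lines and keep only records with apparmor="DENIED"."""
    parsed = (parse_audit_line(line) for line in lines)
    return [r for r in parsed if r.get("apparmor") == "DENIED"]


def summarize_denials(lines):
    """Count denials by (profile, operation, denied_mask), most frequent first.

    This is the triage view: it tells you which profile is missing which
    kind of rule, without reading every record by hand.
    """
    counts = Counter()
    for r in denials(lines):
        counts[(r.get("profile"), r.get("operation"), r.get("denied_mask"))] += 1
    return counts.most_common()


def suspicious_for_stacking(records):
    """Return denials raised inside a stacked domain (profile contains '//&').

    In a stacked domain every stacked profile must permit the access, so a
    rule that exists in one profile may still need adding to the other.
    """
    return [r for r in records if "//&" in r.get("profile", "")]


def report(lines):
    """Build a short human-readable summary of the denials in `lines`."""
    out = []
    for (profile, op, mask), n in summarize_denials(lines):
        out.append(f"{n:>4}  profile={profile} operation={op} denied_mask={mask}")
    stacked = suspicious_for_stacking(denials(lines))
    if stacked:
        out.append(f"{len(stacked)} denial(s) occurred in a stacked domain")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LINES))
```

Feed it real records with something like `journalctl -k | grep 'apparmor="DENIED"'`; the parser ignores anything on the line that is not a key=value pair.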
Description
7f3b6c19a0a87bfd240af7c0c9d61ae907668ce6 (#5274) has resulted in firefox being broken on Kubuntu 21.10 (impish). apparmor-profiles and apparmor-profiles-extra are installed.
and resolution of the conflict mitigate the issue.
Steps to Reproduce
Steps to reproduce the behavior:
firejail from the latest git with apparmor support, install it
firefox and see it crashed
Expected behavior
Actual behavior
master