netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

Regression: custom apparmor profile support resulted in broken Firefox #5462

Open KOLANICH opened 2 years ago

KOLANICH commented 2 years ago

Description

7f3b6c19a0a87bfd240af7c0c9d61ae907668ce6 (#5274) has resulted in firefox being broken on Kubuntu 21.10 (impish).

apparmor-profiles and apparmor-profiles-extra are installed.

git revert 7f3b6c19a0a87bfd240af7c0c9d61ae907668ce6

and resolving the conflict mitigates the issue.

Steps to Reproduce

  1. build firejail from the latest git with apparmor support, install it
  2. run firefox and see it crash
  3. revert the commit, build, install
  4. enjoy working Firefox

Behavior without a profile

--- nopr.log    2022-11-09 00:00:00.000000000 +0300
+++ crash.log   2022-11-09 00:00:00.000000000 +0300
@@ -1,4 +1,8 @@
+Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
 Parent pid AAAAA, child pid BBBBB
+Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
+Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
+Warning: cleaning all supplementary groups
 Child process initialized in nn.mm ms
 ATTENTION: default value of option mesa_glthread overridden by environment.
 libEGL warning: MESA-LOADER: failed to retrieve device information
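Review bot: the only lines this hunk adds before 'Child process initialized' are firejail's own set-up output (the two 'Seccomp list in: !chroot' lines, the abstract D-Bus socket warning and 'Warning: cleaning all supplementary groups'), which is what a profile adds over --noprofile; the Mesa loader lines are unchanged context on both sides. The hunk therefore records that crash.log ran with a profile and nopr.log without, but not which firejail build produced each log or which profile was loaded; state both in the report next to the diff.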
@@ -8,9 +12,14 @@
 libGL error: MESA-LOADER: failed to open amdgpu: /usr/lib/dri/amdgpu_dri.so: cannot open shared object file: No such file or directory (search paths /usr/lib/x86_64-linux-gnu/dri:\$${ORIGIN}/dri:/usr/lib/dri, suffix _dri)
 libGL error: failed to load driver: amdgpu
 ATTENTION: default value of option mesa_glthread overridden by environment.
+[Socket 82, IPC I/O Child] WARNING: Message needs unreceived descriptors channel:7ff11c694ef0 message-type:9109529 header()->num_handles:1 num_fds:0 fds_i:0: file /build/firefox-DSRShT/firefox-102.0+build2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:477
 libEGL warning: MESA-LOADER: failed to retrieve device information

 ATTENTION: default value of option mesa_glthread overridden by environment.
-libEGL warning: MESA-LOADER: failed to retrieve device information
+[Child 124, IPC I/O Child] WARNING: Message needs unreceived descriptors channel:7f30c0393570 message-type:3866642 header()->num_handles:1 num_fds:0 fds_i:0: file /build/firefox-DSRShT/firefox-102.0+build2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:477
+Exiting due to channel error.
+ExceptionHandler::GenerateDump cloned child 131
+ExceptionHandler::SendContinueSignalToChild sent continue signal to child
+ExceptionHandler::WaitForContinueSignal waiting for continue signal...

-ATTENTION: default value of option mesa_glthread overridden by environment.
+Parent is shutting down, bye...

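Review bot: the failure signature in this hunk is '[Child 124, IPC I/O Child] WARNING: Message needs unreceived descriptors ... header()->num_handles:1 num_fds:0' immediately followed by 'Exiting due to channel error' and then firejail's 'Parent is shutting down, bye...': the child's IPC channel expected one file descriptor to arrive with the message and received none, so the channel is torn down. That points at descriptor passing on the parent/child unix socket, not at the Mesa/amdgpu loader errors, which are present on the nopr.log side as well; when the AppArmor audit log is checked, a denial involving the child's label or a unix socket is the one to look for. The ipc_channel_posix.cc:477 location and the /build/firefox-DSRShT/firefox-102.0+build2 path identify the exact Firefox build, which is worth quoting in the report.
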
--- ok.log  2022-11-09 00:00:00.000000000 +0300
+++ crash.log   2022-11-09 00:00:00.000000000 +0300
@@ -5,11 +5,21 @@
 Warning: cleaning all supplementary groups
 Child process initialized in nn.mm ms
 ATTENTION: default value of option mesa_glthread overridden by environment.
+libEGL warning: MESA-LOADER: failed to retrieve device information
+
 ATTENTION: default value of option mesa_glthread overridden by environment.
+libGL error: MESA-LOADER: failed to retrieve device information
+libGL error: MESA-LOADER: failed to open amdgpu: /usr/lib/dri/amdgpu_dri.so: cannot open shared object file: No such file or directory (search paths /usr/lib/x86_64-linux-gnu/dri:\$${ORIGIN}/dri:/usr/lib/dri, suffix _dri)
+libGL error: failed to load driver: amdgpu
 ATTENTION: default value of option mesa_glthread overridden by environment.
+[Socket 82, IPC I/O Child] WARNING: Message needs unreceived descriptors channel:7ff11c694ef0 message-type:9109529 header()->num_handles:1 num_fds:0 fds_i:0: file /build/firefox-DSRShT/firefox-102.0+build2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:477
+libEGL warning: MESA-LOADER: failed to retrieve device information
+
 ATTENTION: default value of option mesa_glthread overridden by environment.
-Missing chrome or resource URL: resource://gre/modules/UpdateListener.jsm
-Missing chrome or resource URL: resource://gre/modules/UpdateListener.sys.mjs
-ATTENTION: default value of option mesa_glthread overridden by environment.
-ATTENTION: default value of option mesa_glthread overridden by environment.
+[Child 124, IPC I/O Child] WARNING: Message needs unreceived descriptors channel:7f30c0393570 message-type:3866642 header()->num_handles:1 num_fds:0 fds_i:0: file /build/firefox-DSRShT/firefox-102.0+build2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:477
+Exiting due to channel error.
+ExceptionHandler::GenerateDump cloned child 131
+ExceptionHandler::SendContinueSignalToChild sent continue signal to child
+ExceptionHandler::WaitForContinueSignal waiting for continue signal...

+Parent is shutting down, bye...

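Review bot: the unchanged leading context ('Warning: cleaning all supplementary groups', 'Child process initialized in nn.mm ms') shows that ok.log and crash.log were both produced with a profile and with identical sandbox set-up output; they diverge only after the child starts, where ok.log reaches the 'Missing chrome or resource URL: resource://gre/modules/UpdateListener.jsm' lines and crash.log stops at 'Exiting due to channel error'. The hunk does not record which firejail build produced which log or whether the apparmor directive was active in each run, so on its own it cannot separate the suspected commit from an AppArmor policy difference; add that information to the report.
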
--- ok.log  2022-11-09 00:00:00.000000000 +0300
+++ nopr.log    2022-11-09 00:00:00.000000000 +0300
@@ -1,15 +1,16 @@
-Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
 Parent pid AAAAA, child pid BBBBB
-Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
-Seccomp list in: !chroot, check list: @default-keep, prelist: unknown,
-Warning: cleaning all supplementary groups
 Child process initialized in nn.mm ms
 ATTENTION: default value of option mesa_glthread overridden by environment.
+libEGL warning: MESA-LOADER: failed to retrieve device information
+
 ATTENTION: default value of option mesa_glthread overridden by environment.
+libGL error: MESA-LOADER: failed to retrieve device information
+libGL error: MESA-LOADER: failed to open amdgpu: /usr/lib/dri/amdgpu_dri.so: cannot open shared object file: No such file or directory (search paths /usr/lib/x86_64-linux-gnu/dri:\$${ORIGIN}/dri:/usr/lib/dri, suffix _dri)
+libGL error: failed to load driver: amdgpu
 ATTENTION: default value of option mesa_glthread overridden by environment.
+libEGL warning: MESA-LOADER: failed to retrieve device information
+
 ATTENTION: default value of option mesa_glthread overridden by environment.
-Missing chrome or resource URL: resource://gre/modules/UpdateListener.jsm
-Missing chrome or resource URL: resource://gre/modules/UpdateListener.sys.mjs
-ATTENTION: default value of option mesa_glthread overridden by environment.
-ATTENTION: default value of option mesa_glthread overridden by environment.
+libEGL warning: MESA-LOADER: failed to retrieve device information

+ATTENTION: default value of option mesa_glthread overridden by environment.

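Review bot: this hunk removes the seccomp, D-Bus and supplementary-group lines, i.e. nopr.log is the --noprofile run and ok.log the profiled one, and the two then differ only in Mesa loader noise and the 'Missing chrome or resource URL' lines; neither shows the 'Exiting due to channel error' signature. Read together with the ok.log/crash.log diff above, this establishes that the profile's seccomp and D-Bus set-up is common to the working and the crashing run and is not the regression by itself, so the comparison that matters is the firejail build and the AppArmor policy in effect, not the profile preamble; attach the firefox.profile/firefox.local actually used and the commit each log was produced with.
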
Environment

firejail version 0.9.71

Compile time support:
    - always force nonewprivs support is disabled
    - AppArmor support is enabled
    - AppImage support is enabled
    - chroot support is enabled
    - D-BUS proxy support is enabled
    - file transfer support is enabled
    - firetunnel support is disabled
    - IDS support is disabled
    - networking support is enabled
    - output logging is enabled
    - overlayfs support is disabled
    - private-home support is enabled
    - private-cache and tmpfs as user enabled
    - SELinux support is disabled
    - user namespace support is enabled
    - X11 sandboxing support is enabled

rusty-snake commented 2 years ago

Might be intentional and not a regression.

Also, in this pull request, aa_change_onexec is replaced by aa_stack_onexec that prevents transition from more-restricted domain to less-restricted domain, and also allows transition with "No New Privileges" restriction enabled.

ChrysoliteAzalea commented 2 years ago

I'd like to ask, is the issue related to the custom AppArmor support, or with specific AppArmor profile? Can Firefox be run with firejail-default or unconfined profile? If it's running under custom AppArmor profile, are there related AppArmor denial messages in the audit journal?

ChrysoliteAzalea commented 2 years ago

I've built Firejail from source today, and now I'm running Firefox under Firejail just fine. However, I use a custom AppArmor profile I've written myself (in my case, Firefox runs under firefox//&firejail-default AppArmor domain), and the AppArmor policy may differ between systems. Therefore, it may be an issue with AppArmor denying something important for a browser. For example, it may deny ptrace and signals due to security context mismatch, as well as some D-Bus access (if it's also mediated by AppArmor).

KOLANICH commented 2 years ago
  1. Providing profiles via --apparmor (including usr.bin.firefox used in Ubuntu) doesn't result in any positive changes
  2. There is the following line in dmesg

`apparmor="DENIED" operation="file_lock" profile="firefox" name="~/.cache/mesa_shader_cache/0f/hash.tmp" pid=1047295 comm="firefox:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000`

Allowing this dir in firefox aa profile doesn't help.

curiosityseeker commented 2 years ago

However, I use a custom AppArmor profile I've written myself (in my case, Firefox runs under firefox//&firejail-default

Same here if I use

apparmor firefox

or, alternatively,

apparmor /etc/apparmor.d/firefox

in my firefox.local.

In other words, it's not working as intended. My custom AA profile is only used with ignore apparmor.

Note also that I've added include <abstractions/base.d/firejail-base> to my firefox AA profile. See here.

ChrysoliteAzalea commented 2 years ago

I think that, in order to figure out the reason for a bug, we need to know exactly what is blocked by AppArmor that is needed by Firefox. You can find it in the audit log.
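
A practical way to act on that advice is to parse the `apparmor="DENIED"` records out of the audit log or dmesg and draft the allow rule each one implies, so the reviewer sees at a glance whether the browser is being blocked on a file, on ptrace/signal between the stacked labels, or on D-Bus. The following script is an added example written for this page; it is not part of firejail and not code from anyone in the thread. It assumes the kernel's `key="value"` record format. The sample lines are constructed: the first is the reporter's mesa_shader_cache denial with `~` expanded to a full path as the kernel would log it, and the ptrace, signal and D-Bus records are invented in the shapes AppArmor uses for those mediations, with the stacked `firefox//&firejail-default` label that ChrysoliteAzalea describes.

```python
"""Turn AppArmor DENIED audit records into draft allow rules for review."""
import re

# Constructed sample input for this example (not real captured output).
# The final ALLOWED line stands in for complain-mode noise that must be ignored.
SAMPLE_AUDIT = """\
apparmor="DENIED" operation="file_lock" profile="firefox" name="/home/user/.cache/mesa_shader_cache/0f/hash.tmp" pid=1047295 comm="firefox:disk$0" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
apparmor="DENIED" operation="ptrace" profile="firefox//&firejail-default" pid=1047300 comm="firefox" requested_mask="read" denied_mask="read" peer="firefox//&firejail-default"
apparmor="DENIED" operation="signal" profile="firefox//&firejail-default" pid=1047300 comm="firefox" requested_mask="send" denied_mask="send" signal=term peer="firefox//&firejail-default"
apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=1047295 label="firefox//&firejail-default" peer_label="unconfined"
apparmor="ALLOWED" operation="open" profile="firefox" name="/etc/hosts" pid=1047295 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_value; audit values contain no unescaped quotes
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Return the fields of one AppArmor DENIED record, or None for anything
    else (ALLOWED/STATUS records, unrelated kernel messages)."""
    fields = {key: quoted or bare for key, quoted, bare in _KV.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def suggest_rule(rec):
    """Draft the narrowest allow rule that would have satisfied this denial.
    It is a starting point for the profile author, not something to paste blindly."""
    op = rec.get("operation", "")
    if op.startswith("dbus_"):
        # D-Bus records carry label=/peer_label= instead of profile=/peer=
        # and a plain mask= (send/receive/bind).
        return ("dbus {mask} bus={bus} path={path} interface={interface} "
                "member={member} peer=(label={peer_label}),").format(**rec)
    if op == "ptrace":
        # The peer is the full stacked label: a rule naming only "firefox"
        # does not match "firefox//&firejail-default", which is the context
        # mismatch that makes ptrace/signal fail between sandboxed processes.
        return "ptrace ({mask}) peer={peer},".format(mask=rec["denied_mask"], peer=rec["peer"])
    if op == "signal":
        return "signal ({mask}) set=({sig}) peer={peer},".format(
            mask=rec["denied_mask"], sig=rec["signal"], peer=rec["peer"])
    if rec.get("name", "").startswith("/"):
        # File rule. Use "owner" only when the accessing uid owns the file;
        # otherwise an owner-qualified rule would not match at runtime.
        owner = "owner " if rec.get("fsuid") == rec.get("ouid") else ""
        return "{o}{name} {mask},".format(o=owner, name=rec["name"], mask=rec["denied_mask"])
    return "# unhandled operation={op}: {rec}".format(op=op, rec=rec)


def suggest_rules(audit_text):
    """Map every DENIED record in the text to a draft rule, de-duplicated in order."""
    seen, out = set(), []
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rule = suggest_rule(rec)
        if rule not in seen:
            seen.add(rule)
            out.append(rule)
    return out


if __name__ == "__main__":
    # Feed real records with e.g.: dmesg | grep 'apparmor="DENIED"' | python3 this.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    for rule in suggest_rules(text):
        print(rule)
```

Run it over `dmesg` or `journalctl -k` output filtered for `apparmor="DENIED"`; a file rule such as the `k` (lock) permission on the shader cache is easy to add, whereas a ptrace, signal or D-Bus denial between `firefox` and `firefox//&firejail-default` indicates that the profile's peer rules name the wrong label, which is the kind of mismatch to look for when the IPC channel dies.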

ChrysoliteAzalea commented 2 years ago

Alright, this is the profile that I use (note that this profile uses a modified abstraction nameservice2; I made it because of an execution rules conflict). Also, there is a xattr attachment; you may need to remove it or set the extended attribute in order for this profile to attach correctly (as far as I know, it only affects automatic profile attachment and doesn't affect named transitions).

firefoxprofile.tar.gz