netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

firefox: dmesg: apparmor="DENIED" name="/opt/Firefox/update.test" #5872

Open Gerenuk opened 1 year ago

Gerenuk commented 1 year ago

Firefox with firejail seems to function normally, but I see error messages in dmesg:

audit: type=1400 audit: apparmor="DENIED" operation="mknod" class="file" profile="firejail-default" name="/opt/Firefox/update.test" pid=1379 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

This appears 3 times and does not repeat when I restart Firefox (with or without profile). I guess it's some type of update test that Firefox performs. /opt/Firefox is my Firefox directory and update.test usually does not exist.

I do not know if this impacts functionality of the update check. It's a minor issue, but I thought there shouldn't be stray error messages in dmesg and hopefully this is a small fix.

(firejail 0.9.72)

glitsj16 commented 1 year ago

How do you usually install your Firefox? And what OS is this?

Indeed, very likely this is Firefox's updater trying to write into /opt/Firefox/update.test. Usually, when installing Firefox via the native OS package manager, its app-internal updating functionality is disabled. Hence our default AppArmor profile only supports executing files under /opt:

https://github.com/netblue30/firejail/blob/fbd53a8f8cf91f6285e96a7c458f30798947c238/etc/apparmor/firejail-default#L98

Even if you wanted to, your user doesn't have the needed privileges to install pending updates to /opt/Firefox. Or at least they shouldn't have. So instead of messing with AppArmor options, to me it would make more sense to never allow such update checks in the first place (when running from under /opt). Could be as simple as setting app.update.auto to false in about:config.

If you disable FF auto-update, do you still get those messages? If for some reason you don't want to disable that, does appending a line like the one below to your /etc/apparmor.d/local/firejail-default stop those messages from showing up in dmesg? PLEASE NOTE that after making changes to anything under /etc/apparmor.d it's best to do a full reboot and let AppArmor refresh its cache. Not doing so could give incorrect results.

[...]
/opt/Firefox/update.test rw,

If that's too restrictive, try

[...]
/opt/Firefox/** rw,

Depending on the results of your testing we can make a more informed decision on adding to/fixing our default AppArmor files later on. Thanks for reporting!

Gerenuk commented 1 year ago

Usually I have a script which downloads the new binary from Mozilla and puts it into /opt/Firefox. I'm using Manjaro Linux, but not their Firefox package.

Using the first line /opt/Firefox/update.test rw, would give the dmesg message

audit: type=1400 audit: apparmor="DENIED" operation="mkdir" class="file" profile="firejail-default" name="/opt/Firefox/updates/" pid=1529 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

and an error in Firefox when it tries to update.

Using the second line /opt/Firefox/** rw, makes Firefox update successfully, but weirdly I still get another dmesg error message

audit: type=1400 audit: apparmor="DENIED" operation="mkdir" class="file" profile="firejail-default" name="/opt/update.test/" pid=1531 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Of course I would prefer to add such custom modification to ~/.config/firejail/... somehow instead of /etc.

I'm actually not sure if I want Firefox to automatically update itself, but I definitely want Firefox to tell me about new updates. And while that worked before, ideally I also do not see error messages in dmesg.

glitsj16 commented 1 year ago

Using the second line /opt/Firefox/** rw, makes Firefox update successfully, but weirdly I still get another dmesg error message audit: type=1400 audit: apparmor="DENIED" operation="mkdir" class="file" profile="firejail-default" name="/opt/update.test/" pid=1531 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

The error message shows that your Firefox tries to create /opt/update.test/, which isn't covered by the new /opt/Firefox/** rw, rule. So you'll have to allow that too:

/opt/update.test rw,
/opt/Firefox/** rw,
/opt/update.test/** rw,

Of course I would prefer to add such custom modification to ~/.config/firejail/... somehow instead of /etc.

That's not possible. AppArmor only accepts such overrides from /etc/apparmor.d/local/firejail-default, which expands /etc/apparmor.d/firejail-default automatically. If you install Firejail via pacman from Manjaro's repositories these customizations will survive future Firejail upgrades via the backup configuration.

Please test these rules again and report back. You can use Firefox's internal configuration to only have it show you available updates without automatically installing them. If you could implement this 'new Firefox upgrade available' logic into your shell script it would simplify things.

Gerenuk commented 1 year ago

With these 3 lines there are no more dmesg audit messages. Thanks! I know how to reconfigure things now. I'll probably set Firefox to check for updates, but not perform them. And I'll play with these 3 lines to remove all dmesg audit messages.

I think it would be better to not allow the whole Firefox directory, as it's the whole point of security to restrict access.
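The back-and-forth above (an exact-path rule that leaves the mkdir on /opt/Firefox/updates/ denied, then a /opt/Firefox/** rule that still misses /opt/update.test/) is the usual loop when tightening an AppArmor local override: read the DENIED line, write the narrowest rule that satisfies it, re-check. The script below automates that loop over the three audit lines quoted in this issue. It is an added example for this thread, not code from firejail or from any of the commenters. It assumes a simplified model of apparmor.d(5) globbing (`*` stays within one path component, `**` crosses `/`), which is a convenience re-implementation rather than the real apparmor_parser matcher, and its mapping of audit mask letters (c, d, a) onto the `w` rule permission is our own reading of the audit format. The sample log lines are copied from the issue and embedded as constructed input, so it runs offline with no AppArmor on the host.

```python
"""Derive minimal AppArmor local-override rules from audit DENIED lines and
check which denials a candidate rule set actually covers.

Added example for this firejail issue, not project code. The glob model and
the mask-to-permission table below are assumptions documented in the lead-in.
"""
import re
from typing import Dict, List

# Constructed sample input: the three denials quoted in the issue thread.
SAMPLE_DMESG = """\
audit: type=1400 audit: apparmor="DENIED" operation="mknod" class="file" profile="firejail-default" name="/opt/Firefox/update.test" pid=1379 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit: apparmor="DENIED" operation="mkdir" class="file" profile="firejail-default" name="/opt/Firefox/updates/" pid=1529 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit: apparmor="DENIED" operation="mkdir" class="file" profile="firejail-default" name="/opt/update.test/" pid=1531 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bareword, as printed by the audit subsystem.
_KV = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')

# Assumed mapping from audit mask letters to rule permissions: create,
# delete and append all need 'w' in a file rule; exec ('x') is deliberately
# left out because it needs an explicit qualifier (ix/px/...) a human chooses.
_MASK_TO_PERM = {"r": "r", "w": "w", "a": "w", "c": "w", "d": "w",
                 "k": "k", "m": "m", "l": "l"}


def parse_denials(text: str) -> List[Dict[str, str]]:
    """Return one field dict per apparmor="DENIED" line; other lines are skipped."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        fields = {}
        for m in _KV.finditer(line):
            if m.group(1) is not None:
                fields[m.group(1)] = m.group(2)
            else:
                fields[m.group(3)] = m.group(4)
        denials.append(fields)
    return denials


def _needed_perms(denial: Dict[str, str]) -> set:
    return {_MASK_TO_PERM[c] for c in denial["denied_mask"] if c in _MASK_TO_PERM}


def rule_for(denial: Dict[str, str]) -> str:
    """Narrowest file rule for one denial: the exact path (a trailing '/'
    from mkdir stays, so it is a directory rule) and only the denied perms."""
    perms = "".join(sorted(_needed_perms(denial)))
    return f'{denial["name"]} {perms},'


def minimal_rules(text: str) -> List[str]:
    """Deduplicated exact-path rules for every denial in the log text."""
    rules: List[str] = []
    for d in parse_denials(text):
        r = rule_for(d)
        if r not in rules:
            rules.append(r)
    return rules


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Simplified apparmor.d(5) globbing: '*' matches within one path
    component, '**' matches across '/', '?' matches one non-'/' character."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*" and i + 1 < len(pattern) and pattern[i + 1] == "*":
            out.append(".*")
            i += 2
            continue
        out.append("[^/]*" if ch == "*" else "[^/]" if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_covers(rule: str, denial: Dict[str, str]) -> bool:
    """True if `rule` ('<path-glob> <perms>,') grants every denied permission."""
    path, perms = rule.rstrip(",").rsplit(None, 1)
    return (glob_to_regex(path).match(denial["name"]) is not None
            and _needed_perms(denial) <= set(perms))


def uncovered(rules: List[str], denials: List[Dict[str, str]]) -> List[str]:
    """Paths that would still be denied under `rules`."""
    return [d["name"] for d in denials if not any(rule_covers(r, d) for r in rules)]


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_DMESG)
    for attempt in (["/opt/Firefox/update.test rw,"], ["/opt/Firefox/** rw,"]):
        print(attempt, "still denies:", uncovered(attempt, denials))
    print("minimal override:")
    print("\n".join(minimal_rules(SAMPLE_DMESG)))
```

Paste the minimal rules into /etc/apparmor.d/local/firejail-default and reload (or reboot, as advised above) rather than widening to /opt/Firefox/** rw, which also grants write access to the Firefox binaries themselves; re-run the script on any new DENIED lines to extend the set one path at a time.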