Has anyone observed any undesirable behavior from Firefox when access to these mount-related DBus services is denied?
It's not clear to me why Firefox is even calling these in the first place, and given that mounts can include NFS servers and the like, I'd just as soon deny this access if there's no good reason for it.

-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1553712

Title:
  usr.bin.firefox apparmor profile blocks access to mounttracker

Status in firefox package in Ubuntu:
  Confirmed

Bug description:
  When I launch Firefox with apparmor enabled, I get the following errors:

  Mar 6 13:21:19 tigreraye dbus[2570]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo" mask="send" name=":1.46" pid=6604 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=2781 peer_label="unconfined"
  Mar 6 17:31:04 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="IsSupported" mask="send" name=":1.71" pid=4480 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4327 peer_label="unconfined"
  Mar 6 17:31:04 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMounts" mask="send" name=":1.43" pid=4480 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4206 peer_label="unconfined"
  Mar 6 17:31:04 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="LookupMount" mask="send" name=":1.43" pid=4480 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4206 peer_label="unconfined"
  Mar 6 18:47:12 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="List" mask="send" name=":1.76" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4333 peer_label="unconfined"
  Mar 6 19:31:11 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="DriveChanged" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
  Mar 6 19:32:10 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="VolumeAdded" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
  Mar 6 19:43:24 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountPreUnmount" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
  Mar 6 19:43:24 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="VolumeChanged" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
  Mar 6 19:43:24 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountChanged" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
  Mar 6 19:43:24 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountRemoved" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
  Mar 6 19:43:25 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="VolumeRemoved" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
  Mar 6 19:43:28 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="DriveDisconnected" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
  Mar 6 19:43:35 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="DriveConnected" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
  Mar 6 19:53:42 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountAdded" name=":1.49" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4246 peer_label="unconfined"
  Mar 6 20:57:28 tigreraye dbus[4030]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="Mounted" name=":1.43" mask="receive" pid=13082 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=4206 peer_label="unconfined"

  Adding the following lines to the apparmor profile fixes the issue:

  dbus send bus=session path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMountableInfo",
  dbus send bus=session path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMounts",
  dbus send bus=session path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="LookupMount",
  dbus receive bus=session path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="Mounted",
  dbus send bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="IsSupported",
  dbus send bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="List",
  dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="DriveChanged",
  dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="DriveDisconnected",
  dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="DriveConnected",
  dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="VolumeAdded",
  dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="VolumeRemoved",
  dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="VolumeChanged",
  dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountPreUnmount",
  dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountChanged",
  dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountRemoved",
  dbus receive bus=session path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="MountAdded",
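
A triage helper for denials like those quoted in the report, added here as an example (not part of the original message or of any Ubuntu tooling): it parses `apparmor="DENIED"` D-Bus log lines and emits one de-duplicated rule per denied call, either as allow rules like those proposed in the bug or, with `deny=True`, as explicit `deny` rules for the approach the reply prefers. The function names, the `label_prefix` parameter and the sample log lines are assumptions constructed for illustration.

```python
import re

# Constructed sample input. Lines 1-2 follow the denials quoted in the report;
# line 3 repeats line 1, line 4 is another profile, line 5 is a file denial.
_FF = 'label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_label="unconfined"'
_MT = 'bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker"'
_RVM = ('bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" '
        'interface="org.gtk.Private.RemoteVolumeMonitor"')
SAMPLE_LOG = "\n".join([
    f'Mar  6 13:21:19 host dbus[2570]: apparmor="DENIED" operation="dbus_method_call" {_MT} member="ListMountableInfo" mask="send" name=":1.46" pid=6604 {_FF}',
    f'Mar  6 19:31:11 host dbus[4030]: apparmor="DENIED" operation="dbus_signal" {_RVM} member="DriveChanged" name=":1.49" mask="receive" pid=13082 {_FF}',
    f'Mar  6 19:40:00 host dbus[4030]: apparmor="DENIED" operation="dbus_method_call" {_MT} member="ListMountableInfo" mask="send" name=":1.46" pid=6604 {_FF}',
    f'Mar  6 19:41:00 host dbus[4030]: apparmor="DENIED" operation="dbus_method_call" {_MT} member="ListMounts" mask="send" name=":1.50" pid=7001 label="/usr/bin/example-viewer"',
    'Mar  6 19:42:00 host kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/fstab" pid=6604 requested_mask="r"',
])

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
NEEDED = ("mask", "bus", "path", "interface", "member", "label")

def parse_denial(line):
    """Return the key=value fields of an AppArmor D-Bus denial line, else None."""
    f = {key: quoted or bare for key, quoted, bare in KV.findall(line)}
    if f.get("apparmor") != "DENIED" or not f.get("operation", "").startswith("dbus_"):
        return None  # not a denial, or a denial of something other than D-Bus
    return f if all(k in f for k in NEEDED) else None

def rules_from_log(text, label_prefix="/usr/lib/firefox/", deny=False):
    """One de-duplicated dbus rule per denied call logged for the given profile label."""
    rules = []
    for line in text.splitlines():
        f = parse_denial(line)
        if f is None or not f["label"].startswith(label_prefix):
            continue
        if f["mask"] not in ("send", "receive"):
            continue
        rule = '{}dbus {} bus={} path="{}" interface="{}" member="{}",'.format(
            "deny " if deny else "", f["mask"], f["bus"], f["path"], f["interface"], f["member"])
        if rule not in rules:  # the same call is usually denied many times
            rules.append(rule)
    return rules

if __name__ == "__main__":
    print("\n".join(rules_from_log(SAMPLE_LOG)))
```

An explicit `deny` rule also stops AppArmor from logging the denial, so the `deny=True` output quiets the log without granting Firefox access to the mount services.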

