Firefox uses cap_sys_admin to set up its sandbox, which is extremely
unfortunate but required on Linux to be able to set up the
user_namespace, do the chroot etc. Currently the LSM and user namespaces
don't interact as well as they should.

AppArmor can NOT properly determine the policy namespace that it should
be in with the user_namespace after Firefox enters its sandbox. This
results in the cap_sys_admin messages.

This is a known problem and we are working on it. At the moment we
recommend granting the capability in the profile and letting Firefox
set up its sandbox. Unfortunately this means you can't guarantee the rest
of the program isn't doing things it shouldn't.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1861408

Title:
  firefox apparmor messages

Status in apparmor package in Ubuntu:
  New
Status in firefox package in Ubuntu:
  New

Bug description:
  Firefox version 72.0.1 64 bit, 72.0.1+linuxmint1+tricia, Linux Mint
  19.3.

  I see there is a newer Ubuntu version at
  https://www.ubuntuupdates.org/package/ubuntu_mozilla_security/bionic/main/base/firefox
  , 72.0.2+build1-0ubuntu0.18.04.1, but its changes are not for
  AppArmor.

  I have not found a page for Firefox bugs on Linux Mint sites, so I
  believe I should report here. But I have also asked about that in Linux
  Mint's IRC and then GitHub.

  I have enabled AppArmor for Firefox and see these types of messages in
  syslog:

  Jan 28 18:43:33 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[735]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.111' (uid=1000 pid=1922 comm="/usr/lib/firefox/firefox " label="unconfined")

  Jan 28 18:44:36 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 5525.077960] audit: type=1400 audit(1580226276.440:27): apparmor="DENIED" operation="capable" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=15948 comm="firefox" capability=21  capname="sys_admin"

  Jan 28 18:44:37 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 5526.471731] audit: type=1107 audit(1580226277.832:28): pid=735 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/RealtimeKit1" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.RealtimeKit1" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1320 peer_label="unconfined"

  Jan 28 18:44:47 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.10" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1262 peer_label="unconfined"

  Jan 28 18:44:47 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="IsSupported" mask="send" name=":1.35" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1385 peer_label="unconfined"

  Jan 28 18:44:47 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMounts2" mask="send" name=":1.10" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1262 peer_label="unconfined"

  Jan 28 18:44:47 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="LookupMount" mask="send" name=":1.10" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1262 peer_label="unconfined"

  Jan 28 18:44:48 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[735]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.119' (uid=1000 pid=15948 comm="/usr/lib/firefox/firefox " label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)")

  Jan 28 18:44:48 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 5536.783313] audit: type=1107 audit(1580226288.143:34): pid=735 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.120" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=16177 peer_label="unconfined"

  Jan 28 18:45:02 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Change" mask="send" name="ca.desrt.dconf" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1370 peer_label="unconfined"

  Jan 28 21:51:30 dinar-HP-Pavilion-g7-Notebook-PC kernel: [10131.880788] audit: type=1400 audit(1580237490.777:123): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/dinar/.cache/mesa_shader_cache/index" pid=19720 comm="firefox" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

  These appeared while saving a file:

  Jan 30 11:08:28 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1151]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Change" mask="send" name="ca.desrt.dconf" pid=1584 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1301 peer_label="unconfined"

  Jan 30 11:08:28 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 464.049675] audit: type=1400 audit(1580371708.871:38): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/dinar/.local/share/gvfs-metadata/home" pid=1584 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

  These appeared while running "firefox -p":

  Jan 30 11:41:23 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1151]: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Notify" name=":1.21" mask="receive" pid=1584 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1301 peer_label="unconfined"

  Jan 30 11:42:07 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[762]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.90' (uid=1000 pid=2892 comm="xed /home/dinar/?????????????? ????????/??????????" label="unconfined")
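As an added example (not part of the bug report or of the AppArmor developer's reply): a small Python triage script that parses AppArmor DENIED lines of the kinds quoted above, in both the kernel audit form (including type=1107 lines that wrap the fields in msg='...') and the dbus-daemon form, and sorts them into capability, D-Bus and file denials, marking the sys_admin capability denial as the sandbox-setup case the reply describes. The sample lines are constructed from the report's entries with the hostname shortened; the category names and notes are my own.

```python
import re
from collections import Counter

# Constructed sample: entries from the report above, joined onto one line
# each with the hostname shortened; the key=value payloads are the report's.
SAMPLE_LOG = """\
Jan 28 18:44:36 host kernel: [ 5525.077960] audit: type=1400 audit(1580226276.440:27): apparmor="DENIED" operation="capable" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=15948 comm="firefox" capability=21  capname="sys_admin"
Jan 28 18:44:47 host dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMounts2" mask="send" name=":1.10" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1262 peer_label="unconfined"
Jan 28 21:51:30 host kernel: [10131.880788] audit: type=1400 audit(1580237490.777:123): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/dinar/.cache/mesa_shader_cache/index" pid=19720 comm="firefox" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Jan 28 18:44:48 host dbus-daemon[735]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.119' (uid=1000 pid=15948 comm="/usr/lib/firefox/firefox " label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)")
"""

# key="quoted value" or key=bareword; only quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key/value fields of an AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    # type=1107 kernel lines wrap the AppArmor fields in msg='...'; keeping
    # only that part also drops the auditing dbus-daemon's own pid/uid.
    payload = line.split("msg='", 1)[-1].rstrip("'")
    fields = {k: (u or q) for k, q, u in KV_RE.findall(payload)}
    # kernel lines call the confined task "profile", dbus-daemon lines "label"
    fields.setdefault("profile", fields.get("label"))
    return fields

def classify(fields):
    """Sort a denial by the kind of profile rule that would address it."""
    op = fields.get("operation")
    if op == "capable":
        cap = fields.get("capname", "?")
        if cap == "sys_admin":  # the sandbox-setup case from the reply above
            return ("capability", cap, "sandbox setup; known AppArmor/user-namespace issue")
        return ("capability", cap, "review before granting")
    if op and op.startswith("dbus_"):
        target = f'{fields.get("bus")} {fields.get("interface")}.{fields.get("member")}'
        return ("dbus", target, "needs a dbus rule, or is expected noise")
    if "denied_mask" in fields:
        return ("file", f'{fields.get("name")} ({fields["denied_mask"]})', "needs a file rule")
    return ("other", op, "inspect manually")

def summarize(log_text):
    """Tally DENIED lines by (category, target); return the tally and notes."""
    tally, notes = Counter(), {}
    for fields in filter(None, map(parse_denial, log_text.splitlines())):
        category, target, note = classify(fields)
        tally[(category, target)] += 1
        notes[(category, target)] = note
    return tally, notes
```

Feed it the output of `journalctl -k` or syslog to get a count per target, which is the list a profile maintainer actually works from rather than the raw stream.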
