I can not speak to specifics but there are a lot of potential reason's a packager (not firefox specific) might not be updating the profile.
- They don't use the profile / or maybe apparmor. (package maintainership evolves and not everyone who might even be aware of it without digging in) - The auto package tests don't report a failure. This could be the tests aren't set up to use apparmor or just that they don't have a specific test for a change. Packagers are often very busy and won't dig into an update unless there are problems being reported. - The packager can be using a different kernel version which results in apparmor or the kernel/apparmor having different features being used. Yes they should be testing on a given release but there are HWE kernels and upstream kernel builds that users may be using that are different from what the packager tests on. - Testing didn't show up an issue, but a different config or usage pattern that a user has will show up an issue. - The packager is not familiar with apparmor and can't or at least doesn't feel compfortable updating the profile. - The upstream packager tries to maintain a single profile version for all releases of a package. Eg. FF 71 is released on multiple distro versions (xenial, bionic, ...) each of those distros have different kernels and the application will use different features and apparmor presents different features. - AppArmor does not provide adequate means to distribute/use a single profile version across multiple releases when the features required are significantly different. I am not arguing that the profile should not be updated, just providing some reasons for why it might not be. Ideally it should be tested, and updated if necessary with every release especially when the profile is part of the package. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1861408 Title: firefox apparmor messages Status in apparmor package in Ubuntu: New Status in firefox package in Ubuntu: New Bug description: firefox version 72.0.1 64 bit, 72.0.1+linuxmint1+tricia , linux mint 19.3. i see there is newer ubuntu version in https://www.ubuntuupdates.org/package/ubuntu_mozilla_security/bionic/main/base/firefox , 72.0.2+build1-0ubuntu0.18.04.1 , but its changes are not for apparmor. i have not found a page for firefox bugs in linux mint sites, so i belive i should report here. but i have also asked about that in linux mint's irc and then github. i have enabled apparmor for firefox and see these types of messages in syslog: Jan 28 18:43:33 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[735]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus- org.freedesktop.hostname1.service' requested by ':1.111' (uid=1000 pid=1922 comm="/usr/lib/firefox/firefox " label="unconfined") Jan 28 18:44:36 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 5525.077960] audit: type=1400 audit(1580226276.440:27): apparmor="DENIED" operation="capable" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=15948 comm="firefox" capability=21 capname="sys_admin" Jan 28 18:44:37 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 5526.471731] audit: type=1107 audit(1580226277.832:28): pid=735 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/RealtimeKit1" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.RealtimeKit1" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1320 peer_label="unconfined" Jan 28 18:44:47 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.10" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1262 peer_label="unconfined" Jan 28 18:44:47 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="IsSupported" mask="send" name=":1.35" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1385 peer_label="unconfined" Jan 28 18:44:47 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMounts2" mask="send" name=":1.10" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1262 peer_label="unconfined" Jan 28 18:44:47 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="LookupMount" mask="send" name=":1.10" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1262 peer_label="unconfined" Jan 28 18:44:48 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[735]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus- org.freedesktop.hostname1.service' requested by ':1.119' (uid=1000 pid=15948 comm="/usr/lib/firefox/firefox " label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)") Jan 28 18:44:48 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 5536.783313] audit: type=1107 audit(1580226288.143:34): pid=735 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.120" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=16177 peer_label="unconfined" Jan 28 18:45:02 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Change" mask="send" name="ca.desrt.dconf" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1370 peer_label="unconfined" Jan 28 21:51:30 dinar-HP-Pavilion-g7-Notebook-PC kernel: [10131.880788] audit: type=1400 audit(1580237490.777:123): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/dinar/.cache/mesa_shader_cache/index" pid=19720 comm="firefox" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000 these appeared while saving a file: Jan 30 11:08:28 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1151]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Change" mask="send" name="ca.desrt.dconf" pid=1584 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1301 peer_label="unconfined" Jan 30 11:08:28 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 464.049675] audit: type=1400 audit(1580371708.871:38): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/dinar/.local/share/gvfs-metadata/home" pid=1584 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000 these appeared while runned "firefox -p": Jan 30 11:41:23 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1151]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Notify" name=":1.21" mask="receive" pid=1584 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1301 peer_label="unconfined" Jan 30 11:42:07 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[762]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus- org.freedesktop.hostname1.service' requested by ':1.90' (uid=1000 pid=2892 comm="xed /home/dinar/?????????????? ????????/??????????" label="unconfined") To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1861408/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
