for firefox 107.0.1 in linux mint 20.3 based on Ubuntu 20.04, when task
manager is opened, this rule is needed:
owner @{PROC}/[0-9]*/task/[0-9]*/comm r,
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.laun
messages when opening a file:
several lines of type
Jul 8 09:28:31 dinar-comp kernel: [436272.154664] audit: type=1400
audit(1594189711.176:1784): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice" name= pid=194987 comm="pool-soffice"
requested_mask="r" denied_mask="r" fsuid=
i modified it to this:
owner @{libo_user_dirs}/{,**/}lu??*.tmp rwk, #Temporary file used when saving
and reloaded profile with this
sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.lib.libreoffice.program.soffice.bin
and the messages (of the last type) disappeared.
--
messages, while starting firefox, after updating ubuntu to 20.10:
Jan 11 23:26:48 dinar-comp kernel: [ 181.634648] audit: type=1400
audit(1610396808.475:44): apparmor="DENIED" operation="open" profile="firefox"
name="/proc/2003/cgroup" pid=2003 comm="firefox" requested_mask="r"
denied_mask="r"
i think i should say: does not work. i cannot test that computer now.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to alsa-driver in Ubuntu.
https://bugs.launchpad.net/bugs/1004829
Title:
[GA-MA74GMT-S2, Realtek ALC887-VD, Pink Mic, Fr
mic connected to front is not working with this motherboard in ubuntu
20.04.
--
after update to 76.0.1, fontconfig messages started again to appear on every
page opening.
i added
deny @{HOME}/.{,cache/}fontconfig/** w,
to abstractions/fonts, reloaded profile, and those notifications stopped
appearing.
--
Public bug reported:
May 24 17:02:54 dinar-comp kernel: [ 6432.118240] audit: type=1400
audit(1590328974.037:195): apparmor="DENIED" operation="capable"
profile="/usr/sbin/cups-browsed" pid=27786 comm="cups-browsed"
capability=23 capname="sys_nice"
these messages started to appear after upgrade u
python message after update to ubuntu 20.04 :
May 29 08:54:00 dinar-comp kernel: [ 369.424679] audit: type=1400
audit(1590731640.601:54): apparmor="DENIED" operation="file_mmap"
profile="firefox//lsb_release" name="/usr/bin/python3.8" pid=2939 comm="lsb_release"
requested_mask="r" denied_mask="
and
Feb 3 18:05:11 dinar-HP-Pavilion-g7-Notebook-PC kernel: [83143.894148]
audit: type=1400 audit(1612364711.925:597): apparmor="ALLOWED"
operation="open" profile="libreoffice-soffice" name="/proc/version"
pid=45709 comm="soffice.bin" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
--
this appeared on libreoffice 6.4.6.2 on linux mint 20
(1:6.4.6-0ubuntu0.20.04.1):
Feb 3 12:30:34 dinar-HP-Pavilion-g7-Notebook-PC kernel: [79901.149664] audit:
type=1400 audit(1612344634.103:584): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/usr/share/zoneinfo-icu/4
appeared when opening a file from a manually mounted partition:
May 6 14:59:12 dinar-comp kernel: [544099.237323] audit: type=1400
audit(1588766352.217:3081): apparmor="DENIED" operation="open"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/run/user/1000/ICEauthority" pid=6886 comm="fire
i changed /usr/bin/python3.[0-6] mr, to /usr/bin/python3.[0-7] mr, and
the python message disappeared while starting firefox.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1861408
Titl
i said on feb 4:
"dbus_method_call messages still appear in logs, while saving. i do not know
why they are not reported by aa-notify."
i made this report on apparmor site on march 7:
https://gitlab.com/apparmor/apparmor/-/issues/81
"aa-notify does not show messages about dbus"
** Bug watch added:
message when switching to read mode:
Feb 26 13:13:13 dinar-HP-Pavilion-g7-Notebook-PC kernel: [64008.165294] audit:
type=1400 audit(1582711993.444:302): apparmor="DENIED" operation="exec"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/usr/bin/speech-dispatcher" pid=30443 comm=737065656368
i have reenabled the capability rules and added these to them, also from
the chromium profile:
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/uid_map w,
owner @{PROC}/@{pid}/gid_map w,
.
i have prepared dbus rules:
dbus send
bus=system
path=/org/freedesktop/RealtimeKi
what is ubuntu's policy for updating this profile? it looks like package
maintainers are not updating this profile on every package update. why?
--
this is fixed in nemo 4.4.2 (cinnamon fork). i am also going to check
this in mate fork soon.
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to nautilus in Ubuntu.
https://bugs.launchpad.net/bugs/669882
Title:
nautilus unexpextedly chan
this is also fixed in caja 1.22.2 (mate fork).
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to nautilus in Ubuntu.
https://bugs.launchpad.net/bugs/669882
Title:
nautilus unexpextedly changes modification time when moving files to
oth
seems these are links to browse the profiles online:
https://bazaar.launchpad.net/~mozillateam/firefox/firefox.focal/view/head:/debian/usr.bin.firefox.apparmor.14.10
https://git.launchpad.net/apparmor/tree/profiles/apparmor.d/abstractions
--
i have simplified all of these messages, i hope this is helpful:
sys_admin
dbus_method_call path="/org/freedesktop/RealtimeKit1" member="Get"
name="org.freedesktop.RealtimeKit1"
dbus_method_call path="/org/gtk/vfs/Daemon" member="ListMonitorImplementations"
dbus_method_call path="/org/gtk/Private/
** Package changed: firefox (Ubuntu) => apparmor (Ubuntu)
** Also affects: firefox (Ubuntu)
Importance: Undecided
Status: New
--
i modified /etc/apparmor.d/abstractions/fonts by adding w to
owner @{HOME}/.{,cache/}fontconfig/ r,
and replaced ff apparmor profile with "sudo apparmor_parser -r -T -W
/etc/apparmor.d/usr.bin.firefox".
then i tried to open a page, and i got these:
Feb 3 21:26:26 dinar-Lenovo-G580 kernel: [140
i added w to
owner @{HOME}/.{,cache/}fontconfig/** mrl,
in /etc/apparmor.d/abstractions/fonts
and after profile replace, frequent messages stopped.
--
i think
Jan 30 11:08:28 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 464.049675]
audit: type=1400 audit(1580371708.871:38): apparmor="DENIED"
operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/dinar/.local/share/gvfs-metadata/home" pid=1584 comm="pool"
requested_mask="r" de
i have added these lines:
in /etc/apparmor.d/abstractions/gnome :
@{HOME}/.local/share/gvfs-metadata/** r,
in /etc/apparmor.d/abstractions/xdg-desktop :
owner @{HOME}/.cache/mesa_shader_cache/** rw,
and messages (i use aa-notify) when saving disappeared.
dbus_method_call messages still appear
Public bug reported:
libreoffice accesses firefox's cert8.db and key3.db, i have found this from
apparmor log messages.
i googled "libreoffice cert8.db key3.db" and have found out that it seems
libreoffice does this by design. see
https://bugs.documentfoundation.org/show_bug.cgi?id=119811 ,
https
Feb 6 20:53:48 dinar-Lenovo-G580 kernel: [104675.599346] audit: type=1400
audit(1581011628.880:900): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice"
name="/home/dinar/.mozilla/firefox/sge95l3o.default/cert8.db" pid=16630
comm="soffice.bin" requested_mask="w" denied_mask="w" f
Public bug reported:
i started today an empty libreoffice writer and see 5 messages of this
type:
Feb 13 15:33:04 dinar-Lenovo-G580 kernel: [14684.517380] audit:
type=1400 audit(1581597184.725:87): apparmor="ALLOWED" operation="open"
profile="libreoffice-soffice" name="/usr/share/drirc.d/00-mesa-
Public bug reported:
i opened libreoffice writer, then, after some time, clicked a document,
to open it in libreoffice, and i see these messages in syslog:
Feb 13 16:24:49 dinar-Lenovo-G580 kernel: [17788.979570] audit: type=1400
audit(1581600289.824:108): apparmor="ALLOWED" operation="connect"
Public bug reported:
i have reported 3 bugs for apparmor's libreoffice profile:
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1862331
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1863097
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1863103
i am afraid i mak
i think that that means that apparmor profile lags behind libreoffice
and should be updated.
if it is by design, then there could be comments about that, and it is
possible to remove the logs by "deny" keywords.
those messages are bad because they use space in syslog, making it harder
to read, and
i asked about sys_admin capability and got some answers:
https://groups.google.com/forum/#!topic/mozilla.dev.platform/UK4nm7MtTxQ
(i wanted to ask in firefox-dev mailing list but the dev-platform list
was said to be more appropriate).
--
> At the moment we recommend granting the capability in the profile and
> letting firefox setup its sandbox.
why do not ubuntu developers add it? (before they make it other way.)
> Unfortunately this means you can't guarantee the rest of the program
> isn't doing things it shouldn't.
what it can do us
i added these lines to ff profile:
#copied from abstractions/lightdm_chromium-browser
capability sys_admin, # for sandbox to change namespaces
capability sys_chroot, # for sandbox to chroot to a safe directory
capability setgid, # for sandbox to drop privileges
capability setu
i have some questions and wishes about rules that are in the profile:
# so browsing directories works
/ r,
/**/ r,
what if comment these out and allow / and owner @{HOME}/** , instead of
these? does firefox need other directory listings? maybe i will try.
i see /usr/ r, /etc/ r, /opt/ r, @
also there are /sys/devices/system/cpu/ r,
/etc/firefox*/ r,
/etc/xulrunner-2.0*/ r,
/etc/gre.d/ r,
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/1861408
Title:
firefox apparm
after firefox restart these appeared:
Feb 24 09:30:04 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 141.932834] audit:
type=1400 audit(1582525804.452:27): apparmor="DENIED" operation="open"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/1888/uid_map"
pid=1888 comm=495043204C61756E6368
/ r,
/**/ r,
is not enough. because thumbnails are not shown. much better would be to use a
separate program as a helper application, while it can read all files but it is
very simple and can only open a file by gui mouse click, and cannot connect
to the internet.
--
i added to usr.lib.libreoffice.program.soffice.bin:
/usr/share/drirc.d/* r,
owner @{HOME}/.cache/mesa_shader_cache/** rw,
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to libreoffice in Ubuntu.
https://bugs.launchpad.net/bugs
to
"
i added w to
owner @{HOME}/.{,cache/}fontconfig/** mrl,
"
:
cboltz said in apparmor irc channel:
I'd recommend _not_ to allow writing to ~/.cache/fontconfig/ because apps could
in theory poison that cache
actually we recently (intentionally) removed write permissions in
abstractions/fonts
appears when pressing ctrl+s:
Apr 17 17:13:48 dinar-comp kernel: [81128.012319] audit: type=1400
audit(1587132828.960:765): apparmor="DENIED" operation="open"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/mount/utab" pid=4596
comm="firefox" requested_mask="r" denied_mask="r" fsuid=10
Linux Mint 20.1 Ulyssa
Firefox 89.0
after update, i got ff 89, i have messages like this in syslog, on every
start of firefox:
Jun 20 15:24:23 dinar-Lenovo-G580 wpa_supplicant[680]: wlp2s0:
CTRL-EVENT-SIGNAL-CHANGE above=0 signal=-80 noise=-95 txrate=43300
Jun 20 15:25:21 dinar-Lenovo-G580 kerne