for firefox 107.0.1 in linux mint 20.3 based on Ubuntu 20.04, when task
manager is opened, this rule is needed:
owner @{PROC}/[0-9]*/task/[0-9]*/comm r,
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
Linux Mint 20.1 Ulyssa
Firefox 89.0
after update, i got ff 89, i have messages like this in syslog, on every
start of firefox:
Jun 20 15:24:23 dinar-Lenovo-G580 wpa_supplicant[680]: wlp2s0:
CTRL-EVENT-SIGNAL-CHANGE above=0 signal=-80 noise=-95 txrate=43300
Jun 20 15:25:21 dinar-Lenovo-G580
messages, while starting firefox, after updating ubuntu to 20.10:
Jan 11 23:26:48 dinar-comp kernel: [ 181.634648] audit: type=1400
audit(1610396808.475:44): apparmor="DENIED" operation="open" profile="firefox"
name="/proc/2003/cgroup" pid=2003 comm="firefox" requested_mask="r"
mic connected to front is not working with this motherboard in ubuntu
20.04.
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to alsa-driver in Ubuntu.
https://bugs.launchpad.net/bugs/1004829
Title:
[GA-MA74GMT-S2, Realtek
i think i should say: does not work. i cannot test that computer now.
--
https://bugs.launchpad.net/bugs/1004829
Title:
[GA-MA74GMT-S2, Realtek ALC887-VD,
python message after update to ubuntu 20.04 :
May 29 08:54:00 dinar-comp kernel: [ 369.424679] audit: type=1400
audit(1590731640.601:54): apparmor="DENIED" operation="file_mmap"
profile="firefox//lsb_release" name="/usr/bin/python3.8" pid=2939 comm="lsb_release"
requested_mask="r"
after update to 76.0.1, fontconfig messages started again to appear on every
page opening.
i added
deny @{HOME}/.{,cache/}fontconfig/** w,
to abstractions/fonts, reloaded profile, and that notifications stopped to
appear.
--
i said on feb 4:
"dbus_method_call messages still appear in logs, while saving. i do not know
why they are not reported by aa-notify."
i made this report on apparmor site on march 7:
https://gitlab.com/apparmor/apparmor/-/issues/81
"aa-notify does not show messages about dbus"
** Bug watch
i changed /usr/bin/python3.[0-6] mr, to /usr/bin/python3.[0-7] mr, and
the python message disappeared while starting firefox.
--
appeared when opening a file from a manually mounted partition:
May 6 14:59:12 dinar-comp kernel: [544099.237323] audit: type=1400
audit(1588766352.217:3081): apparmor="DENIED" operation="open"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/run/user/1000/ICEauthority" pid=6886
appears when pressing ctrl+s:
Apr 17 17:13:48 dinar-comp kernel: [81128.012319] audit: type=1400
audit(1587132828.960:765): apparmor="DENIED" operation="open"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/mount/utab" pid=4596
comm="firefox" requested_mask="r" denied_mask="r"
to
"
i added w to
owner @{HOME}/.{,cache/}fontconfig/** mrl,
"
:
cboltz said in apparmor irc channel:
I'd recommend _not_ to allow writing to ~/.cache/fontconfig/ because apps could
in theory poison that cache
actually we recently (intentionally) removed write permissions in
abstractions/fonts
Public bug reported:
in netcat-openbsd manpage, port argument description is not good. it is
this:
"port can be a specified as a numeric port number, or as a service name.
Ports may be specified in a range of the form nn-mm. In general, a
destination port must be specified, unless the -U option
seems these are links to browse the profiles online:
https://bazaar.launchpad.net/~mozillateam/firefox/firefox.focal/view/head:/debian/usr.bin.firefox.apparmor.14.10
https://git.launchpad.net/apparmor/tree/profiles/apparmor.d/abstractions
--
what is ubuntu's policy for updating this profile? it looks like package
maintainers are not updating this profile on every package update. why?
--
i have reenabled the capability rules and added these to them, also from
the chromium profile:
owner @{PROC}/@{pid}/setgroups w,
owner @{PROC}/@{pid}/uid_map w,
owner @{PROC}/@{pid}/gid_map w,
.
i have prepared dbus rules:
dbus send
bus=system
message when switching to read mode:
Feb 26 13:13:13 dinar-HP-Pavilion-g7-Notebook-PC kernel: [64008.165294] audit:
type=1400 audit(1582711993.444:302): apparmor="DENIED" operation="exec"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/usr/bin/speech-dispatcher" pid=30443
/ r,
/**/ r,
is not enough. because thumbnails are not shown. much better would be to use a
separate program as a helper application, while it can read all files but it is
very simple and can only open a file by gui mouse click, and cannot connect
internet.
--
after firefox restart these appeared:
Feb 24 09:30:04 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 141.932834] audit:
type=1400 audit(1582525804.452:27): apparmor="DENIED" operation="open"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/1888/uid_map"
pid=1888
also there are /sys/devices/system/cpu/ r,
/etc/firefox*/ r,
/etc/xulrunner-2.0*/ r,
/etc/gre.d/ r,
--
https://bugs.launchpad.net/bugs/1861408
Title:
i have some questions and wishes about rules that are in the profile:
# so browsing directories works
/ r,
/**/ r,
what if comment these out and allow / and owner @{HOME}/** , instead of
these? does firefox need other directory listings? maybe i will try.
i see /usr/ r, /etc/ r, /opt/ r,
i added these lines to ff profile:
#copied from abstractions/lightdm_chromium-browser
capability sys_admin, # for sandbox to change namespaces
capability sys_chroot, # for sandbox to chroot to a safe directory
capability setgid, # for sandbox to drop privileges
capability
>At the moment we recommend granting the capability in the profile and
letting firefox setup its sandbox.
why do not ubuntu developers add it? (before they make it other way.)
>Unfortunately this means you can't guarantee the rest of the program
isn't doing things it shouldn't.
what it can do
i asked about sys_admin capability and got some answers:
https://groups.google.com/forum/#!topic/mozilla.dev.platform/UK4nm7MtTxQ
(i wanted to ask in firefox-dev mailing list but the dev-platform list
was said about as more appropriate).
--
i have added these lines:
in /etc/apparmor.d/abstractions/gnome :
@{HOME}/.local/share/gvfs-metadata/** r,
in /etc/apparmor.d/abstractions/xdg-desktop :
owner @{HOME}/.cache/mesa_shader_cache/** rw,
and messages (i use aa-notify) when saving disappeared.
dbus_method_call messages still
i think
Jan 30 11:08:28 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 464.049675]
audit: type=1400 audit(1580371708.871:38): apparmor="DENIED"
operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/dinar/.local/share/gvfs-metadata/home" pid=1584 comm="pool"
requested_mask="r"
i added w to
owner @{HOME}/.{,cache/}fontconfig/** mrl,
in /etc/apparmor.d/abstractions/fonts
and after profile replace, frequent messages stopped.
--
i modified /etc/apparmor.d/abstractions/fonts by adding w to
owner @{HOME}/.{,cache/}fontconfig/ r,
and replaced ff apparmor profile with "sudo apparmor_parser -r -T -W
/etc/apparmor.d/usr.bin.firefox".
then i tried to open a page, and i got these:
Feb 3 21:26:26 dinar-Lenovo-G580 kernel:
** Package changed: firefox (Ubuntu) => apparmor (Ubuntu)
** Also affects: firefox (Ubuntu)
Importance: Undecided
Status: New
--