On Sat, Apr 9, 2022 at 5:46 AM George <gpdsbe+deb...@mailbox.org> wrote:

> Hi!
> I'm trying to make a profile for firefox-esr.
>
> I used aa-genprof to create it and then aa-logprof to update it.
> I also use apparmor-notify to get error messages.
>
> The problem is that I get constant apparmor messages like the
> following:
>
> Apparmor Message
> Profile /usr/lib/firefox-esr/firefox-esr
> Operation: file_lock
> Name: /home/gpred/.mozilla/firefox/8i0h8b60.default-esr/-
> webappsstore.sqlite
> Denied: wk
> Logfile: /var/log/kern.log
>
> I run aa-logprof but it doesn't seem to detect the denied command. It
> doesn't show me the option to allow it, deny it, etc. I also tried to
> clear the kern.log and syslog files but after a while I have the same
> problem.
>
> Any ideas?
>

My reading is that Firefox's access to the file labelled "Name:" is
failing. It's failing because Firefox wants to obtain a lock on that
file but can't.

In other words:
 Name: /home/gpred/.mozilla/firefox/8i0h8b60.default-esr/-
webappsstore.sqlite

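It's trying to create a lock for the file with that name, and lock
creation failed. That could be because Firefox lacks permissions to that
file, or because your login id lacks permissions to it, or because
another process holds a lock on it already.

Note that the message is an AppArmor record: "Denied: wk" lists the
AppArmor write (w) and lock (k) permissions that were checked against
the profile. The profile quoted below is declared with flags=(complain),
a mode in which AppArmor logs violations rather than blocking them, and
it already contains "owner /home/*/.mozilla/firefox/** rwk,", which
looks like it should cover this path. So it is worth confirming (for
example with aa-status) that the profile currently loaded in the kernel
matches the file on disk.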

> My firefox profile:
>
>
> # Last Modified: Sat Apr  9 12:18:47 2022
> #include <tunables/global>
>
> /usr/lib/firefox-esr/firefox-esr flags=(complain) {
>   #include <abstractions/X>
>   #include <abstractions/audio>
>   #include <abstractions/base>
>   #include <abstractions/evince>
>   #include <abstractions/nameservice>
>   #include <abstractions/nvidia>
>   #include <abstractions/openssl>
>   #include <abstractions/postfix-common>
>   #include <abstractions/python>
>   #include <abstractions/totem>
>   #include <abstractions/ubuntu-browsers.d/ubuntu-integration>
>   #include <abstractions/ubuntu-konsole>
>
>   deny /home/*/AppData/** rw,
>
>   capability sys_admin,
>
>   signal send set=kill peer=/usr/lib/firefox-esr/firefox-esr//null-/usr/lib/firefox-esr/firefox-esr,
>   signal send set=term peer=/usr/lib/firefox-esr/firefox-esr//null-/usr/lib/firefox-esr/firefox-esr,
>   signal send set=term peer=/usr/lib/firefox-esr/firefox-esr//null-/usr/lib/firefox-esr/plugin-container,
>
>   /etc/firefox-esr/firefox-esr.js r,
>   /etc/mailcap r,
>   /etc/mime.types r,
>   /proc/devices r,
>   /proc/driver/nvidia/params r,
>   /proc/filesystems r,
>   /proc/modules r,
>   /sys/devices/pci0000:00/0000:00:00.0/class r,
>   /sys/devices/pci0000:00/0000:00:00.0/device r,
>   /sys/devices/pci0000:00/0000:00:00.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/class r,
>   /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/device r,
>   /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/subsystem_device r,
>   /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/subsystem_vendor r,
>   /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.1/class r,
>   /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.1/device r,
>   /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.1/vendor r,
>   /sys/devices/pci0000:00/0000:00:01.0/class r,
>   /sys/devices/pci0000:00/0000:00:01.0/device r,
>   /sys/devices/pci0000:00/0000:00:01.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:02.0/class r,
>   /sys/devices/pci0000:00/0000:00:02.0/device r,
>   /sys/devices/pci0000:00/0000:00:02.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:04.0/class r,
>   /sys/devices/pci0000:00/0000:00:04.0/device r,
>   /sys/devices/pci0000:00/0000:00:04.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:08.0/class r,
>   /sys/devices/pci0000:00/0000:00:08.0/device r,
>   /sys/devices/pci0000:00/0000:00:08.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:12.0/class r,
>   /sys/devices/pci0000:00/0000:00:12.0/device r,
>   /sys/devices/pci0000:00/0000:00:12.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:14.0/class r,
>   /sys/devices/pci0000:00/0000:00:14.0/device r,
>   /sys/devices/pci0000:00/0000:00:14.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:14.2/class r,
>   /sys/devices/pci0000:00/0000:00:14.2/device r,
>   /sys/devices/pci0000:00/0000:00:14.2/vendor r,
>   /sys/devices/pci0000:00/0000:00:15.0/class r,
>   /sys/devices/pci0000:00/0000:00:15.0/device r,
>   /sys/devices/pci0000:00/0000:00:15.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:16.0/class r,
>   /sys/devices/pci0000:00/0000:00:16.0/device r,
>   /sys/devices/pci0000:00/0000:00:16.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:17.0/class r,
>   /sys/devices/pci0000:00/0000:00:17.0/device r,
>   /sys/devices/pci0000:00/0000:00:17.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:1b.0/0000:03:00.0/class r,
>   /sys/devices/pci0000:00/0000:00:1b.0/0000:03:00.0/device r,
>   /sys/devices/pci0000:00/0000:00:1b.0/0000:03:00.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:1b.0/class r,
>   /sys/devices/pci0000:00/0000:00:1b.0/device r,
>   /sys/devices/pci0000:00/0000:00:1b.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:1c.0/0000:04:00.0/class r,
>   /sys/devices/pci0000:00/0000:00:1c.0/0000:04:00.0/device r,
>   /sys/devices/pci0000:00/0000:00:1c.0/0000:04:00.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:1c.0/class r,
>   /sys/devices/pci0000:00/0000:00:1c.0/device r,
>   /sys/devices/pci0000:00/0000:00:1c.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:1f.0/class r,
>   /sys/devices/pci0000:00/0000:00:1f.0/device r,
>   /sys/devices/pci0000:00/0000:00:1f.0/vendor r,
>   /sys/devices/pci0000:00/0000:00:1f.3/class r,
>   /sys/devices/pci0000:00/0000:00:1f.3/device r,
>   /sys/devices/pci0000:00/0000:00:1f.3/vendor r,
>   /sys/devices/pci0000:00/0000:00:1f.4/class r,
>   /sys/devices/pci0000:00/0000:00:1f.4/device r,
>   /sys/devices/pci0000:00/0000:00:1f.4/vendor r,
>   /sys/devices/pci0000:00/0000:00:1f.5/class r,
>   /sys/devices/pci0000:00/0000:00:1f.5/device r,
>   /sys/devices/pci0000:00/0000:00:1f.5/vendor r,
>   /sys/devices/system/cpu/cpu0/cache/index2/size r,
>   /sys/devices/system/cpu/cpu0/cache/index3/size r,
>   /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
>   /sys/devices/system/cpu/present r,
>   /sys/devices/system/memory/block_size_bytes r,
>   /usr/bin/chrome-gnome-shell mrix,
>   /usr/bin/lsb_release mrix,
>   /usr/bin/python3.9 ix,
>   /usr/bin/python3.9 r,
>   /usr/lib/firefox-esr/firefox-esr mrix,
>   /usr/lib/firefox-esr/plugin-container mrix,
>   /var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
>   /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache r,
>   /var/lib/flatpak/exports/share/icons/hicolor/index.theme r,
>   owner /home/*/.cache/fontconfig/* r,
>   owner /home/*/.cache/mozilla/firefox/8i0h8b60.default-esr/** rw,
>   owner /home/*/.cache/mozilla/firefox/8i0h8b60.default-esr/.startup-incomplete w,
>   owner /home/*/.cache/nvidia/GLCache/4e72b67faf2c55a81064f0f669542d15/af453b2f87001cad/f35e6a48c63c96b3.bin rwk,
>   owner /home/*/.cache/nvidia/GLCache/4e72b67faf2c55a81064f0f669542d15/af453b2f87001cad/f35e6a48c63c96b3.toc rwk,
>   owner /home/*/.config/dconf/user r,
>   owner /home/*/.config/mimeapps.list r,
>   owner /home/*/.config/pulse/cookie rk,
>   owner /home/*/.local/share/applications/mimeinfo.cache r,
>   owner /home/*/.mozilla/firefox/** rwk,
>   owner /proc/*/cgroup r,
>   owner /proc/*/comm r,
>   owner /proc/*/gid_map w,
>   owner /proc/*/maps r,
>   owner /proc/*/mountinfo r,
>   owner /proc/*/mounts r,
>   owner /proc/*/setgroups w,
>   owner /proc/*/smaps r,
>   owner /proc/*/stat r,
>   owner /proc/*/statm r,
>   owner /proc/*/status r,
>   owner /proc/*/task/*/comm rw,
>   owner /proc/*/task/*/stat r,
>   owner /proc/*/uid_map w,
>   owner /run/user/1000/ICEauthority r,
>   owner /usr/lib/firefox-esr/fonts/** rw,
>   owner /home/*/Downloads/** rw,
>   owner /home/*/** r,
>
> }
>
>
>
>
