>At the moment we recommend granting the capability in the profile and
letting firefox setup its sandbox.

Why don't Ubuntu developers add it? (Before they make it the other way.)

>Unfortunately this means you can't guarantee the rest of the program
isn't doing things it shouldn't.

What can it do using this capability, without any other additional
AppArmor allow rules? Can you give any examples?

https://bugs.launchpad.net/bugs/1861408

Title:
  firefox apparmor messages

Status in apparmor package in Ubuntu:
  New
Status in firefox package in Ubuntu:
  New

Bug description:
  Firefox version 72.0.1 64 bit, 72.0.1+linuxmint1+tricia, Linux Mint 19.3.

  I see there is a newer Ubuntu version at
  https://www.ubuntuupdates.org/package/ubuntu_mozilla_security/bionic/main/base/firefox,
  72.0.2+build1-0ubuntu0.18.04.1, but its changes are not for AppArmor.

  I have not found a page for Firefox bugs on the Linux Mint sites, so I
  believe I should report here. But I have also asked about that in Linux
  Mint's IRC and then on GitHub.

  I have enabled AppArmor for Firefox and see these types of messages in
  syslog:

  Jan 28 18:43:33 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[735]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.111' (uid=1000 pid=1922 comm="/usr/lib/firefox/firefox " label="unconfined")

  Jan 28 18:44:36 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 5525.077960] audit: type=1400 audit(1580226276.440:27): apparmor="DENIED" operation="capable" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=15948 comm="firefox" capability=21  capname="sys_admin"

  Jan 28 18:44:37 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 5526.471731] audit: type=1107 audit(1580226277.832:28): pid=735 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/RealtimeKit1" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.RealtimeKit1" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1320 peer_label="unconfined"

  Jan 28 18:44:47 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="ListMonitorImplementations" mask="send" name=":1.10" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1262 peer_label="unconfined"

  Jan 28 18:44:47 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="IsSupported" mask="send" name=":1.35" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1385 peer_label="unconfined"

  Jan 28 18:44:47 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMounts2" mask="send" name=":1.10" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1262 peer_label="unconfined"

  Jan 28 18:44:47 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="LookupMount" mask="send" name=":1.10" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1262 peer_label="unconfined"

  Jan 28 18:44:48 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[735]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.119' (uid=1000 pid=15948 comm="/usr/lib/firefox/firefox " label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)")

  Jan 28 18:44:48 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 5536.783313] audit: type=1107 audit(1580226288.143:34): pid=735 uid=103 auid=4294967295 ses=4294967295 msg='apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.120" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=16177 peer_label="unconfined"

  Jan 28 18:45:02 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Change" mask="send" name="ca.desrt.dconf" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1370 peer_label="unconfined"

  Jan 28 21:51:30 dinar-HP-Pavilion-g7-Notebook-PC kernel: [10131.880788] audit: type=1400 audit(1580237490.777:123): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/dinar/.cache/mesa_shader_cache/index" pid=19720 comm="firefox" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

  These appeared while saving a file:

  Jan 30 11:08:28 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1151]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Change" mask="send" name="ca.desrt.dconf" pid=1584 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1301 peer_label="unconfined"

  Jan 30 11:08:28 dinar-HP-Pavilion-g7-Notebook-PC kernel: [ 464.049675] audit: type=1400 audit(1580371708.871:38): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/dinar/.local/share/gvfs-metadata/home" pid=1584 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

  These appeared while running "firefox -p":

  Jan 30 11:41:23 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[1151]: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Notify" name=":1.21" mask="receive" pid=1584 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1301 peer_label="unconfined"

  Jan 30 11:42:07 dinar-HP-Pavilion-g7-Notebook-PC dbus-daemon[762]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service' requested by ':1.90' (uid=1000 pid=2892 comm="xed /home/dinar/?????????????? ????????/??????????" label="unconfined")

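The denials above are the raw material for the profile change the thread is discussing. The following script is an added example, not code from the bug report, the apparmor package or Firefox: it parses AppArmor "DENIED" lines of the three kinds seen here (kernel type=1400 file and capability denials, type=1107 system-bus denials wrapped in msg='...', and the unwrapped session-bus lines dbus-daemon prints itself) and transcribes each into the profile rule that would permit it, roughly what aa-logprof does by hand. The sample input is the report's own log lines, rejoined onto single lines. Two choices are assumptions of this example, not facts from the page: the user's home directory is rewritten to the @{HOME} tunable, and per-connection bus names such as ":1.10" are dropped from the peer clause because they change on every connection. The script only transcribes denials; whether a rule such as capability sys_admin should be granted is exactly the question the thread raises, and the script does not decide it.

```python
"""Turn AppArmor DENIED audit lines into candidate profile rules.

Added example for this bug thread; not code from the report or from the
apparmor package.  Output is meant for a local override file (Ubuntu's
convention is /etc/apparmor.d/local/<profile>, an assumption here) and
every suggested rule should be reviewed before it is enabled.
"""
import re
from typing import Dict, List, Optional

# key="value" or key=value pairs, as printed by the kernel and dbus-daemon
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Mode letters legal in a file rule, in canonical order.  The kernel also
# reports "c" (create) and "d" (delete), which a "w" rule already covers.
_FILE_MODES = "rwalkm"

# Constructed input: the report's log lines, rejoined onto single lines.
SAMPLE_LINES = [
    'Jan 28 18:44:36 host kernel: [ 5525.077960] audit: type=1400 audit(1580226276.440:27): apparmor="DENIED" operation="capable" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=15948 comm="firefox" capability=21  capname="sys_admin"',
    'Jan 28 18:44:37 host kernel: [ 5526.471731] audit: type=1107 audit(1580226277.832:28): pid=735 uid=103 auid=4294967295 ses=4294967295 msg=\'apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/org/freedesktop/RealtimeKit1" interface="org.freedesktop.DBus.Properties" member="Get" mask="send" name="org.freedesktop.RealtimeKit1" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1320 peer_label="unconfined"\'',
    'Jan 28 18:44:47 host dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/org/gtk/vfs/mounttracker" interface="org.gtk.vfs.MountTracker" member="ListMounts2" mask="send" name=":1.10" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1262 peer_label="unconfined"',
    'Jan 28 18:45:02 host dbus-daemon[1181]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Change" mask="send" name="ca.desrt.dconf" pid=15948 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1370 peer_label="unconfined"',
    'Jan 28 21:51:30 host kernel: [10131.880788] audit: type=1400 audit(1580237490.777:123): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/dinar/.cache/mesa_shader_cache/index" pid=19720 comm="firefox" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000',
    'Jan 30 11:08:28 host dbus-daemon[1151]: apparmor="DENIED" operation="dbus_method_call"  bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Change" mask="send" name="ca.desrt.dconf" pid=1584 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1301 peer_label="unconfined"',
    'Jan 30 11:08:28 host kernel: [ 464.049675] audit: type=1400 audit(1580371708.871:38): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/dinar/.local/share/gvfs-metadata/home" pid=1584 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
    'Jan 30 11:41:23 host dbus-daemon[1151]: apparmor="DENIED" operation="dbus_signal"  bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Notify" name=":1.21" mask="receive" pid=1584 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=1301 peer_label="unconfined"',
    # Not a denial: a service activation notice that happens to mention firefox.
    'Jan 28 18:44:48 host dbus-daemon[735]: [system] Activating via systemd: service name=\'org.freedesktop.hostname1\' unit=\'dbus-org.freedesktop.hostname1.service\' requested by \':1.119\' (uid=1000 pid=15948 comm="/usr/lib/firefox/firefox " label="/usr/lib/firefox/firefox{,*[^s][^h]} (enforce)")',
]


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of one DENIED line, or None for any other line."""
    # type=1107 lines wrap the AppArmor fields in msg='...'; unwrap them so
    # the regex sees apparmor="DENIED" as its own field.
    line = line.replace("msg='", " ").rstrip("'")
    fields = {key: quoted or bare for key, quoted, bare in _KV.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def _generalise_path(path: str) -> str:
    """Rewrite /home/<user>/ to the @{HOME} tunable (assumed convention)."""
    return re.sub(r"^/home/[^/]+/", "@{HOME}/", path)


def suggest_rule(fields: Dict[str, str]) -> Optional[str]:
    """Map one parsed denial to the profile rule that would permit it."""
    op = fields.get("operation", "")
    if op == "capable":
        return "capability %s," % fields["capname"]
    if op.startswith("dbus_"):
        peer = []
        name = fields.get("name", "")
        # ":1.10"-style names are per-connection; only well-known names
        # such as ca.desrt.dconf are stable enough to pin in a rule.
        if name and not name.startswith(":"):
            peer.append("name=%s" % name)
        if fields.get("peer_label"):
            peer.append("label=%s" % fields["peer_label"])
        peer_clause = " peer=(%s)" % ", ".join(peer) if peer else ""
        return "dbus %s bus=%s path=%s interface=%s member=%s%s," % (
            fields["mask"], fields["bus"], fields["path"],
            fields["interface"], fields["member"], peer_clause)
    if "name" in fields and "denied_mask" in fields:
        modes = "".join(c for c in _FILE_MODES if c in fields["denied_mask"])
        if not modes:
            return None
        # fsuid == ouid means the file belongs to the user running firefox,
        # so an "owner" rule is enough and does not open other users' files.
        owner = "owner " if fields.get("fsuid") == fields.get("ouid") else ""
        return "%s%s %s," % (owner, _generalise_path(fields["name"]), modes)
    return None


def suggest_rules(lines: List[str]) -> List[str]:
    """Parse a batch of log lines and return unique candidate rules in order."""
    rules: List[str] = []
    for line in lines:
        fields = parse_denial(line)
        rule = suggest_rule(fields) if fields else None
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LINES):
        print("  " + rule)
```

Run it as-is to see the seven rules the report's denials translate to; on a live system, feed it `journalctl -k` or `/var/log/syslog` output instead of SAMPLE_LINES. The two dconf "Change" denials (Jan 28 and Jan 30) collapse into one rule, and the "receive" rule for the dconf "Notify" signal drops its ":1.21" name. Treat the output as a review list: a file rule under @{HOME} is usually harmless, while a capability rule deserves the scrutiny the reply at the top of this message is asking for.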