Open Bug 1838978 Opened 1 year ago Updated 6 months ago

Standalone install of Firefox runs native messaging but PPA version does not

Categories

(Core :: Widget: Gtk, defect, P3)

Firefox 114
defect

UNCONFIRMED

People

(Reporter: randy, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0

Steps to reproduce:

I am using 1Password and it has a native messaging component that enables the browser extension to communicate with the desktop application:

$ cat ~/.mozilla/native-messaging-hosts/com.1password.1password.json 
{
  "name": "com.1password.1password",
  "description": "1Password BrowserSupport",
  "path": "/opt/1Password/1Password-BrowserSupport",
  "type": "stdio",
  "allowed_extensions": [
    "{0a75d802-9aed-41e7-8daa-24c067386e82}",
    "{25fc87fa-4d31-4fee-b5c1-c32a7844c063}",
    "{d634138d-c276-4fc8-924b-40a0ea21d284}"
  ]
}

I have installed the standalone (extracted .tar) file version of Firefox to my /shared folder. When that version is running, Firefox calls the 1pass binary per the manifest above:

$ sudo forkstat | grep BrowserSupport
[sudo] password for rsyring: 
18:53:32 clone  183925 parent          /opt/1Password/1Password-BrowserSupport /home/rsyring/.mozilla/native-messaging-hosts/com.1password.1password.json {d634138d-c276-4fc8-924b-40a0ea21d284} 
18:53:32 clone  189746 thread          /opt/1Password/1Password-BrowserSupport /home/rsyring/.mozilla/native-messaging-hosts/com.1password.1password.json {d634138d-c276-4fc8-924b-40a0ea21d284} 

I also have installed the PPA version of Firefox from https://launchpad.net/~mozillateam/+archive/ubuntu/ppa. When that version of Firefox runs, the 1Password-BrowserSupport executable is never called.

The versions of Firefox are identical:

$ /usr/bin/firefox --version
Mozilla Firefox 114.0.1

$ /shared/apps/firefox/firefox --version
Mozilla Firefox 114.0.1

User agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0

Also trying to get help at: https://discourse.mozilla.org/t/native-messaging-not-working-with-ppa-version-but-does-work-with-standalone-what-gives/120381

The second user agent is: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.0

The Bugbug bot thinks this bug should belong to the 'Core::Widget: Gtk' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Widget: Gtk
Product: Firefox → Core

That looks like a packaging bug if the Mozilla binaries work and the PPA one doesn't. I don't think that's Snap, correct?

Priority: -- → P3

Also, AFAIK Ubuntu is moving to Snap, so I wonder if the PPA repository is maintained then.

This turned out to be an AppArmor issue:

[236482.484994] audit: type=1400 audit(1687180387.804:3851): apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/opt/1Password/1Password-BrowserSupport" pid=1384607 comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

I don't know if there is something Firefox could do to surface this error and make it more clear what is going on but it would have been helpful to see something in the browser console indicating failures to execute a native messaging binary.

Same problem with version 121 installed from https://launchpad.net/~mozillateam/+archive/ubuntu/ppa.
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0

Workaround

A lot of time was spent investigating the same issue with my native messaging host in FF...
Here are some quick steps to make sure that the problem is in AppArmor:

  1. sudo aa-notify -s 1 -v | grep -B 2 -A 2 <file name with your native messaging host> -- if you see no output, you can try running it without grep. The AppArmor denial output will look something like this:
Profile: firefox
Operation: exec
Name: <path to your NMH>
Denied: x
Logfile: /var/log/audit/audit.log
  2. If the problem is in AppArmor, you can solve it by giving FF the right to execute your NMH bin. Just add <path to dir with your NMH>/** mrux, (with the comma; r - read, m - load to memory and execute, ux - run new process without control by parent's AA profile) to /etc/apparmor.d/local/usr.bin.firefox. For productive ones:
echo "<path to dir with your NMH>/** mrux," | sudo tee -a /etc/apparmor.d/local/usr.bin.firefox > /dev/null && sudo aa-enforce usr.bin.firefox
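The kernel audit line quoted earlier in this bug can be checked mechanically. The following is an added example, not part of the bug's comments or of Firefox: it parses AppArmor audit records, decodes the hex-encoded comm field, and builds a local rule scoped to the one denied binary instead of a whole directory. The function names and the second log line are constructed for illustration.

```python
import re

# Constructed sample input: line 1 is the denial quoted in this bug,
# line 2 is a made-up non-exec denial to show the filtering.
SAMPLE_LOG = '''\
[236482.484994] audit: type=1400 audit(1687180387.804:3851): apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/opt/1Password/1Password-BrowserSupport" pid=1384607 comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[236490.000001] audit: type=1400 audit(1687180395.100:3852): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/etc/example.conf" pid=1384607 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# String fields that audit writes as bare hex when they contain
# spaces or other characters it treats as untrusted.
STRING_KEYS = {"comm", "name", "profile"}

def parse_audit_line(line):
    """Return the key=value fields of one audit record as a dict."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in STRING_KEYS:
            try:
                fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                fields[key] = raw  # not hex after all, keep as written
        else:
            fields[key] = raw
    return fields

def exec_denials(log_text, profile="firefox"):
    """Return records where `profile` was denied execute on a file."""
    hits = []
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if (f.get("apparmor") == "DENIED" and f.get("operation") == "exec"
                and f.get("profile") == profile
                and "x" in f.get("denied_mask", "")):
            hits.append(f)
    return hits

def local_rule(record, mode="mrux"):
    """Rule line for the single denied path; mode defaults to the
    one used in the workaround comment (an assumption, adjust as needed)."""
    path = record["name"]
    if re.search(r"\s", path):
        path = f'"{path}"'  # AppArmor needs quotes around paths with spaces
    return f"{path} {mode},"

if __name__ == "__main__":
    for rec in exec_denials(SAMPLE_LOG):
        print(f'{rec["comm"]!r} (pid {rec["pid"]}) denied exec of {rec["name"]}')
        print("candidate rule:", local_rule(rec))
```

Scoping the rule to the exact path keeps the ux transition from applying to every other file under the same directory.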