Closed Bug 1849961 Opened 8 months ago Closed 1 month ago

Ubuntu 23.04: Firefox snap cannot use openjdk documentation because resources are hosted outside of allowed snap sandbox

Categories

(Firefox Build System :: Third Party Packaging, defect)

Firefox 116
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: vladimir.petko, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Attached file firefox-snap-info.txt

Steps to reproduce:

  1. Install firefox snap 116.0.3-2
    snap install firefox
  2. Install openjdk-21 documentation
    sudo apt install openjdk-21-doc
  3. Browse API documentation
    firefox /usr/share/doc/openjdk-21-doc/api/index.html

Actual results:

The search bar is inactive
Console contains
Loading failed for the <script> with source “file:///usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js”.

$ ls -l /usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js
lrwxrwxrwx 1 root root 43 Mar 17 13:31 /usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js -> ../../../../javascript/jquery/jquery.min.js

cat /usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js
prints the file contents

Downloaded version of firefox opens documentation with active search bar and no javascript errors
/tmp/firefox/firefox /usr/share/doc/openjdk-21-doc/api/index.html

Expected results:

Firefox snap should be able to follow symlink and correctly load OpenJDK API documentation.

Hello! I have tried to reproduce the issue with firefox 118.0a1(2023-08-25) on Ubuntu 22.04, unfortunately I wasn't able to reproduce the issue on my end. Could you please answer the following questions in order to further investigate this issue.

  1. Does this issue happen with a new profile? Here is a link on how to create one: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
  2. Does this issue happen in the latest nightly? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/
  3. Do you have any addons installed? If yes could you please list them?
Flags: needinfo?(vladimir.petko)

Hi,

Latest version of firefox downloaded from the site works fine.

This bug relates to the snap version of firefox that does not have sufficient permissions to follow symlinks.
Please install firefox via snap install firefox (see steps to reproduce).

Best Regards,
Vladimir.

Flags: needinfo?(vladimir.petko)

The Bugbug bot thinks this bug should belong to the 'Firefox Build System::Third Party Packaging' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Third Party Packaging
Product: Firefox → Firefox Build System

Hello Vladimir! I have installed firefox with snap install but on the second step I can't install the program. Could you please provide a video or a screen shot with the issue?

Thank you!

Flags: needinfo?(vladimir.petko)
Attached image test.png
Flags: needinfo?(vladimir.petko)

Please use sudo apt install openjdk-17-doc as the second step (see screenshot).

The severity field is not set for this bug.
:gerard-majax, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(lissyx+mozillians)

Vladimir, please refer to your colleagues.

Flags: needinfo?(lissyx+mozillians) → needinfo?(vladimir.petko)

This is just another case of directory being blocked by snap sandbox

Blocks: snap-sandbox
Flags: needinfo?(seb128)
Flags: needinfo?(bandali)

Right, it seems another case of directory not available from within the sandbox, we should perhaps consider allowing read access to /usr/share/doc

Flags: needinfo?(seb128)
Status: UNCONFIRMED → RESOLVED
Closed: 6 months ago
Duplicate of bug: 1768303
Resolution: --- → DUPLICATE

(In reply to seb128 from comment #11)

> Right, it seems another case of directory not available from within the sandbox, we should perhaps consider allowing read access to /usr/share/doc

/usr/share/doc is already allowed: https://github.com/snapcore/snapd/blob/4dba256bd08383a966d414a75e8ffbd5e172b355/interfaces/builtin/system_packages_doc.go#L88-L92

Status: RESOLVED → REOPENED
No longer duplicate of bug: 1768303
Ever confirmed: true
Resolution: DUPLICATE → ---

Ok, the problem is that the symlink is outside what is allowed:

$ alex@portable-alex:~$ realpath /usr/share/doc/openjdk-21-jre-headless/api/script-dir/jquery-3.6.1.min.js 
/usr/share/javascript/jquery/jquery.min.js

I'm not really sure what we can do there ...
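
An added example, not part of the original bug thread and not snapd code: a shell function that lists symlinks under a documentation tree whose resolved target lies outside that tree and any extra allowed directories, which is the condition the realpath output above shows. The name `escaping_symlinks` is hypothetical, and plain prefix matching is an assumption that only approximates how the sandbox's path rules are evaluated.

```shell
#!/bin/sh
# escaping_symlinks ROOT [ALLOWED_DIR...]
# Print "link -> resolved target" for every symlink under ROOT whose
# resolved target is outside ROOT and outside each ALLOWED_DIR.
# ROOT itself is always treated as allowed.
escaping_symlinks() {
    root=$(realpath "$1") || return 2
    shift
    find "$root" -type l | while IFS= read -r link; do
        # Dangling links cannot be resolved; they fail to load with or
        # without a sandbox, so skip them here.
        target=$(realpath "$link" 2>/dev/null) || continue
        inside=no
        for prefix in "$root" "$@"; do
            # Canonicalise the allowed directory so /tmp-style symlinked
            # parents and trailing slashes compare correctly.
            p=$(realpath "$prefix" 2>/dev/null) || continue
            case "$target" in
                "$p"|"$p"/*) inside=yes; break ;;
            esac
        done
        [ "$inside" = yes ] || printf '%s -> %s\n' "$link" "$target"
    done
}

# Example invocations for the paths discussed in this bug:
#   escaping_symlinks /usr/share/doc
#   escaping_symlinks /usr/share/doc /usr/share/javascript/jquery
```

Running it once with only the documentation root and once with the additional directory shows which links stop being reported when that directory is allowed.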

There isn't really a solution there until snapd or portal provide a framework to be able to access the content of random directories outside of the confinement space...

There is a merge request for allowing /usr/share/javascript/jquery/, https://github.com/snapcore/snapd/pull/13130.

Summary: Ubuntu 23.04: Firefox snap does not follow local symlinks → Ubuntu 23.04: Firefox snap cannot use openjdk documentation because resources are hosted outside of allowed snap sandbox

(In reply to Nathan Teodosio :nteodosio from comment #16)

> There is a merge request for allowing /usr/share/javascript/jquery/, https://github.com/snapcore/snapd/pull/13130.

it should now be merged soon

Merged and will get fixed when snapd 2.62 gets released: https://github.com/snapcore/snapd/pull/13130

Status: REOPENED → RESOLVED
Closed: 6 months ago → 1 month ago
Flags: needinfo?(vladimir.petko)
Flags: needinfo?(bandali)
Resolution: --- → FIXED