Closed Bug 1918003 Opened 11 months ago Closed 11 months ago

Firefox AppArmor's profile doesn't allow the user to open file-links (e.g. PDF) nor speech-dispatcher to be executed in Ubuntu

Categories

(Firefox Build System :: Third Party Packaging, defect)

Firefox 130
x86_64
Linux
defect

Tracking

(firefox132 fixed)

RESOLVED FIXED
132 Branch
Tracking Status
firefox132 --- fixed

People

(Reporter: c, Assigned: gerard-majax)

Attachments

(1 file)

Steps to reproduce:

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:130.0) Gecko/20100101 Firefox/130.0
1.- Update Firefox to version 130.0
2.- Download a PDF file from a website
3.- Open the downloaded file using Firefox

Actual results:

A dialog box with the following message is displayed: "Open the file link?". After pressing the "Choose application" button, another dialog box appears with an empty list of applications to choose from.

Expected results:

Start the correct application via MimeType.

Component: Untriaged → File Handling
OS: Unspecified → Linux
Hardware: Unspecified → x86_64

The issue seems to be caused by the contents of the AppArmor profile file (/etc/apparmor.d/usr.bin.firefox), as the following log entries appeared after attempting to perform the aforementioned operation:

[...] audit: type=1107 audit(...): pid=... uid=... auid=... ses=... subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="..." pid=... label="firefox" peer_pid=.. peer_label="unconfined"

[...] audit: type=1107 audit(...): pid=... uid=... auid=... ses=... subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name="..." pid=... label="firefox" peer_pid=... peer_label="unconfined"

[...] audit: type=1400 audit(...): apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop" pid=... comm="firefox-bin" requested_mask="x" denied_mask="x" fsuid=... ouid=...

[ ...] audit: type=1400 audit(...): apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop" pid=... comm="firefox-bin" requested_mask="x" denied_mask="x" fsuid=... ouid=...

Component: File Handling → Untriaged

Firefox was installed using .deb package from Mozilla's APT repository (https://packages.mozilla.org/apt)

Summary: Firefox version 130.0 doesn't open file-links (e.g. PDF) in Ubuntu → Firefox AppArmor's profile doesn't allow the user to open file-links (e.g. PDF) in Ubuntu
Summary: Firefox AppArmor's profile doesn't allow the user to open file-links (e.g. PDF) in Ubuntu → Firefox AppArmor's profile doesn't allow the user to open file-links (e.g. PDF) nor speech-dispatcher to be executed in Ubuntu

(not sure if this is the right component, if not please move)

Component: Untriaged → Security: Process Sandboxing
Product: Firefox → Core
Component: Security: Process Sandboxing → Third Party Packaging
Product: Core → Firefox Build System
Assignee: nobody → lissyx+mozillians

This is weird. There's no /etc/apparmor.d/usr.bin.firefox shipped from Ubuntu to my knowledge, and I don't see it in the deb package we produce.
Without more details on the setup (distro, version, about:support) this is going to be hard to diagnose. The shared log is incomplete and thus also not shedding any light on the issue.

Flags: needinfo?(c)

dpkg -S /etc/apparmor.d/usr.bin.firefox should tell you which package provided it. Neither my 24.04 laptop nor my 22.04 VM has that file.

OK, I see that file on 18.04. Unfortunately, it's EOL'd on Canonical's side, and AppArmor is not something we can work around. Can you confirm you're running 18.04 and:

$ dpkg -S /etc/apparmor.d/usr.bin.firefox 
firefox: /etc/apparmor.d/usr.bin.firefox
$ apt-cache policy firefox
firefox:
  Installé : 113.0.2+build1-0ubuntu0.18.04.1
  Candidat : 113.0.2+build1-0ubuntu0.18.04.1
 Table de version :
 *** 113.0.2+build1-0ubuntu0.18.04.1 500
        500 http://fr.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     59.0.2+build1-0ubuntu1 500
        500 http://fr.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

OK, so I installed the package of 130 on 1804 using Mozilla's repo, and indeed I still have the file, but I still don't see it coming from our Debian package. I'm wondering if it's just a leftover from the original Canonical package.

Flags: needinfo?(jlorenzo)

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Codename: noble

$ dpkg -L firefox
/.
/usr
/usr/bin
/usr/lib
/usr/lib/firefox
/usr/lib/firefox/libmozavcodec.so
/usr/lib/firefox/removed-files
/usr/lib/firefox/libxul.so
/usr/lib/firefox/libplds4.so
/usr/lib/firefox/precomplete
/usr/lib/firefox/firefox-bin.sig
/usr/lib/firefox/firefox.sig
/usr/lib/firefox/libnssckbi.so
/usr/lib/firefox/updater.ini
/usr/lib/firefox/libxul.so.sig
/usr/lib/firefox/is-packaged-app
/usr/lib/firefox/libipcclientcerts.so
/usr/lib/firefox/icons
/usr/lib/firefox/icons/updater.png
/usr/lib/firefox/libgkcodecs.so
/usr/lib/firefox/libmozavutil.so
/usr/lib/firefox/libmozsqlite3.so
/usr/lib/firefox/liblgpllibs.so
/usr/lib/firefox/distribution
/usr/lib/firefox/distribution/distribution.ini
/usr/lib/firefox/omni.ja
/usr/lib/firefox/libsoftokn3.so
/usr/lib/firefox/browser
/usr/lib/firefox/browser/chrome
/usr/lib/firefox/browser/chrome/icons
/usr/lib/firefox/browser/chrome/icons/default
/usr/lib/firefox/browser/chrome/icons/default/default48.png
/usr/lib/firefox/browser/chrome/icons/default/default32.png
/usr/lib/firefox/browser/chrome/icons/default/default128.png
/usr/lib/firefox/browser/chrome/icons/default/default64.png
/usr/lib/firefox/browser/chrome/icons/default/default16.png
/usr/lib/firefox/browser/omni.ja
/usr/lib/firefox/browser/features
/usr/lib/firefox/browser/features/webcompat-reporter@mozilla.org.xpi
/usr/lib/firefox/browser/features/webcompat@mozilla.org.xpi
/usr/lib/firefox/browser/features/pictureinpicture@mozilla.org.xpi
/usr/lib/firefox/browser/features/formautofill@mozilla.org.xpi
/usr/lib/firefox/browser/features/screenshots@mozilla.org.xpi
/usr/lib/firefox/firefox
/usr/lib/firefox/glxtest
/usr/lib/firefox/libmozwayland.so
/usr/lib/firefox/update-settings.ini
/usr/lib/firefox/libplc4.so
/usr/lib/firefox/pingsender
/usr/lib/firefox/firefox-bin
/usr/lib/firefox/updater
/usr/lib/firefox/libmozgtk.so
/usr/lib/firefox/fonts
/usr/lib/firefox/fonts/TwemojiMozilla.ttf
/usr/lib/firefox/libmozsandbox.so
/usr/lib/firefox/defaults
/usr/lib/firefox/defaults/pref
/usr/lib/firefox/defaults/pref/channel-prefs.js
/usr/lib/firefox/defaults/pref/package-prefs.js
/usr/lib/firefox/application.ini
/usr/lib/firefox/libsmime3.so
/usr/lib/firefox/platform.ini
/usr/lib/firefox/libnss3.so
/usr/lib/firefox/libssl3.so
/usr/lib/firefox/libfreeblpriv3.so
/usr/lib/firefox/dependentlibs.list
/usr/lib/firefox/crashreporter
/usr/lib/firefox/libnspr4.so
/usr/lib/firefox/gmp-clearkey
/usr/lib/firefox/gmp-clearkey/0.1
/usr/lib/firefox/gmp-clearkey/0.1/manifest.json
/usr/lib/firefox/gmp-clearkey/0.1/libclearkey.so.sig
/usr/lib/firefox/gmp-clearkey/0.1/libclearkey.so
/usr/lib/firefox/libnssutil3.so
/usr/lib/firefox/minidump-analyzer
/usr/lib/firefox/vaapitest
/usr/share
/usr/share/icons
/usr/share/icons/hicolor
/usr/share/icons/hicolor/64x64
/usr/share/icons/hicolor/64x64/apps
/usr/share/icons/hicolor/16x16
/usr/share/icons/hicolor/16x16/apps
/usr/share/icons/hicolor/128x128
/usr/share/icons/hicolor/128x128/apps
/usr/share/icons/hicolor/32x32
/usr/share/icons/hicolor/32x32/apps
/usr/share/icons/hicolor/48x48
/usr/share/icons/hicolor/48x48/apps
/usr/share/doc
/usr/share/doc/firefox
/usr/share/doc/firefox/changelog.gz
/usr/share/applications
/usr/share/applications/firefox.desktop
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/firefox.1.gz
/usr/bin/firefox
/usr/share/icons/hicolor/64x64/apps/firefox.png
/usr/share/icons/hicolor/16x16/apps/firefox.png
/usr/share/icons/hicolor/128x128/apps/firefox.png
/usr/share/icons/hicolor/32x32/apps/firefox.png
/usr/share/icons/hicolor/48x48/apps/firefox.png
/etc/firefox/syspref.js
/etc/apport/native-origins.d/firefox
/etc/apport/blacklist.d/firefox
/etc/apparmor.d/usr.bin.firefox

Flags: needinfo?(c)

$ dpkg -S /etc/apparmor.d/usr.bin.firefox
firefox: /etc/apparmor.d/usr.bin.firefox

$ apt-cache policy firefox
firefox:
Instalados: 130.0~build2
Candidato: 130.0.1~build1
Tabla de versión:
[...]
*** 130.0~build2 1000
1000 https://packages.mozilla.org/apt mozilla/main amd64 Packages
100 /var/lib/dpkg/status

Well thanks, this simplifies the problem. On 24.04 it's certain that you should not have that file:

$ dpkg -L apparmor |grep firefox
/etc/apparmor.d/firefox
$ cat /etc/apparmor.d/firefox 
# This profile allows everything and only exists to give the
# application a name instead of having the label "unconfined"

abi <abi/4.0>,
include <tunables/global>

profile firefox /usr/lib/firefox{,-esr,-beta,-devedition,-nightly}/firefox{,-esr,-bin} flags=(unconfined) {
  userns,

  # Site-specific additions and overrides. See local/README for details.
  include if exists <local/firefox>
}

This AppArmor profile was explicitly designed to also fit our package (some context in https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844).

So I'm more convinced your /etc/apparmor.d/usr.bin.firefox is just a leftover from upgrading something from Ubuntu's firefox package (or PPA?) to our deb and something missed cleanup.

Before you change anything, I'd like it if you could capture about:support and share it so I can verify something.

Then please verify you have /etc/apparmor.d/firefox. Then get rid of /etc/apparmor.d/usr.bin.firefox (make a copy, just in case?) and restart apparmor (sudo systemctl restart apparmor.service); your Firefox should not break, and this should even fix your problems.

Flags: needinfo?(c)

There is no /etc/apparmor.d/firefox file:

$ ls -al /etc/apparmor.d | grep firefox
-rw-r--r-- 1 root root 8000 sep 16 08:20 usr.bin.firefox

Flags: needinfo?(c)

(In reply to Rigoberto Calleja from comment #12)

There is no /etc/apparmor.d/firefox file:

$ ls -al /etc/apparmor.d | grep firefox
-rw-r--r-- 1 root root 8000 sep 16 08:20 usr.bin.firefox

There should be, on 24.04:

alex@portable-alex:~/tmp$ ll /etc/apparmor.d/firefox
-rw-r--r-- 1 root root 396 mai   13 09:23 /etc/apparmor.d/firefox
alex@portable-alex:~/tmp$ dpkg -S /etc/apparmor.d/firefox
apparmor: /etc/apparmor.d/firefox
alex@portable-alex:~/tmp$ apt-cache policy apparmor
apparmor:
  Installé : 4.0.1really4.0.0-beta3-0ubuntu0.1
  Candidat : 4.0.1really4.0.1-0ubuntu0.24.04.3
 Table de version :
     4.0.1really4.0.1-0ubuntu0.24.04.3 500 (phased 20%)
        500 http://fr.archive.ubuntu.com/ubuntu noble-updates/main amd64 Packages
 *** 4.0.1really4.0.0-beta3-0ubuntu0.1 100
        100 /var/lib/dpkg/status
     4.0.0-beta3-0ubuntu3 500
        500 http://fr.archive.ubuntu.com/ubuntu noble/main amd64 Packages

Please try to reinstall with sudo apt reinstall apparmor, then disable the usr.bin.firefox profile and restart apparmor.

Flags: needinfo?(c)

backed-up and deleted /etc/apparmor.d/usr.bin.firefox
updated apparmor (/etc/apparmor.d/firefox was installed)
uninstalled and reinstalled firefox

/etc/apparmor.d/firefox comes from apparmor package
$ dpkg -L apparmor | grep firefox
/etc/apparmor.d/firefox

firefox package no longer contains /etc/apparmor.d/usr.bin.firefox
$ dpkg -L firefox | grep apparmor
$

$ apt-cache policy firefox
firefox:
Instalados: 130.0.1~build1
Candidato: 130.0.1~build1
Tabla de versión:
*** 130.0.1~build1 1000
1000 https://packages.mozilla.org/apt mozilla/main amd64 Packages
100 /var/lib/dpkg/status

Opening file-links and speech-dispatcher now works

Flags: needinfo?(c)
Flags: needinfo?(jlorenzo)

(In reply to Rigoberto Calleja from comment #15)

updated apparmor (/etc/apparmor.d/firefox was installed)

Do you mean you reinstalled or there was an update? If the latter can you look in /var/log/dpkg.log so we can know which version it upgraded from/to?

Good to know it's fixed. We're not sure how we can fix that on the package side itself, but even if we had a fix, your system was still in an unexpected state by missing /etc/apparmor.d/firefox (except if you were on a version of the package that was not yet bundling it, but the release of 24.04 had it, so I'm surprised).

Flags: needinfo?(c)

Do you mean you reinstalled or there was an update? If the latter can you look in /var/log/dpkg.log so we can know which version it upgraded from/to?

There was an apparmor update:

$ cat /var/log/dpkg.log | grep apparmor
...
2024-09-20 10:45:58 upgrade apparmor:amd64 4.0.1really4.0.0-beta3-0ubuntu0.1 4.0.1really4.0.1-0ubuntu0.24.04.3
...
2024-09-20 10:46:03 status unpacked apparmor:amd64 4.0.1really4.0.1-0ubuntu0.24.04.3
2024-09-20 10:47:30 conffile /etc/apparmor.d/firefox install

Good to know it's fixed. We're not sure how we can fix that on the package side itself, but even if we had a fix, your system was still in an unexpected state by missing /etc/apparmor.d/firefox (except if you were on a version of the package that was not yet bundling it, but the release of 24.04 had it, so I'm surprised).

Both /etc/apparmor.d/firefox and /etc/apparmor.d/usr.bin.firefox were present in my system when I noticed the issue, then I made a back-up of the first file and deleted it.

Flags: needinfo?(c)

(In reply to Rigoberto Calleja from comment #17)

[...]

Both /etc/apparmor.d/firefox and /etc/apparmor.d/usr.bin.firefox were present in my system when I noticed the issue, then I made a back-up of the first file and deleted it.

Ok so there's no weird migration bug in fact.

root@37f8add9fe74:~# wget http://portable-alex.home:9000/firefox-132.0a1.en-US.linux-x86_64.deb
--2024-09-25 18:46:45--  http://portable-alex.home:9000/firefox-132.0a1.en-US.linux-x86_64.deb
Resolving portable-alex.home (portable-alex.home)... 192.168.1.81, 2a01:cb00:8834:1300:8a13:af8f:4454:e3bf, 2a01:cb00:8834:1300:d2b7:68b5:7e83:a8b3, ...
Connecting to portable-alex.home (portable-alex.home)|192.168.1.81|:9000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 101554876 (97M) [application/vnd.debian.binary-package]
Saving to: 'firefox-132.0a1.en-US.linux-x86_64.deb'

firefox-132.0a1.en-US.linux-x86_64.deb                      100%[=========================================================================================================================================>]  96.85M   588MB/s    in 0.2s    

2024-09-25 18:46:45 (588 MB/s) - 'firefox-132.0a1.en-US.linux-x86_64.deb' saved [101554876/101554876]

root@37f8add9fe74:~# dpkg -i --force-all firefox-132.0a1.en-US.linux-x86_64.deb 
Selecting previously unselected package firefox.
(Reading database ... 26092 files and directories currently installed.)
Preparing to unpack firefox-132.0a1.en-US.linux-x86_64.deb ...
Unpacking firefox (132.0a1~20240925141221) ...
dpkg: firefox: dependency problems, but configuring anyway as you requested:
 firefox depends on libasound2t64 (>= 1.0.27); however:
  Package libasound2t64 is not installed.
 firefox depends on libatk1.0-0t64 (>= 1.12.4); however:
  Package libatk1.0-0t64 is not installed.
 firefox depends on libc6 (>= 2.34); however:
  Version of libc6:amd64 on system is 2.31-0ubuntu9.16.
 firefox depends on libgdk-pixbuf-2.0-0 (>= 2.22.0); however:
  Package libgdk-pixbuf-2.0-0 is not installed.
 firefox depends on libglib2.0-0t64 (>= 2.38.0); however:
  Package libglib2.0-0t64 is not installed.
 firefox depends on libgtk-3-0t64 (>= 3.13.7); however:
  Package libgtk-3-0t64 is not installed.
 firefox depends on libnspr4 (>= 2:4.12); however:
  Package libnspr4 is not installed.
 firefox depends on libnss3 (>= 2:3.94); however:
  Package libnss3 is not installed.
 firefox depends on libx11-xcb1 (>= 2:1.8.7); however:
  Version of libx11-xcb1:amd64 on system is 2:1.6.9-2ubuntu1.6.

Setting up firefox (132.0a1~20240925141221) ...
update-alternatives: using /usr/bin/firefox to provide /usr/bin/gnome-www-browser (gnome-www-browser) in auto mode
update-alternatives: warning: skip creation of /usr/share/man/man1/gnome-www-browser.1.gz because associated file /usr/share/man/man1/firefox.1.gz (of link group gnome-www-browser) doesn't exist
update-alternatives: using /usr/bin/firefox to provide /usr/bin/x-www-browser (x-www-browser) in auto mode
update-alternatives: warning: skip creation of /usr/share/man/man1/x-www-browser.1.gz because associated file /usr/share/man/man1/firefox.1.gz (of link group x-www-browser) doesn't exist
Removing obsolete conffile /etc/apparmor.d/usr.bin.firefox ...
Processing triggers for mime-support (3.64ubuntu1) ...
Processing triggers for hicolor-icon-theme (0.17-2) ...
(reverse-i-search)`r': dpkg -i --force-all fi^Cfox-132.0a1.en-US.linux-x86_64.deb 
(reverse-i-search)`ls -': find /etc/ -name "usr.bin.firefox" | xargs ^C -hal
root@37f8add9fe74:~# ll /etc/apparmor.d/usr.bin.firefox*
ls: cannot access '/etc/apparmor.d/usr.bin.firefox*': No such file or directory

Pushed by alissy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5fabfb573bd9
Remove stale AppArmor config from former Canonical package r=jcristau

Status: UNCONFIRMED → RESOLVED
Closed: 11 months ago
Resolution: --- → FIXED
Target Milestone: --- → 132 Branch

Also reported upstream so maybe they can handle it correctly on their side as well: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/2083064

Duplicate of this bug: 1956549
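
The diagnosis worked through in this thread, as an added example (not part of the bug report or of Mozilla's packaging code): group AppArmor DENIED audit records by the label that confined the process, then list which files in a profile directory declare that label, which surfaces the situation the reporter had with both /etc/apparmor.d/firefox and /etc/apparmor.d/usr.bin.firefox present. The log lines, the directory contents and all function names are constructed for illustration; the real body of usr.bin.firefox is not shown in the report, so the stand-in here is invented.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

KV = re.compile(r'(\w+)="([^"]*)"')                      # key="value" audit fields
PROFILE_DECL = re.compile(r'^\s*profile\s+(\S+)', re.M)  # named declarations only, not path-only ones
# Constructed log lines modelled on the denials quoted in the report.
SAMPLE_LOG = '''\
audit: type=1400 audit(1.0:1): apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop" pid=10 comm="firefox-bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1107 audit(1.0:2): pid=20 uid=101 subj=unconfined msg='apparmor="DENIED" operation="dbus_method_call" bus="system" path="/org/freedesktop/hostname1" interface="org.freedesktop.DBus.Properties" member="GetAll" mask="send" name=":1.9" pid=10 label="firefox" peer_pid=30 peer_label="unconfined"'
audit: type=1400 audit(1.0:3): apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/usr/lib/x86_64-linux-gnu/glib-2.0/gio-launch-desktop" pid=10 comm="firefox-bin" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
audit: type=1400 audit(1.0:4): apparmor="ALLOWED" operation="open" class="file" profile="other" name="/tmp/x" pid=40 comm="x" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

def parse_denials(text):
    """Return (label, operation, target) for every apparmor="DENIED" record."""
    out = []
    for line in text.splitlines():
        f = dict(KV.findall(line))
        if f.get("apparmor") != "DENIED":
            continue
        # In the report, type=1400 lines carry profile= and type=1107 lines carry label=.
        label = f.get("profile") or f.get("label")
        dbus = f.get("operation", "").startswith("dbus")
        target = f'{f.get("path")} {f.get("interface")}.{f.get("member")}' if dbus else f.get("name")
        out.append((label, f.get("operation"), target))
    return out

def files_declaring(profile_dir, label):
    """Names of files in profile_dir containing a 'profile <label> ...' line."""
    return [p.name for p in sorted(Path(profile_dir).iterdir())
            if p.is_file() and label in PROFILE_DECL.findall(p.read_text(errors="replace"))]

def triage(log_text, profile_dir):
    """Count denials per (label, operation, target); map each label to its source files."""
    counts = Counter(parse_denials(log_text))
    sources = {label: files_declaring(profile_dir, label) for label, _, _ in counts}
    return counts, sources

def make_sample_dir():
    """Constructed stand-in for /etc/apparmor.d: the distro file plus a leftover one."""
    d = Path(tempfile.mkdtemp())
    (d / "firefox").write_text("profile firefox /usr/lib/firefox{,-esr}/firefox{,-esr,-bin} flags=(unconfined) {\n  userns,\n}\n")
    # The real usr.bin.firefox is not shown in the report; this body is invented.
    (d / "usr.bin.firefox").write_text("profile firefox /usr/lib/firefox/firefox{,-bin} {\n}\n")
    (d / "usr.sbin.example").write_text("profile example /usr/sbin/example {\n}\n")
    return d

if __name__ == "__main__":
    counts, sources = triage(SAMPLE_LOG, make_sample_dir())
    for key, n in counts.most_common():
        print(n, *key)
    print(sources)  # a label backed by more than one file deserves a closer look
```

On a real system, feed it the kernel or journal log text and /etc/apparmor.d, then run dpkg -S on each file it lists for the denying label to see which package, if any, still owns it.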