Hi!
Just posting this here because I’m not sure this is a bug. Clean KDE Neon install, Firefox freezes when loading some pages (Gmail, Booking.com). The tab just freezes, sometimes the whole of Firefox. The crash reporter fails to collect the information needed to report it. Other browsers work fine.
After disabling the apparmor service, it works. Then I removed the Firefox apparmor profile, enabled the service again, and it still works.
Description: KDE neon 5.27
Release: 22.04
[ 27.663210] audit: type=1400 audit(1695524097.643:74): apparmor="DENIED" operation="capable" class="cap" profile="firefox" pid=1719 comm="firefox" capability=21 capname="sys_admin"
[ 27.758068] audit: type=1400 audit(1695524097.739:75): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=1744 comm="glxtest" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 27.758074] audit: type=1400 audit(1695524097.739:76): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=1744 comm="glxtest" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 27.758083] audit: type=1400 audit(1695524097.739:77): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=1744 comm="glxtest" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 27.758091] audit: type=1400 audit(1695524097.739:78): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=1744 comm="glxtest" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 27.762352] audit: type=1400 audit(1695524097.743:79): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=1744 comm="glxtest" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 27.762361] audit: type=1400 audit(1695524097.743:80): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=1744 comm="glxtest" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 27.762387] audit: type=1400 audit(1695524097.743:81): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=1744 comm="glxtest" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 27.762395] audit: type=1400 audit(1695524097.743:82): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=1744 comm="glxtest" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[ 27.765671] audit: type=1400 audit(1695524097.747:83): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/1719/oom_score_adj" pid=1719 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[ 36.811688] kauditd_printk_skb: 25 callbacks suppressed
[ 36.811697] audit: type=1107 audit(1695524106.791:109): pid=782 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal" bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="UserRemoved" name=":1.14" mask="receive" pid=1719 label="firefox" peer_pid=814 peer_label="unconfined"
[ 36.811697] exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
[ 40.646935] audit: type=1400 audit(1695524110.627:110): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/1880/oom_score_adj" pid=1719 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[ 40.680982] audit: type=1400 audit(1695524110.663:111): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/1880/oom_score_adj" pid=1719 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[ 40.681913] audit: type=1400 audit(1695524110.663:112): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/2314/oom_score_adj" pid=1719 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[ 40.681950] audit: type=1400 audit(1695524110.663:113): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/2315/oom_score_adj" pid=1719 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[ 40.681988] audit: type=1400 audit(1695524110.663:114): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/2318/oom_score_adj" pid=1719 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[ 40.690851] audit: type=1400 audit(1695524110.671:115): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/2235/oom_score_adj" pid=1719 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[ 330.214911] audit: type=1400 audit(1695524400.148:116): apparmor="DENIED" operation="capable" class="cap" profile="/usr/sbin/cupsd" pid=47262 comm="cupsd" capability=12 capname="net_admin"
# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>
# Declare an apparmor variable to help with overrides
# (a site-local override can repoint the Firefox install directory without
# editing every rule that references it)
@{MOZ_LIBDIR}=/usr/lib/firefox
# Global tunables: defines @{PROC}, @{HOME} and friends used by the rules below
#include <tunables/global>
# We want to confine the binaries that match:
# /usr/lib/firefox/firefox
# /usr/lib/firefox/firefox
# but not:
# /usr/lib/firefox/firefox.sh
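profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} {
  # Confines the Firefox browser binary. Rules are grouped by what they serve
  # (networking, desktop integration, per-user state, helper programs).
  # Rules added below that are marked "(audit)" correspond to DENIED entries
  # observed in the kernel audit log for this profile on a KDE neon 22.04
  # install (glxtest reading PCI sysfs attributes, Firefox adjusting the OOM
  # score of its own processes, and a logind signal on the system bus).
  #
  # Not granted: capability sys_admin. The audit log also shows a "capable"
  # denial for it from the firefox process; granting it would defeat the
  # point of confinement, so that denial is left in place and is expected.

  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-strict>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dconf>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/p11-kit>
  #include <abstractions/ubuntu-unity7-base>
  #include <abstractions/ubuntu-unity7-launcher>

  # Accessibility (AT-SPI) bus
  #include <abstractions/dbus-accessibility-strict>
  dbus (send)
       bus=session
       peer=(name=org.a11y.Bus),
  dbus (receive)
       bus=session
       interface=org.a11y.atspi**,
  dbus (receive, send)
       bus=accessibility,

  # for networking
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/arp r,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  dbus (send)
       bus=system
       path=/org/freedesktop/NetworkManager
       member=state,
  dbus (receive)
       bus=system
       path=/org/freedesktop/NetworkManager,

  # (audit) logind broadcasts session/user lifecycle signals on the system
  # bus; the dbus-daemon logged a denied receive of UserRemoved for the
  # firefox label. Receiving a broadcast signal grants nothing beyond reading
  # it, so allow just that signal from the unconfined logind peer.
  dbus (receive)
       bus=system
       path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member=UserRemoved
       peer=(label=unconfined),

  # used by third_party/rust/audio_thread_priority
  dbus (send)
       bus=system
       path=/org/freedesktop/RealtimeKit1,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  /var/lib/snapd/desktop/applications/mimeinfo.cache r,
  /var/lib/snapd/desktop/applications/*.desktop r,
  owner /tmp/** m,
  owner /var/tmp/** m,
  owner /{,var/}run/shm/shmfd-* rw,
  owner /{dev,run}/shm/org.{chromium,mozilla}.* rwk,
  owner /{dev,run}/shm/wayland.mozilla.ipc.[0-9]* rw,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,

  # let the shell know we launched something
  dbus (send)
       bus=session
       interface=org.gtk.gio.DesktopAppInfo
       member=Launched,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # firefox specific
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,
  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts firefox and firefox.sh is used
  @{MOZ_LIBDIR}/** ixr,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,

  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  @{PROC}/sys/vm/overcommit_memory r,

  # (audit) The main firefox process writes oom_score_adj for itself and for
  # its child processes (fsuid == ouid in the log, so 'owner' is sufficient).
  # This only opens the file; whether a given value may be written is still
  # enforced by the kernel.
  owner @{PROC}/[0-9]*/oom_score_adj w,

  # prevent crash LP: #1931602
  /sys/devices/pci[0-9]*/**/{uevent,resource,irq,class} r,
  /sys/devices/platform/**/uevent r,
  /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
  /sys/devices/pci*/**/{,subsystem_}device r,
  /sys/devices/pci*/**/{,subsystem_}vendor r,
  # (audit) glxtest (GPU detection helper) also reads the PCI 'revision' and
  # 'config' attributes of the graphics device; both are world-readable
  # root-owned sysfs files, so a read-only rule is enough.
  /sys/devices/pci[0-9]*/**/{revision,config} r,
  /sys/devices/system/node/node[0-9]*/meminfo r,
  owner @{HOME}/.cache/thumbnails/** rw,
  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # so browsing directories works
  / r,
  /**/ r,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

  # per-user firefox configuration
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/firefox* rwk,
  owner @{HOME}/.cache/mozilla/{,firefox/} rw,
  owner @{HOME}/.cache/mozilla/firefox/** rw,
  owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  owner @{HOME}/.config/dconf/user w,
  owner /{,var/}run/user/*/dconf/user w,

  # GConf (legacy settings backend)
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Server
       member=GetDefaultDatabase
       peer=(label=unconfined),
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Database/*
       member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify}
       peer=(label=unconfined),

  # gvfs mount tracker
  dbus (send)
       bus=session
       path=/org/gtk/vfs/mounttracker
       interface=org.gtk.vfs.MountTracker
       member=ListMountableInfo
       peer=(label=unconfined),

  # Allow access to xdg-desktop-portal and xdg-document-portal (LP: #1974449)
  dbus (receive, send)
       bus=session
       interface=org.freedesktop.portal.*
       path=/org/freedesktop/portal/{desktop,documents}{,/**}
       peer=(label=unconfined),
  dbus (receive, send)
       bus=session
       interface=org.freedesktop.DBus.Properties
       path=/org/freedesktop/portal/{desktop,documents}{,/**}
       peer=(label=unconfined),

  # Allow remote control when running on Wayland
  dbus (send)
       bus=session
       path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=RequestName
       peer=(name=org.freedesktop.DBus),
  dbus (bind)
       bus=session
       name=org.mozilla.firefox.*,
  dbus (send, receive)
       bus=session
       path=/org/mozilla/firefox/Remote
       interface=org.mozilla.firefox
       member=OpenURL
       peer=(label=firefox),

  # gnome-session
  dbus (send)
       bus=session
       path=/org/gnome/SessionManager
       interface=org.gnome.SessionManager
       member={Inhibit,Uninhibit}
       peer=(label=unconfined),

  # unity screen API
  dbus (send)
       bus=system
       interface="org.freedesktop.DBus.Introspectable"
       path="/com/canonical/Unity/Screen"
       member="Introspect"
       peer=(label=unconfined),
  dbus (send)
       bus=system
       interface="com.canonical.Unity.Screen"
       path="/com/canonical/Unity/Screen"
       member={keepDisplayOn,removeDisplayOnRequest}
       peer=(label=unconfined),

  # freedesktop.org ScreenSaver
  dbus (send)
       bus=session
       path=/{,org/freedesktop/,org.gnome/}Screen{s,S}aver
       interface=org.freedesktop.ScreenSaver
       member={Inhibit,UnInhibit,SimulateUserActivity}
       peer=(label=unconfined),

  # gnome, kde and cinnamon screensaver
  dbus (send)
       bus=session
       path=/{,ScreenSaver}
       interface=org.{gnome.ScreenSaver,kde.screensaver,cinnamon.ScreenSaver}
       member=SimulateUserActivity
       peer=(label=unconfined),

  # UPower
  dbus (send)
       bus=system
       path=/org/freedesktop/UPower
       interface=org.freedesktop.UPower
       member=EnumerateDevices
       peer=(label=unconfined),

  # File browser
  dbus (send)
       bus=session
       interface=org.freedesktop.FileManager1
       path=/org/freedesktop/FileManager1
       member=ShowItems,

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  owner @{HOME}/.mozilla/**/extensions/** mixr,
  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Miscellaneous (to be abstracted)
  # Ideally these would use a child profile. They are all ELF executables
  # so running with 'Ux', while not ideal, is ok because we will at least
  # benefit from glibc's secure execute.
  /usr/bin/mkfifo Uxr, # investigate
  /bin/ps Uxr,
  /bin/uname Uxr,

  # lsb_release runs as a python script, so it gets its own child profile
  # rather than 'Ux'; the interpreter it needs is listed explicitly below.
  /usr/bin/lsb_release Cxr -> lsb_release,
  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>
    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,
    /usr/include/python2.[4567]/pyconfig.h r,
    /etc/lsb-release r,
    /etc/debian_version r,
    /usr/share/distro-info/*.csv r,
    /var/lib/dpkg/** r,
    /usr/local/lib/python3.[0-9]/dist-packages/ r,
    /usr/bin/ r,
    /usr/bin/python3.[0-9] mr,
    # file_inherit
    deny /tmp/gtalkplugin.log w,
  }

  # Addons
  #include <abstractions/ubuntu-browsers.d/firefox>

  # Site-specific additions and overrides. See local/README for details.
  #include <local/usr.bin.firefox>
}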
I don’t really know how to fix the apparmor profile, but it’s the default one… and it’s not working, at least on my setup.
Is this a bug?