[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apparmor problem.

On Sat, Apr 9, 2022 at 5:46 AM George <gpdsbe+debian@mailbox.org> wrote:
Hi!
Im trying to make a profile for firefox-esr.

I used aa-genprof to create it and then aa-logprof to update it.
I also use apparmor-notify to get error messages.

The problem is that I get constant apparmor messages like the
following:

Apparmor Message
Profile /usr/lib/firefox-esr/firefox-esr
Operation: file_lock
Name: /home/gpred/.mozilla/firefox/8i0h8b60.default-esr/-
webappsstore.sqlite
Denied: wk
Logfile: /var/log/kern.log

I run aa-logprof but it doesnt seem to detect the denied command. It
doesnt show me the option to allow it,deny it, etc. I also tried to
clear the kern.log and syslog files but after a while I have the same
problem.

Any ideas?

My reading is that firefox access to the file labelled as "Name:" is failing.
It's failing because firefox wants to obtain a lock on that file but can't.

In other words:
 Name: /home/gpred/.mozilla/firefox/8i0h8b60.default-esr/-
webappsstore.sqlite

It's trying to create a lock for the file with that name, and lock creation failed.
Could be because firefox lacks permissions to that file. Or because your login id
lacks permissions to it. Or because another process holds a lock on it already.

My firefox profile


# Last Modified: Sat Apr  9 12:18:47 2022
#include <tunables/global>

/usr/lib/firefox-esr/firefox-esr flags=(complain) {
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/evince>
  #include <abstractions/nameservice>
  #include <abstractions/nvidia>
  #include <abstractions/openssl>
  #include <abstractions/postfix-common>
  #include <abstractions/python>
  #include <abstractions/totem>
  #include <abstractions/ubuntu-browsers.d/ubuntu-integration>
  #include <abstractions/ubuntu-konsole>

  deny /home/*/AppData/** rw,

  capability sys_admin,

  signal send set=kill peer=/usr/lib/firefox-esr/firefox-esr//null-
/usr/lib/firefox-esr/firefox-esr,
  signal send set=term peer=/usr/lib/firefox-esr/firefox-esr//null-
/usr/lib/firefox-esr/firefox-esr,
  signal send set=term peer=/usr/lib/firefox-esr/firefox-esr//null-
/usr/lib/firefox-esr/plugin-container,

  /etc/firefox-esr/firefox-esr.js r,
  /etc/mailcap r,
  /etc/mime.types r,
  /proc/devices r,
  /proc/driver/nvidia/params r,
  /proc/filesystems r,
  /proc/modules r,
  /sys/devices/pci0000:00/0000:00:00.0/class r,
  /sys/devices/pci0000:00/0000:00:00.0/device r,
  /sys/devices/pci0000:00/0000:00:00.0/vendor r,
  /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/class r,
  /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/device r,
  /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/subsystem_device r,
  /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/subsystem_vendor r,
  /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/vendor r,
  /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.1/class r,
  /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.1/device r,
  /sys/devices/pci0000:00/0000:00:01.0/0000:02:00.1/vendor r,
  /sys/devices/pci0000:00/0000:00:01.0/class r,
  /sys/devices/pci0000:00/0000:00:01.0/device r,
  /sys/devices/pci0000:00/0000:00:01.0/vendor r,
  /sys/devices/pci0000:00/0000:00:02.0/class r,
  /sys/devices/pci0000:00/0000:00:02.0/device r,
  /sys/devices/pci0000:00/0000:00:02.0/vendor r,
  /sys/devices/pci0000:00/0000:00:04.0/class r,
  /sys/devices/pci0000:00/0000:00:04.0/device r,
  /sys/devices/pci0000:00/0000:00:04.0/vendor r,
  /sys/devices/pci0000:00/0000:00:08.0/class r,
  /sys/devices/pci0000:00/0000:00:08.0/device r,
  /sys/devices/pci0000:00/0000:00:08.0/vendor r,
  /sys/devices/pci0000:00/0000:00:12.0/class r,
  /sys/devices/pci0000:00/0000:00:12.0/device r,
  /sys/devices/pci0000:00/0000:00:12.0/vendor r,
  /sys/devices/pci0000:00/0000:00:14.0/class r,
  /sys/devices/pci0000:00/0000:00:14.0/device r,
  /sys/devices/pci0000:00/0000:00:14.0/vendor r,
  /sys/devices/pci0000:00/0000:00:14.2/class r,
  /sys/devices/pci0000:00/0000:00:14.2/device r,
  /sys/devices/pci0000:00/0000:00:14.2/vendor r,
  /sys/devices/pci0000:00/0000:00:15.0/class r,
  /sys/devices/pci0000:00/0000:00:15.0/device r,
  /sys/devices/pci0000:00/0000:00:15.0/vendor r,
  /sys/devices/pci0000:00/0000:00:16.0/class r,
  /sys/devices/pci0000:00/0000:00:16.0/device r,
  /sys/devices/pci0000:00/0000:00:16.0/vendor r,
  /sys/devices/pci0000:00/0000:00:17.0/class r,
  /sys/devices/pci0000:00/0000:00:17.0/device r,
  /sys/devices/pci0000:00/0000:00:17.0/vendor r,
  /sys/devices/pci0000:00/0000:00:1b.0/0000:03:00.0/class r,
  /sys/devices/pci0000:00/0000:00:1b.0/0000:03:00.0/device r,
  /sys/devices/pci0000:00/0000:00:1b.0/0000:03:00.0/vendor r,
  /sys/devices/pci0000:00/0000:00:1b.0/class r,
  /sys/devices/pci0000:00/0000:00:1b.0/device r,
  /sys/devices/pci0000:00/0000:00:1b.0/vendor r,
  /sys/devices/pci0000:00/0000:00:1c.0/0000:04:00.0/class r,
  /sys/devices/pci0000:00/0000:00:1c.0/0000:04:00.0/device r,
  /sys/devices/pci0000:00/0000:00:1c.0/0000:04:00.0/vendor r,
  /sys/devices/pci0000:00/0000:00:1c.0/class r,
  /sys/devices/pci0000:00/0000:00:1c.0/device r,
  /sys/devices/pci0000:00/0000:00:1c.0/vendor r,
  /sys/devices/pci0000:00/0000:00:1f.0/class r,
  /sys/devices/pci0000:00/0000:00:1f.0/device r,
  /sys/devices/pci0000:00/0000:00:1f.0/vendor r,
  /sys/devices/pci0000:00/0000:00:1f.3/class r,
  /sys/devices/pci0000:00/0000:00:1f.3/device r,
  /sys/devices/pci0000:00/0000:00:1f.3/vendor r,
  /sys/devices/pci0000:00/0000:00:1f.4/class r,
  /sys/devices/pci0000:00/0000:00:1f.4/device r,
  /sys/devices/pci0000:00/0000:00:1f.4/vendor r,
  /sys/devices/pci0000:00/0000:00:1f.5/class r,
  /sys/devices/pci0000:00/0000:00:1f.5/device r,
  /sys/devices/pci0000:00/0000:00:1f.5/vendor r,
  /sys/devices/system/cpu/cpu0/cache/index2/size r,
  /sys/devices/system/cpu/cpu0/cache/index3/size r,
  /sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
  /sys/devices/system/cpu/present r,
  /sys/devices/system/memory/block_size_bytes r,
  /usr/bin/chrome-gnome-shell mrix,
  /usr/bin/lsb_release mrix,
  /usr/bin/python3.9 ix,
  /usr/bin/python3.9 r,
  /usr/lib/firefox-esr/firefox-esr mrix,
  /usr/lib/firefox-esr/plugin-container mrix,
  /var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
  /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache r,
  /var/lib/flatpak/exports/share/icons/hicolor/index.theme r,
  owner /home/*/.cache/fontconfig/* r,
  owner /home/*/.cache/mozilla/firefox/8i0h8b60.default-esr/** rw,
  owner /home/*/.cache/mozilla/firefox/8i0h8b60.default-esr/.startup-
incomplete w,
  owner
/home/*/.cache/nvidia/GLCache/4e72b67faf2c55a81064f0f669542d15/af453b2f


87001cad/f35e6a48c63c96b3.bin rwk,
  owner
/home/*/.cache/nvidia/GLCache/4e72b67faf2c55a81064f0f669542d15/af453b2f


87001cad/f35e6a48c63c96b3.toc rwk,
  owner /home/*/.config/dconf/user r,
  owner /home/*/.config/mimeapps.list r,
  owner /home/*/.config/pulse/cookie rk,
  owner /home/*/.local/share/applications/mimeinfo.cache r,
  owner /home/*/.mozilla/firefox/** rwk,
  owner /proc/*/cgroup r,
  owner /proc/*/comm r,
  owner /proc/*/gid_map w,
  owner /proc/*/maps r,
  owner /proc/*/mountinfo r,
  owner /proc/*/mounts r,
  owner /proc/*/setgroups w,
  owner /proc/*/smaps r,
  owner /proc/*/stat r,
  owner /proc/*/statm r,
  owner /proc/*/status r,
  owner /proc/*/task/*/comm rw,
  owner /proc/*/task/*/stat r,
  owner /proc/*/uid_map w,
  owner /run/user/1000/ICEauthority r,
  owner /usr/lib/firefox-esr/fonts/** rw,
  owner /home/*/Downloads/** rw,
  owner /home/*/** r,

}



Reply to: