Bug 397399

Summary: Firefox plasma-browser-integration crashes with apparmor profiles enforced
Product: [Plasma] plasma-browser-integration Reporter: Mark <markotahal>
Component: FirefoxAssignee: Kai Uwe Broulik <kde>
Status: CONFIRMED ---    
Severity: normal CC: fabian, mss, thepowersauce
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
URL: https://gitlab.com/apparmor/apparmor/-/merge_requests/1115
See Also: https://bugs.kde.org/show_bug.cgi?id=475786
https://bugs.kde.org/show_bug.cgi?id=481568
Latest Commit: Version Fixed In:
Attachments: AppArmor message after starting FF, browser-integration crash

Description Mark 2018-08-12 13:59:46 UTC 
Ubuntu 18.04.1, up to date. 
Latest firefox, plasma-browser-integration, apparmor with FF profile enabled. 

I get this crash after starting FF: 
..that browser-integration was denied x (execute) right. Quite obviously from the POV of apparmor. 

I think browser-integration needs to provide its own profile to apparmor that will override this, or cooperate with Firefox that provide theirs for ubuntu.
Comment 1 Mark 2018-08-12 14:05:42 UTC 
Created attachment 114416 [details]
AppArmor message after starting FF, browser-integration crash
Comment 2 Fabian Vogt 2018-08-13 08:24:00 UTC 
I don't see how we can ship a profile in pbi which allows firefox to execute it - firefox' profile denies execution of anything except of whitelisted executables.

This is an issue with the upstream apparmor profile and currently we can't fix it without changes in there. Can you file a bug upstream?
Comment 3 Christoph Feck 2018-09-05 03:28:45 UTC 
Upstream at Firefox or AppArmor?
Comment 4 Fabian Vogt 2018-09-05 06:49:14 UTC 
(In reply to Christoph Feck from comment #3)
> Upstream at Firefox or AppArmor?

Upstream at apparmor, that's where the profile comes from: https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
Comment 5 M. Kaye 2019-08-21 07:10:23 UTC 
Comment on attachment 114416 [details]
AppArmor message after starting FF, browser-integration crash

>Profile: /usr/lib/firefox/firefox{,*[^s][^h]}
>Operation: ptrace
>Denied: trace
>Logfile: /var/log/audit/audit.log
>For more information, please see:
>https://wiki.ubuntu.com/DebuggingApparmor 
>Profile: /usr/lib/firefox/firefox{,*[^s][^h]}
>Operation: exec
>Name: /usr/bin/plasma-browser-integration-host
>Denied: x
Comment 6 Malte S. Stretz 2023-10-18 09:45:20 UTC 
I opened a merge request upstream at https://gitlab.com/apparmor/apparmor/-/merge_requests/1115

As a workaround one can add the following line (including the trailing comma) to /etc/apparmor.d/local/usr.bin.firefox:

  /usr/bin/plasma-browser-integration-host Cx -> sanitized_helper,
Comment 7 Malte S. Stretz 2024-02-20 10:03:19 UTC 
*** Bug 481568 has been marked as a duplicate of this bug. ***