Ubuntu 18.04.1, up to date. Latest firefox, plasma-browser-integration, apparmor with FF profile enabled. I get this crash after starting FF: ..that browser-integration was denied x (execute) right. Quite obviously from the POV of apparmor. I think browser-integration needs to provide its own profile to apparmor that will override this, or cooperate with Firefox that provide theirs for ubuntu.
Created attachment 114416 [details] AppArmor message after starting FF, browser-integration crash
I don't see how we can ship a profile in pbi which allows firefox to execute it - firefox' profile denies execution of anything except of whitelisted executables. This is an issue with the upstream apparmor profile and currently we can't fix it without changes in there. Can you file a bug upstream?
Upstream at Firefox or AppArmor?
(In reply to Christoph Feck from comment #3) > Upstream at Firefox or AppArmor? Upstream at apparmor, that's where the profile comes from: https://gitlab.com/apparmor/apparmor/blob/master/profiles/apparmor/profiles/extras/usr.lib.firefox.firefox
Comment on attachment 114416 [details] AppArmor message after starting FF, browser-integration crash >Profile: /usr/lib/firefox/firefox{,*[^s][^h]} >Operation: ptrace >Denied: trace >Logfile: /var/log/audit/audit.log >For more information, please see: >https://wiki.ubuntu.com/DebuggingApparmor >Profile: /usr/lib/firefox/firefox{,*[^s][^h]} >Operation: exec >Name: /usr/bin/plasma-browser-integration-host >Denied: x
I opened a merge request upstream at https://gitlab.com/apparmor/apparmor/-/merge_requests/1115 As a workaround one can add the following line (including the trailing comma) to /etc/apparmor.d/local/usr.bin.firefox: /usr/bin/plasma-browser-integration-host Cx -> sanitized_helper,
*** Bug 481568 has been marked as a duplicate of this bug. ***