475786 – backport required: plasma-browser-integration does not work in firefox due to apparmor

Bug 475786 - backport required: plasma-browser-integration does not work in firefox due to apparmor

Summary: backport required: plasma-browser-integration does not work in firefox due to...

Status:	REPORTED

Alias:	None

Product:	neon
Classification:	KDE Neon
Component:	Packages User Edition (show other bugs)
Version:	unspecified
Platform:	Other Linux

Importance:	NOR normal
Target Milestone:	---
Assignee:	Neon Bugs

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-10-18 08:28 UTC by Malte S. Stretz
Modified:	2024-02-20 10:05 UTC (History)
CC List:	3 users (show)

See Also:	397399 481568
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Malte S. Stretz 2023-10-18 08:28:12 UTC

SUMMARY
The root issue was already filed as bug 397399 where the result was "This is an issue with the upstream apparmor profile and currently we can't fix it without changes in there." While the application itself can't fix it Neon is in a different position and it should be able to drop in an override which allows the execution of /usr/bin/plasma-browser-integration-host

I think (but haven tested it yet) that this should be possible by dropping a file into /etc/apparmor.d/abstractions/kde.d/

STEPS TO REPRODUCE
1. Start firefox
2. Install /usr/bin/plasma-browser-integration-host
3. Go the the addons' preferences and notice the "Failed to connect to native host" error message
4. Verify that the package plasma-browser-integration is installed
5. Go to about:debugging#/runtime/this-firefox
6. Click on "Inspect" for the Plasma Integration plugin
7. Look at console tab, notice the error message "Not auto-restarting host as we haven't received any message from it before. Check that it's working/installed correctly"
8. Google wildly and find pointers to apparmor
9. Finally look at something like `journalctl --since '1 hour ago' | grep plasma-browser-integration-host` and notice lines like "Okt 18 09:58:52 localhost audit[20833]: AVC apparmor="DENIED" operation="exec" class="file" profile="firefox" name="/usr/bin/plasma-browser-integration-host" pid=20833 comm=444F4D20576F726B6572 requested_mask="x" denied_mask="x" fsuid=1000 ouid=0"

OBSERVED RESULT
Plasma Browser Integrations do not work out of the box

EXPECTED RESULT
They should work

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Neon User Edition 5.27
(available in About System)
KDE Plasma Version: 5.27.8
KDE Frameworks Version: 5.110.0
Qt Version: 5.15.11

ADDITIONAL INFORMATION

Comment 1 Malte S. Stretz 2023-10-18 08:41:34 UTC

I made this work by appending the following line (including the trailing comma) to /etc/apparmor.d/abstractions/ubuntu-browsers.d/kde where I think it belongs:

/usr/bin/plasma-browser-integration-host Cx -> sanitized_helper,

For the record: The relevant inclusion tree looks like this:

/etc/apparmor.d/usr.bin.firefox
  -> /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox
    -> /etc/apparmor.d/abstractions/ubuntu-browsers.d/kde
      -> /etc/apparmor.d/abstractions/kde
        -> /etc/apparmor.d/abstractions/kde.d/*
-> /etc/apparmor.d/local/usr.bin.firefox

Comment 2 Malte S. Stretz 2024-02-20 10:03:58 UTC

This change should be backported from upstream to the KDE Neon AppArmor packages: https://gitlab.com/apparmor/apparmor/-/merge_requests/1115