Ubuntu
linux package

Non-flatpak Firefox-based browsers crash with kernel 6.8.0-11-generic in 24.04

Bug #2056297 reported by cipricus
18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
New
Undecided
Unassigned

Bug Description

All details are to be found in my previous bug report (https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/2056190).

Given that simply reverting to kernel 6.5.0-17-generic fixes the problem, the bug seems to be with the 6.8.0 kernel. Therefore I'm posting this.

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: linux-image-6.8.0-11-generic 6.8.0-11.11
ProcVersionSignature: Ubuntu 6.8.0-11.11-generic 6.8.0-rc4
Uname: Linux 6.8.0-11-generic x86_64
ApportVersion: 2.28.0-0ubuntu1
Architecture: amd64
CRDA: N/A
CasperMD5CheckResult: pass
CurrentDesktop: KDE
Date: Wed Mar 6 09:49:36 2024
InstallationDate: Installed on 2023-10-04 (154 days ago)
InstallationMedia: Kubuntu 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220419)
MachineType: Sony Corporation VPCSB2P9E
ProcFB: 0 i915drmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-6.8.0-11-generic root=UUID=0dbb7177-a759-43f8-86d2-53e3253805d5 ro quiet splash vt.handoff=7
PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
RelatedPackageVersions:
 linux-restricted-modules-6.8.0-11-generic N/A
 linux-backports-modules-6.8.0-11-generic N/A
 linux-firmware 20240202.git36777504-0ubuntu1
SourcePackage: linux
UpgradeStatus: Upgraded to noble on 2024-03-04 (2 days ago)
dmi.bios.date: 11/16/2011
dmi.bios.release: 20.85
dmi.bios.vendor: INSYDE
dmi.bios.version: R2085H4
dmi.board.asset.tag: N/A
dmi.board.name: VAIO
dmi.board.vendor: Sony Corporation
dmi.board.version: N/A
dmi.chassis.asset.tag: N/A
dmi.chassis.type: 10
dmi.chassis.vendor: Sony Corporation
dmi.chassis.version: N/A
dmi.ec.firmware.release: 20.85
dmi.modalias: dmi:bvnINSYDE:bvrR2085H4:bd11/16/2011:br20.85:efr20.85:svnSonyCorporation:pnVPCSB2P9E:pvrC609DJQ5:rvnSonyCorporation:rnVAIO:rvrN/A:cvnSonyCorporation:ct10:cvrN/A:skuN/A:
dmi.product.family: VAIO
dmi.product.name: VPCSB2P9E
dmi.product.sku: N/A
dmi.product.version: C609DJQ5
dmi.sys.vendor: Sony Corporation

See original description
Revision history for this message
cipricus (cipricus) wrote :
cipricus (cipricus)
description: updated
Revision history for this message
Matthew Ruffell (mruffell) wrote :

Hi cipricus,

This is a security feature working as intended. Ubuntu recently decided to disable unprivileged access to user namespaces. You can find more information it about it here:

https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
https://discourse.ubuntu.com/t/spec-unprivileged-user-namespace-restrictions-via-apparmor-in-ubuntu-23-10/37626
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046844

It was included (but turned off in 23.10). In 24.04, it has been turned on.

We have been adding apparmor profiles for most packaged applications. Saying that, firefox downloaded from tarballs or other places don't come with an apparmor profile, so the mitigation isn't relaxed for them.

You can enable user namespaces by either making a apparmor profile for your firefox installs, making sure the directory where firefox is installed is correct in the profile, or by just enabling user namespaces for your system. There is instructions to do this in the first blog link.

Thanks,
Matthew

Revision history for this message
John Johansen (jjohansen) wrote :

Hi cipricus,

can you specify how and where your firefox was installed? We are trying to support multiple variations including downloading directly from mozilla if it is installed to the standard location?

mruffell is correct in his assessment that this is due to firefox not correctly handling user namespace mediation. This can be seen in your dmesg with the following messages

[ 69.033622] audit: type=1400 audit(1709714939.278:138): apparmor="AUDIT" operation="userns_create" class="namespace" info="Userns create - transitioning profile" profile="unconfined" pid=2922 comm=495043204C61756E6368 requested="userns_create" target="unprivileged_userns"
[ 69.037108] audit: type=1400 audit(1709714939.282:139): apparmor="DENIED" operation="capable" class="cap" profile="unprivileged_userns" pid=2982 comm=53616E64626F7820466F726B6564 capability=21 capname="sys_admin"

Unfortunately firefox does not handle the error returned when it tries an operation that require sys_admin capability gracefully resulting in the crash.

mruffell has already provided all the relevant links so I will just supplement that information

1. The recommended way is updating the firefox profile in /etc/apparmor.d/firefox by adding the location you have firefox installed, and then reloading the profile with sudo apparmor_parser -r /etc/apparmor.d/firefox

2. You can disable user namespaces, this will keep firefox from trying to use them as part of ts sandbox https://lwn.net/Articles/673597/

3. the least recommended way to fix this is you can disable the finer grained user namespace restrictions as outlined in https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces

Revision history for this message
John Johansen (jjohansen) wrote :

I will add here as well that we have an update of the firefox profile coming that supports the /opt/firefox/firefox location used as the default install for the firefox downloaded directly from mozilla.org

Revision history for this message
Chris Halse Rogers (raof) wrote : Proposed package upload rejected

An upload of apparmor to noble-proposed has been rejected from the upload queue for the following reason: "dpkg-source: warning: diff 'apparmor-4.0.1/debian/patches/ubuntu/profiles-fix-wike-profile-location-to-apparmor.d.patch' doesn't contain any patch - you can't rename files in a diff!".

Revision history for this message
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello cipricus, or anyone else affected,

Accepted apparmor into noble-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/4.0.1-0ubuntu0.24.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-noble to verification-done-noble. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-noble. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-noble
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.