Various sandbox denials with firefox snap

Bug #1597113 reported by Catlee
This bug affects 3 people
Affects: Snappy
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

I'm trying to package Firefox as a snap, and ran into errors with "Bad system calls". Initially, I hit this error:

Jun 27 18:09:05 catlee-VirtualBox kernel: [ 2232.006313] audit: type=1326 audit(1467065345.849:5624): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=6968 comm="firefox" exe="/snap/firefox/100003/firefox/firefox" sig=31 arch=c000003e syscall=317 compat=0 ip=0x7fd78dd0ac19 code=0x0

According to scmp_sys_resolver, syscall 317 is the seccomp call.

Once I edit /var/lib/snapd/seccomp/profiles/snap.firefox.firefox and add 'seccomp' to the file, I get another bad system call:

Jun 27 18:19:20 catlee-VirtualBox kernel: [ 2846.651653] audit: type=1326 audit(1467065960.194:5625): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=7244 comm="firefox" exe="/snap/firefox/100003/firefox/firefox" sig=31 arch=c000003e syscall=272 compat=0 ip=0x7f868ad65c19 code=0x0

Syscall 272 corresponds to unshare. If I add unshare to the seccomp profile, then Firefox no longer aborts on startup with a bad system call. (It's not starting completely, but I haven't figured out why yet.)

Rail Aliiev (rail) wrote :

I managed to start it with the following permissions added to /var/lib/snapd/seccomp/profiles/snap.firefox.firefox:

seccomp
unshare
setpriority

When I try to load a website I get a lot of errors like these:

= AppArmor =
Time: Jun 28 20:59:17
Log: apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/proc/2952/smaps" pid=2952 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/2952/smaps (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/smaps'

= AppArmor =
Time: Jun 28 20:59:52
Log: apparmor="DENIED" operation="mknod" profile="snap.firefox.firefox" name="/dev/shm/org.chromium.S4ccxx" pid=3003 comm=57656220436F6E74656E74 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
File: /dev/shm/org.chromium.S4ccxx (write)
Suggestion:
* adjust program to create files and directories in /dev/shm/snap.$SNAP_NAME.*

= AppArmor =
Time: Jun 28 21:04:20
Log: apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/proc/2952/mountinfo" pid=2972 comm=43616368653220492F4F requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/2952/mountinfo (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
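
A small triage helper for the two kinds of denial records quoted in this report, given here as an added example that is not part of the bug thread or of snapd: it maps the syscall number in a seccomp audit record to a name and decodes the hex-encoded comm= values seen in the AppArmor records. The syscall table is an assumption limited to x86_64 and the three calls named in this report, and the function names are hypothetical.

```python
import re

# Assumption: x86_64 (arch=c000003e) numbers for only the syscalls named in this
# report; scmp_sys_resolver is the authoritative lookup for anything else.
X86_64_SYSCALLS = {141: "setpriority", 272: "unshare", 317: "seccomp"}
AUDIT_ARCH_X86_64 = 0xC000003E
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample records taken from this report, with the syslog prefix trimmed.
SAMPLE = [
    'audit: type=1326 audit(1467065345.849:5624): auid=4294967295 uid=1000 gid=1000 ses=4294967295 pid=6968 comm="firefox" exe="/snap/firefox/100003/firefox/firefox" sig=31 arch=c000003e syscall=317 compat=0 ip=0x7fd78dd0ac19 code=0x0',
    'apparmor="DENIED" operation="mknod" profile="snap.firefox.firefox" name="/dev/shm/org.chromium.S4ccxx" pid=3003 comm=57656220436F6E74656E74 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
]


def fields(line):
    """Split a record into key -> (value, was_quoted)."""
    return {k: (v.strip('"'), v.startswith('"')) for k, v in FIELD.findall(line)}


def comm(rec):
    """The kernel hex-encodes comm when it holds spaces or other unsafe bytes."""
    value, quoted = rec["comm"]
    if not quoted and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def triage(line):
    """Return (kind, process name, detail) for a denial record, else None."""
    rec = fields(line)
    if rec.get("type", ("",))[0] == "1326":  # AUDIT_SECCOMP
        nr = int(rec["syscall"][0])
        name = None
        if int(rec["arch"][0], 16) == AUDIT_ARCH_X86_64:
            name = X86_64_SYSCALLS.get(nr)
        return ("seccomp", comm(rec), name or f"syscall {nr} (use scmp_sys_resolver)")
    if rec.get("apparmor", ("",))[0] == "DENIED":
        detail = f'{rec["operation"][0]} {rec["name"][0]} ({rec["denied_mask"][0]})'
        return ("apparmor", comm(rec), detail)
    return None


if __name__ == "__main__":
    for record in SAMPLE:
        print(triage(record))
```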

tags: added: snapd-interface
Jamie Strandboge (jdstrand) wrote :

'seccomp' is allowed as of snapd 2.0.9. 'setpriority' is bug #1580968 and bug #1577520 and we'll be able to allow it in snapd 2.0.11. /dev/shm/org.chromium.S4ccxx is bug #1577514 (which you can fix in your code now if you adjust the path to be '/dev/shm/snap.firefox.XXXXXX'. Soon you'll be able to redirect the path as described in the bug). 'unshare' is bug #1586547 and is being investigated (in the meantime, you could disable userns in your build).

@{PROC}/@{pid}/smaps I'll get fixed up for snapd 2.0.11 (2.0.10 is already cut for release).

/proc/2952/mountinfo is likely just noise but you can also add 'mount-observe' to your plugs.

Jamie Strandboge (jdstrand) wrote :

Since this bug is actually many different bugs that are all being tracked, I'm going to mark this as a duplicate of bug #1586547 (unshare) for somewhat arbitrary reasons.

Thanks for your report!

Changed in snappy:
status: New → Confirmed
summary: - seccomp system call denied
+ Various sandbox denials with firefox snap
Jamie Strandboge (jdstrand) wrote :

Lastly, in case you didn't know, you can use '--devmode' to install the snap without applying the security sandbox, which should unblock the development of the snap.

Rail Aliiev (rail) wrote :

Thanks! It works fine in --devmode, but the idea was to make it sandboxed.

Jamie Strandboge (jdstrand) wrote :

@Rail - glad to hear you are unblocked.

FYI, looks like I was able to get the smaps denial fixed in time for snapd 2.0.10 which should be released very soon and available in Ubuntu in the coming days.

Rail Aliiev (rail) wrote :

\o/

thank you!

Jamie Strandboge (jdstrand) wrote :

FYI, seccomp is allowed now by default and we're implementing a 'browser' interface (there is a PR now) that will allow firefox to, among other things, use 'unshare'.
