Various sandbox denials with firefox snap
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Snappy | Confirmed | Undecided | Unassigned |
Bug Description
I'm trying to package Firefox as a snap, and ran into errors with "Bad system calls". Initially, I hit this error:
Jun 27 18:09:05 catlee-VirtualBox kernel: [ 2232.006313] audit: type=1326 audit(146706534
According to scmp_sys_resolver, syscall 317 is the seccomp call.
Once I edit /var/lib/
Jun 27 18:19:20 catlee-VirtualBox kernel: [ 2846.651653] audit: type=1326 audit(146706596
syscall 272 corresponds to unshare. If I add unshare to the seccomp profile, then Firefox no longer aborts on startup with a bad system call. (It's not starting completely, but I haven't figured out why yet.)
tags: added: snapd-interface
I managed to start it with the following permissions added to /var/lib/snapd/seccomp/profiles/snap.firefox.firefox:
seccomp
unshare
setpriority
When I try to load a website I get a lot of errors like these:
= AppArmor =
Time: Jun 28 20:59:17
Log: apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/proc/2952/smaps" pid=2952 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/2952/smaps (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/smaps'

= AppArmor =
Time: Jun 28 20:59:52
Log: apparmor="DENIED" operation="mknod" profile="snap.firefox.firefox" name="/dev/shm/org.chromium.S4ccxx" pid=3003 comm=57656220436F6E74656E74 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
File: /dev/shm/org.chromium.S4ccxx (write)
Suggestion:
* adjust program to create files and directories in /dev/shm/snap.$SNAP_NAME.*

= AppArmor =
Time: Jun 28 21:04:20
Log: apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/proc/2952/mountinfo" pid=2972 comm=43616368653220492F4F requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
File: /proc/2952/mountinfo (read)
Suggestion:
* adjust program to not access '@{PROC}/@{pid}/mountinfo'
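The two kinds of denial in this bug (the type=1326 seccomp kills in the description, which the reporter resolved by hand with scmp_sys_resolver, and the AppArmor DENIED records in the comment above) can be turned into profile hints mechanically. The script below is an added example, not code from the bug report, Firefox or snapd. It parses kernel audit records of both types, resolves seccomp syscall numbers to names (the list the reporter added one per line to the snap's seccomp profile), decodes the hex-encoded comm values AppArmor emits for names containing spaces, and rewrites each AppArmor denial into a candidate rule line with per-pid paths generalised to @{PROC}/@{pid}/ as snappy-debug's suggestions do. Assumptions: SAMPLE_LOG is constructed (the bug quotes the seccomp lines only up to the timestamp, so the pids, exe path and instruction pointers there are invented; the AppArmor lines match the comment); SYSCALL_X86_64 holds only the two numbers the report resolves, with scmp_sys_resolver as an optional fallback if libseccomp's tools are installed; the denied_mask-to-permission mapping in apparmor_hint is a heuristic (create/delete need 'w' in a rule).

```python
"""Turn kernel audit denials from a confined snap into profile hints.

Added example, not code from the bug report, Firefox or snapd.
Handles type=1326 (seccomp kill) and type=1400 (AppArmor DENIED) records.
"""
import re
import shutil
import subprocess

# AUDIT_ARCH_* values as they appear in the arch= field of seccomp records.
ARCH_NAMES = {"c000003e": "x86_64", "40000003": "i386", "c00000b7": "aarch64"}
# Only the two x86_64 numbers the bug report resolves; others fall back to
# scmp_sys_resolver when it is installed (assumption: libseccomp tools present).
SYSCALL_X86_64 = {272: "unshare", 317: "seccomp"}

# Constructed sample records in the shape of the report's dmesg/audit output.
# The seccomp lines are invented beyond what the bug quotes; the AppArmor
# lines are the three denials shown in the comment above.
SAMPLE_LOG = """\
audit: type=1326 audit(1467065345.123:41): auid=1000 uid=1000 gid=1000 ses=2 pid=2952 comm="firefox" exe="/snap/firefox/x1/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=317 compat=0 ip=0x7f1e0b3c3b19 code=0x0
audit: type=1326 audit(1467065960.456:58): auid=1000 uid=1000 gid=1000 ses=2 pid=2960 comm="firefox" exe="/snap/firefox/x1/usr/lib/firefox/firefox" sig=31 arch=c000003e syscall=272 compat=0 ip=0x7f1e0b3c3b19 code=0x0
audit: type=1400 audit(1467154757.789:73): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/proc/2952/smaps" pid=2952 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1467154792.012:80): apparmor="DENIED" operation="mknod" profile="snap.firefox.firefox" name="/dev/shm/org.chromium.S4ccxx" pid=3003 comm=57656220436F6E74656E74 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1467155060.345:91): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/proc/2952/mountinfo" pid=2972 comm=43616368653220492F4F requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
PID_DIR_RE = re.compile(r"^/proc/\d+/")


def parse_record(line):
    """Split one audit record into key=value fields.

    AppArmor hex-encodes comm/name values that contain spaces or other
    special characters (comm=5765...), so unquoted hex in those keys is
    decoded back to text; every other value is kept verbatim."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        if quoted is not None:
            fields[key] = quoted
        elif key in ("comm", "name") and HEX_RE.fullmatch(bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields


def syscall_name(number, arch="x86_64"):
    """Map a syscall number to its name: embedded table first, then the
    libseccomp resolver the reporter used, if present on the system."""
    if arch == "x86_64" and number in SYSCALL_X86_64:
        return SYSCALL_X86_64[number]
    if shutil.which("scmp_sys_resolver"):
        proc = subprocess.run(["scmp_sys_resolver", "-a", arch, str(number)],
                              capture_output=True, text=True, check=False)
        name = proc.stdout.strip()
        if name and name != "UNKNOWN":
            return name
    return f"syscall_{number}"


def apparmor_hint(fields):
    """Candidate AppArmor rule for one DENIED record.

    Per-pid paths are generalised to @{PROC}/@{pid}/ as snappy-debug's
    suggestions do. Heuristic: 'c' (create) and 'd' (delete) in denied_mask
    need 'w' in a rule; other mask letters map to themselves. 'owner' is
    added when the accessing and owning uids match, as in the report."""
    path = PID_DIR_RE.sub("@{PROC}/@{pid}/", fields["name"])
    perms = "".join(sorted({"w" if c in "cd" else c for c in fields["denied_mask"]}))
    owner = "owner " if fields.get("fsuid") == fields.get("ouid") else ""
    return f"{owner}{path} {perms},"


def summarize(log_text):
    """Return (syscall names to add to the seccomp profile, candidate
    AppArmor rules), each deduplicated in first-seen order."""
    syscalls, rules = [], []
    for line in log_text.splitlines():
        f = parse_record(line)
        if f.get("type") == "1326" and "syscall" in f:
            arch = ARCH_NAMES.get(f.get("arch", ""), "x86_64")
            name = syscall_name(int(f["syscall"]), arch)
            if name not in syscalls:
                syscalls.append(name)
        elif f.get("type") == "1400" and f.get("apparmor") == "DENIED" and "name" in f:
            rule = apparmor_hint(f)
            if rule not in rules:
                rules.append(rule)
    return syscalls, rules


if __name__ == "__main__":
    seccomp_adds, apparmor_rules = summarize(SAMPLE_LOG)
    print("add to the snap's seccomp profile:", *seccomp_adds, sep="\n  ")
    print("AppArmor rules to test:", *apparmor_rules, sep="\n  ")
```

Run it against `journalctl -k` or `dmesg` output instead of SAMPLE_LOG to get the same two lists for a real session. The AppArmor lines it emits are only candidates to test: the proper fix for a snap is an interface that grants the access rather than hand-editing the generated profile, and a 'w' rule on /dev/shm should be narrowed to the snap-specific prefix the suggestion above names.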