Apparmor blocking FF to access org.gtk.vfs.Daemon and Mount

Bug #1660287 reported by Thomas Mayer
Affects: firefox (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Taken from syslog:

Jan 30 11:12:29 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="GetConnection" mask="send" name=":1.77" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3444 peer_label="unconfined"
Jan 30 11:12:29 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="GetConnection" mask="send" name=":1.77" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3444 peer_label="unconfined"
Jan 30 11:12:29 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="GetConnection" mask="send" name=":1.262" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=17827 peer_label="unconfined"
Jan 30 11:12:29 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mount/1" interface="org.gtk.vfs.Mount" member="QueryInfo" mask="send" name=":1.77" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3444 peer_label="unconfined"
Jan 30 11:12:29 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mount/1" interface="org.gtk.vfs.Mount" member="Enumerate" mask="send" name=":1.77" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3444 peer_label="unconfined"
Jan 30 11:12:29 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mount/1" interface="org.gtk.vfs.Mount" member="Enumerate" mask="send" name=":1.262" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=17827 peer_label="unconfined"
Jan 30 11:12:29 lat61 gnome-session[3140]: (firefox:18514): Gtk-WARNING **: Failed to fetch network locations: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.501" (uid=1000 pid=18514 comm="/usr/lib/firefox/firefox ") interface="org.gtk.vfs.Mount" member="Enumerate" error name="(unset)" requested_reply="0" destination=":1.262" (uid=1000 pid=17827 comm="/usr/lib/gvfs/gvfsd-network --spawner :1.8 /org/gt")
Jan 30 11:12:34 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="GetConnection" mask="send" name=":1.77" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3444 peer_label="unconfined"
Jan 30 11:12:34 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mount/1" interface="org.gtk.vfs.Mount" member="QueryInfo" mask="send" name=":1.77" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3444 peer_label="unconfined"

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: firefox 51.0.1+build2-0ubuntu0.16.04.1
ProcVersionSignature: Ubuntu 4.4.0-59.80-generic 4.4.35
Uname: Linux 4.4.0-59-generic x86_64
AddonCompatCheckDisabled: False
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
BuildID: 20170125172221
Channel: Unavailable
CurrentDesktop: GNOME-Flashback:Unity
Date: Mon Jan 30 11:23:58 2017
Extensions: extensions.sqlite corrupt or missing
ForcedLayersAccel: False
IncompatibleExtensions: Unavailable (corrupt or non-existant compatibility.ini or extensions.sqlite)
InstallationDate: Installed on 2014-11-29 (793 days ago)
InstallationMedia: Ubuntu 14.04.1 LTS "Trusty Tahr" - Release amd64 (20140722.2)
Locales: extensions.sqlite corrupt or missing
PrefSources: prefs.js
Profiles: Profile0 (Default) - LastVersion=51.0.1/20170125172221 (In use)
RunningIncompatibleAddons: False
SourcePackage: firefox
Themes: extensions.sqlite corrupt or missing
UpgradeStatus: Upgraded to xenial on 2016-06-15 (228 days ago)

Thomas Mayer (thomas303) wrote :

This issue can be mitigated by adding the following lines to FF's apparmor profile:

  dbus (send)
       bus=session
       interface=org.gtk.vfs.Daemon,
  dbus (send)
       bus=session
       interface=org.gtk.vfs.Mount,

I've uploaded a patch named VERSION 5 at https://bugs.launchpad.net/bugs/1659988 which contains these lines.

Thomas Mayer (thomas303) wrote :

There's more:

  dbus (send)
       bus=session
       interface=org.gnome.GConf.Database,
  dbus (send)
       bus=session
       interface=org.gtk.Private.RemoteVolumeMonitor,
  dbus (send)
       bus=session
       interface=org.freedesktop.DBus,
  dbus (receive, send)
       bus=session
       interface=ca.desrt.dconf.Writer,

mitigate syslog entries which occur when I click the file upload dialog at https://uploadfiles.io/:

Jan 30 11:24:31 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gnome/GConf/Database/0" interface="org.gnome.GConf.Database" member="LookupExtended" mask="send" name="org.gnome.GConf" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3192 peer_label="unconfined" info="No such file or directory"

Jan 30 11:55:55 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/Private/RemoteVolumeMonitor" interface="org.gtk.Private.RemoteVolumeMonitor" member="IsSupported" mask="send" name=":1.38" pid=25377 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3226 peer_label="unconfined"

Jan 30 12:08:15 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="StartServiceByName" mask="send" name="org.freedesktop.DBus" pid=25377 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_label="unconfined" info="No such file or directory"

ca.desrt.dconf.Writer receive:
Jan 30 12:14:29 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Notify" name=":1.30" mask="receive" pid=25377 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3201 peer_label="unconfined"

ca.desrt.dconf.Writer send:
Jan 30 11:12:36 lat61 gnome-session[3140]: (firefox:18514): dconf-WARNING **: failed to commit changes to dconf: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.501" (uid=1000 pid=18514 comm="/usr/lib/firefox/firefox ") interface="ca.desrt.dconf.Writer" member="Change" error name="(unset)" requested_reply="0" destination="ca.desrt.dconf" (uid=1000 pid=3201 comm="/usr/lib/dconf/dconf-service ")

Will be part of VERSION 6 of the patch at https://bugs.launchpad.net/bugs/1659988

Thomas Mayer (thomas303) wrote :

ca.desrt.dconf.Writer also needs receive:

Jan 30 13:32:08 lat61 dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Change" name=":1.578" mask="receive" pid=3201 label="unconfined" peer_pid=7811 peer_label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_info="No such file or directory"

Thomas Mayer (thomas303) wrote :

I've uploaded a patch named VERSION 6 at https://bugs.launchpad.net/bugs/1659988 which contains all changes I suggested in this ticket so far.
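
Added example, not part of the bug report or of the Ubuntu Firefox profile: a small parser that turns `apparmor="DENIED"` D-Bus lines like the ones quoted in this thread into candidate `dbus` rules that pin path, interface, member and peer label, so each denial can be reviewed as its own least-privilege grant. The function names, the sample log (constructed, modelled on the excerpts above) and the choice to glob a trailing numeric path component are assumptions of this example.

```python
import re
from collections import defaultdict

PROFILE = "/usr/lib/firefox/firefox{,*[^s][^h]}"  # profile label as logged in this report

# Constructed sample modelled on the syslog excerpts above (not a verbatim capture).
SAMPLE_LOG = '''\
Jan 30 11:12:29 host dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mount/1" interface="org.gtk.vfs.Mount" member="QueryInfo" mask="send" name=":1.77" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3444 peer_label="unconfined"
Jan 30 11:12:29 host dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mount/1" interface="org.gtk.vfs.Mount" member="Enumerate" mask="send" name=":1.77" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3444 peer_label="unconfined"
Jan 30 11:12:29 host dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/mount/1" interface="org.gtk.vfs.Mount" member="Enumerate" mask="send" name=":1.262" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=17827 peer_label="unconfined"
Jan 30 11:12:34 host dbus[3005]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/gtk/vfs/Daemon" interface="org.gtk.vfs.Daemon" member="GetConnection" mask="send" name=":1.77" pid=18514 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3444 peer_label="unconfined"
Jan 30 12:14:29 host dbus[3005]: apparmor="DENIED" operation="dbus_signal" bus="session" path="/ca/desrt/dconf/Writer/user" interface="ca.desrt.dconf.Writer" member="Notify" name=":1.30" mask="receive" pid=25377 label="/usr/lib/firefox/firefox{,*[^s][^h]}" peer_pid=3201 peer_label="unconfined"
Jan 30 11:12:29 host gnome-session[3140]: (firefox:18514): Gtk-WARNING **: Failed to fetch network locations: type="method_call", sender=":1.501" interface="org.gtk.vfs.Mount" member="Enumerate"
'''

def parse_denials(log, profile=PROFILE):
    """Yield key/value dicts for D-Bus denials logged against `profile`."""
    for line in log.splitlines():
        fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
        # Application warnings repeat interface/member but carry no apparmor= key.
        if (fields.get("apparmor") == "DENIED"
                and fields.get("operation", "").startswith("dbus_")
                and fields.get("label") == profile):
            yield fields

def suggest_rules(log, profile=PROFILE):
    """Return sorted candidate rules, one per (mask, bus, path, interface, peer)."""
    members = defaultdict(set)
    for f in parse_denials(log, profile):
        # Assumption of this example: mount/1, mount/2, ... are one object family.
        path = re.sub(r"/\d+$", "/[0-9]*", f["path"])
        key = (f["mask"], f["bus"], path, f["interface"], f.get("peer_label", ""))
        members[key].add(f["member"])
    rules = []
    for (mask, bus, path, iface, peer), names in sorted(members.items()):
        names = sorted(names)
        member = names[0] if len(names) == 1 else "{" + ",".join(names) + "}"
        rule = f"dbus ({mask}) bus={bus} path={path} interface={iface} member={member}"
        if peer:
            rule += f" peer=(label={peer})"
        rules.append(rule + ",")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG)))
```

Each emitted line is a candidate for review, not a finished policy: decide per member whether the confined browser should be allowed that call before adding it to the profile.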
