Ubuntu
firefox package

  1. Bug #2046844
  2. Comment #11

Comment 11 for bug 2046844

Revision history for this message
Aaron Rainbolt (arraybolt3) wrote (last edit ):

I can't seem to get the xattr solution to work. I'm trying it on a normal binary and it's failing like so:

# Contents of /etc/apparmor.d/falkon
abi <abi/4.0>,
include <tunables/global>

profile falkon xattrs=(security.apparmor=falkon) flags=(unconfined) {
  userns,
  include if exists <local/falkon>
}

# setfattr command
user@user-standardpc:/usr/bin$ sudo setfattr -n security.apparmor -v falkon /usr/bin/falkon

# make sure the attribute is set
user@user-standardpc:/usr/bin$ getfattr -n security.apparmor /usr/bin/falkon
getfattr: Removing leading '/' from absolute path names
# file: usr/bin/falkon
security.apparmor="falkon"

# attempt to launch
user@user-standardpc:/usr/bin$ /usr/bin/falkon
[3967:3967:1220/095728.818079:FATAL:credentials.cc(125)] Check failed: . : Permission denied (13)
Trace/breakpoint trap (core dumped)

#checking the logs
user@user-standardpc:/usr/bin$ journalctl -n100
...
Dec 20 09:57:28 user-standardpc kernel: audit: type=1400 audit(1703084248.814:826): apparmor="DENIED" operation="userns_create" class="namespace" info="User namespace creation restricted" error=-13 profile="unconfined" pid=3967 comm="falkon" requested="userns_create" denied="userns_create"
Dec 20 09:57:37 user-standardpc kernel: traps: falkon[3967] trap int3 ip:7f3ae85d7b13 sp:7ffe61e8b700 error:0 in libQt5WebEngineCore.so.5.15.15[7f3ae63b4000+6931000]
...

The solution that involves spelling out the absolute path to the file does work.