Closed Bug 1899025 Opened 1 year ago Closed 11 months ago

Apparmor Notify showing Firefox Attempting to Access Critical System Files in /etc

Categories

(Firefox Build System :: Third Party Packaging, defect)

defect

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: jg1023.private, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: QA-not-reproducible)

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0

Steps to reproduce:

After opening Snap Firefox-ESR Version 115.11.0esr (64-bit), I was alerted by the system apparmor-notify, then ran the following on the cli console:

cat /var/log/kern.log |grep apparmor

Actual results:

# cat /var/log/kern.log |grep apparmor
2024-05-26T06:53:18.762970-04:00 media-server-01 kernel: [131569.947809] audit: type=1400 audit(1716720798.758:59): apparmor="DENIED" operation="capable" profile="/snap/snapd/21761/usr/lib/snapd/snap-confine" pid=7272 comm="snap-confine" capability=12  capname="net_admin"
2024-05-26T06:53:18.762973-04:00 media-server-01 kernel: [131569.948535] audit: type=1400 audit(1716720798.758:60): apparmor="DENIED" operation="capable" profile="/snap/snapd/21761/usr/lib/snapd/snap-confine" pid=7272 comm="snap-confine" capability=38  capname="perfmon"
2024-05-26T06:53:19.394916-04:00 media-server-01 kernel: [131570.583194] audit: type=1400 audit(1716720799.390:61): apparmor="DENIED" operation="open" profile="snap-update-ns.firefox" name="/usr/local/share/" pid=7298 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2024-05-26T06:53:22.155140-04:00 media-server-01 kernel: [131573.343099] audit: type=1400 audit(1716720802.150:62): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/edu1023/snap/firefox/common/.mozilla/firefox/k2rlaebe.default-esr/user.js" pid=7272 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2024-05-26T06:53:26.922933-04:00 media-server-01 kernel: [131578.109024] audit: type=1400 audit(1716720806.918:63): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/edu1023/snap/firefox/common/.mozilla/firefox/k2rlaebe.default-esr/pkcs11.txt" pid=7272 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2024-05-26T06:53:26.922978-04:00 media-server-01 kernel: [131578.109563] audit: type=1400 audit(1716720806.918:64): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/edu1023/snap/firefox/common/.mozilla/firefox/k2rlaebe.default-esr/pkcs11.txt" pid=7272 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2024-05-26T07:29:52.267035-04:00 media-server-01 kernel: [133763.475686] audit: type=1400 audit(1716722992.261:65): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=7272 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Expected results:

Firefox should not be attempting access to critical system files.

The Bugbug bot thinks this bug should belong to the 'Core::Audio/Video: Playback' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Audio/Video: Playback
Product: Firefox → Core
Version: other → unspecified

That is the wrong component

maybe update your bugbot to use a GPT AI?

Why does the mouse-over on the bugbot show an email that cannot be emailed to?

Comment on attachment 9404006 [details]
Screenshot when I tried to email the listed bugbot email on the bug report

I was emailing the bugbot to ask why it was assigned to audio video when the bug report clearly shows it's a security issue.

what is mozilla.tld ???

Component: Audio/Video: Playback → General
Product: Core → Firefox

Hello! Thank you for submitting this issue. I have tried to reproduce the issue on my end, but unfortunately I wasn't able to with Firefox 128.0a1 (2024-06-04) on Ubuntu 22.04.
Could you please answer the following questions in order to further investigate this issue?

  1. Does this issue happen with a new profile? Here is a link on how to create one: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
  2. Does this issue happen in the latest nightly? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/
  3. Do you have any addons installed? If yes could you please list them?
Flags: needinfo?(jg1023.private)

:lissyx, would you mind directing this report to the right people / helping triage this further? Fx::General doesn't really have expertise for this type of issue.

Component: General → Security: Process Sandboxing
Flags: needinfo?(lissyx+mozillians)
Product: Firefox → Core

It's even likely an upstream issue? /etc/fstab, I don't think we have anything in our code that accesses it.

Flags: needinfo?(lissyx+mozillians)
Component: Security: Process Sandboxing → Third Party Packaging
Product: Core → Firefox Build System

Amin, are you aware of anything around snap that may trigger access to /etc/fstab ? We have no code doing so.

Flags: needinfo?(bandali)

(In reply to Negritas Sergiu, Desktop QA from comment #7)

Hello! Thank you for submitting this issue. I have tried to reproduce the issue on my end, but unfortunately I wasn't able to with Firefox 128.0a1 (2024-06-04) on Ubuntu 22.04.
Could you please answer the following questions in order to further investigate this issue?

  1. Does this issue happen with a new profile? Here is a link on how to create one: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
  2. Does this issue happen in the latest nightly? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/
  3. Do you have any addons installed? If yes could you please list them?

The reporter mentioned ESR 115 and not Nightly 128, can you verify against the correct version?

Flags: needinfo?(snegritas)

I see User Agent: Mozilla/5.0 (X11; Linux aarch64; rv:109.0) Gecko/20100101 Firefox/115.0. Are you reproducing the issue on an aarch64 build as well? Or is it just your system for accessing Bugzilla that is aarch64?

Could you share about:support of the build reproducing the issue?

The pkcs11.txt and user.js AVC denials were because those files were owned by the admin root user but allowed read access to everyone else. When I changed the ownership of both of those files to the firefox user the AVC denial notifications went away.

The /etc/fstab is still an issue. Firefox should not be looking at those files.

Flags: needinfo?(jg1023.private)

(In reply to Jeffrey G. from comment #13)

The pkcs11.txt and user.js AVC denials were because those files were owned by the admin root user but allowed read access to everyone else. When I changed the ownership of both of those files to the firefox user the AVC denial notifications went away.

The /etc/fstab is still an issue. Firefox should not be looking at those files.

As I said there is no code in firefox that tries to read that.

I suspect a MITM Attack. Probably a TLA or some other high level agency. I am a theoretical physicist and I keep my browser on TLS_AES_256_GCM_SHA384 only, refusing sites that don't support it, and yet they still manage to hack my browser anyway.

TLA means Three-Letter Agency.

I guess if you have concerns about security a good first step would be to upgrade to ESR 128 now that it is available, though it's not yet the default stable on Snap, you can use sudo snap refresh --channel=esr/candidate/128 firefox to upgrade to it.

I have changed the OS to the latest Debian Bookworm kernel and snapd package. I have also updated to the latest Firefox snap: 115.13.0esr (64-bit). I don't have a lot of proof but, looking at the logs, I believe the hackers were escaping the snap container via the PipeWire sound system. I then removed PipeWire with WirePlumber and installed PulseAudio.

After installing PulseAudio there was another incident. I caught one of the hackers red-handed when I started seeing outputs from an unknown (hidden) terminal sending outputs to my screen while my browser was still open. I tried to shut down the browser via the terminal only to find myself unable to send any commands through my terminal. I had to ssh in from a different system in order to kill -9 the Firefox browser. After that all the outputs from his hidden terminal stopped. I have since removed all sound systems from my Linux install. I have not noticed any hacks after that.

today: (snap firefox 115.13):

uname -a

Linux raspberrypi 6.6.31+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.6.31-1+rpt1 (2024-05-29) aarch64 GNU/Linux

journalctl |grep apparmor |grep firefox

Jul 18 04:45:26 raspberrypi audit[107290]: AVC apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/fstab" pid=107290 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 18 04:53:38 raspberrypi audit[490786]: AVC apparmor="ALLOWED" operation="open" class="file" profile="libreoffice-soffice" name="/home/jg1023/.mozilla/firefox/uv1m6bz5.default-release/cert9.db" pid=490786 comm="soffice.bin" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
Jul 18 04:53:38 raspberrypi audit[490786]: AVC apparmor="ALLOWED" operation="file_lock" class="file" profile="libreoffice-soffice" name="/home/jg1023/.mozilla/firefox/uv1m6bz5.default-release/cert9.db" pid=490786 comm="soffice.bin" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
Jul 18 04:53:38 raspberrypi audit[490786]: AVC apparmor="ALLOWED" operation="open" class="file" profile="libreoffice-soffice" name="/home/jg1023/.mozilla/firefox/uv1m6bz5.default-release/key4.db" pid=490786 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
Jul 18 04:53:38 raspberrypi audit[490786]: AVC apparmor="ALLOWED" operation="file_lock" class="file" profile="libreoffice-soffice" name="/home/jg1023/.mozilla/firefox/uv1m6bz5.default-release/key4.db" pid=490786 comm="soffice.bin" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000

journalctl |grep apparmor |grep firefox

Jul 19 00:02:25 raspberrypi audit[107290]: AVC apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/fstab" pid=107290 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 19 00:02:25 raspberrypi audit[107290]: AVC apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/fstab" pid=107290 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 19 00:02:25 raspberrypi audit[107290]: AVC apparmor="DENIED" operation="open" class="file" profile="snap.firefox.firefox" name="/etc/fstab" pid=107290 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

This is on a new install with the latest Debian patches / packages.
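A small triage helper for the AVC lines in this thread, added here as an example and not part of the bug report, of Firefox or of snapd: it parses both line shapes seen above (the kern.log `audit: type=1400 ...` form and the journalctl `audit[pid]: AVC ...` form) and separates the root-owned profile-file denials (ouid=0 while fsuid=1000, the user.js/pkcs11.txt case) from reads outside the home directory such as /etc/fstab. The sample lines and the home prefix are copied from the report.

```python
import re
from collections import Counter

# Constructed sample built from lines quoted in this bug report: three kern.log-style
# lines and one journalctl-style line (an ALLOWED event from a complain-mode profile).
SAMPLE_LOG = """\
2024-05-26T06:53:18.762970-04:00 media-server-01 kernel: [131569.947809] audit: type=1400 audit(1716720798.758:59): apparmor="DENIED" operation="capable" profile="/snap/snapd/21761/usr/lib/snapd/snap-confine" pid=7272 comm="snap-confine" capability=12  capname="net_admin"
2024-05-26T06:53:19.394916-04:00 media-server-01 kernel: [131570.583194] audit: type=1400 audit(1716720799.390:61): apparmor="DENIED" operation="open" profile="snap-update-ns.firefox" name="/usr/local/share/" pid=7298 comm="5" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
2024-05-26T06:53:22.155140-04:00 media-server-01 kernel: [131573.343099] audit: type=1400 audit(1716720802.150:62): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/home/edu1023/snap/firefox/common/.mozilla/firefox/k2rlaebe.default-esr/user.js" pid=7272 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
2024-05-26T07:29:52.267035-04:00 media-server-01 kernel: [133763.475686] audit: type=1400 audit(1716722992.261:65): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=7272 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jul 18 04:53:38 raspberrypi audit[490786]: AVC apparmor="ALLOWED" operation="open" class="file" profile="libreoffice-soffice" name="/home/jg1023/.mozilla/firefox/uv1m6bz5.default-release/cert9.db" pid=490786 comm="soffice.bin" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
"""

# key=value fields: the value is either double-quoted or a bare token (pid=7272, capability=12).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Return the fields of one AppArmor audit line as a dict, or None if it is not one."""
    if 'apparmor="' not in line:
        return None
    return {k: (q if q else b) for k, q, b in KV_RE.findall(line)}


def summarize(log_text):
    """Count events by (decision, profile, operation, target path or capability name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            target = rec.get("name") or rec.get("capname", "?")
            counts[(rec["apparmor"], rec["profile"], rec["operation"], target)] += 1
    return counts


def triage(log_text, home="/home/edu1023"):
    """Split DENIED file opens into (owner_mismatch, outside_home).

    owner_mismatch: files under the home directory whose owner uid differs from the
    acting uid, the root-owned profile files this report explains away; outside_home:
    (profile, path) reads elsewhere on the system, e.g. /etc/fstab, which still need a
    caller backtrace (gdb, as suggested later in the thread) to attribute."""
    owner_mismatch, outside_home = [], []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or rec["apparmor"] != "DENIED" or rec["operation"] != "open":
            continue
        path = rec["name"]
        if not path.startswith(home):
            outside_home.append((rec["profile"], path))
        elif rec.get("ouid") != rec.get("fsuid"):
            owner_mismatch.append((path, rec["ouid"], rec["fsuid"]))
    return owner_mismatch, outside_home
```

Feed it `journalctl -k` or `/var/log/kern.log` output instead of `SAMPLE_LOG` to get the same two buckets for a live system.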

You just report that something within the Firefox process on your aarch64 Snap build is trying to read /etc/fstab. Please note I don't know the level of support of Snap on Debian, especially on that platform. I reverified latest Ubuntu 24.04 with ESR on Pi4 and there's no such access. Either it's a bug in Debian / snap integration or related to the rpi4 build (Debian or Raspbian?), or it's an extension. Either way, not something in our code.

Did you notice they targeted the cert9.db and the key4.db files? Why is that?

I am using Debian Bookworm on a raspberry pi 4B with 8gb ram.

They also used LibreOffice to read files (cert9.db and key4.db) on the profile. They can only do this while the browser is open. But it could be a snap container issue as well.

I am using the pkcs11.txt file because the MITM attack is forcing a TLS downgrade on all the websites I visit. They are overriding my settings in about:config, so the only way I could stop them was to implement enterprise system cryptographic policies using the NSS tools and pkcs11.txt files with a user.js file.

(In reply to Jeffrey G. from comment #23)

Did you notice they targeted the cert9.db and the key4.db files? Why is that?

From debian mailing lists and libreoffice docs, it looks to be expected: https://linux.debian.bugs.dist.narkive.com/1ivnno4h/bug-975951-libreoffice-tries-to-access-files-of-firefox-profiles-apparmor this is used by LibreOffice's Digital Signature.

Should I consult the offline llama3 opensource LLM on how to harden my firefox profile? Is it safe to harden those files? I may reinstall my system to harden it some more. Before I do that is there anything you need from me to investigate this further?

Flags: needinfo?(lissyx+mozillians)

Wow! LibreOffice using information from a browser profile for cryptographic signatures? Why haven't I seen this error message before, especially as long as I have had LibreOffice? Why now?

(In reply to Jeffrey G. from comment #29)

Wow! LibreOffice using information from a browser profile for cryptographic signatures? Why haven't I seen this error message before, especially as long as I have had LibreOffice? Why now?

For sure this has been here for a long time, and it's not really surprising: Firefox comes with its own root certificate database, so other software has a good incentive to make use of it.

(In reply to Jeffrey G. from comment #28)

Should I consult the offline llama3 opensource LLM on how to harden my firefox profile? Is it safe to harden those files? I may reinstall my system to harden it some more. Before I do that is there anything you need from me to investigate this further?

Well, if you trust an LLM that will generate plausible text more than myself, be my guest. At some point, you should just run it under gdb and backtrace the caller; this way you will know for sure what is triggering this access.

Flags: needinfo?(lissyx+mozillians)

Of course I would prefer you. That sounds like a great idea! I will postpone my reinstall and see if we can catch these people.

We may even uncover a zero-day.

Using the GNU Debugger on a live MITM attack should expose how they are getting into the system. I am not very familiar with gdb, but what breakpoints, if any, do I use?

Hello! I have tried to reproduce this issue with Firefox 115.13.0 ESR on Ubuntu 22.04, but without any luck on my end. I will add the QA-not-reproducible tag for this issue.

Have a nice day!

Flags: needinfo?(snegritas)
Whiteboard: QA-not-reproducible

Unable to repro and no other report, this is likely a system-specific issue. Please reopen with more info if this is still happening.

Status: UNCONFIRMED → RESOLVED
Closed: 11 months ago
Resolution: --- → INVALID
Flags: needinfo?(bandali)
