Closed Bug 1956549 Opened 6 months ago Closed 6 months ago

apparmor warnings oom_score_adj

Categories

(Firefox Build System :: Third Party Packaging, defect)

Firefox 136
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1918003

People

(Reporter: matkoniecz, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0

Steps to reproduce:

I installed firefox via sudo add-apt-repository ppa:mozillateam/ppa on Ubuntu 2404

I used firefox a bit and ran sudo dmesg

Actual results:

dmesg is filled with [ 9149.120185] audit: type=1400 audit(1741179598.366:5202): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/12151/oom_score_adj" pid=6192 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000 and similar

Expected results:

no apparmor violation

Note: I am unsure where a bug in that Firefox version should be reported.

I tried https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/2100945 already

The Bugbug bot thinks this bug should belong to the 'Core::Widget: Gtk' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Widget: Gtk
Product: Firefox → Core
Blocks: snap
Priority: -- → P3

(In reply to Mateusz Konieczny from comment #0)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0

Steps to reproduce:

I installed firefox via sudo add-apt-repository ppa:mozillateam/ppa on Ubuntu 2404

I used firefox a bit and ran sudo dmesg

Actual results:

dmesg is filled with [ 9149.120185] audit: type=1400 audit(1741179598.366:5202): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/12151/oom_score_adj" pid=6192 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000 and similar

Expected results:

no apparmor violation

This is neither the Mozilla package nor the snap.

Nathan, do you know who works on that PPA?

No longer blocks: snap
Component: Widget: Gtk → Third Party Packaging
Flags: needinfo?(nathan.teodosio)
Product: Core → Firefox Build System

The product::component has been changed since the backlog priority was decided, so we're resetting it.
For more information, please visit BugBot documentation.

Priority: P3 → --

I just saw the upstream issue

Flags: needinfo?(nathan.teodosio)

Isn't this an AppArmor rule issue?

Flags: needinfo?(seb128)
Flags: needinfo?(nathan.teodosio)

I have seen cases where there was an upgrade issue around AppArmor profiles. You may want to check that everything in /etc/apparmor.d regarding Firefox is OK; I remember we had to hack to remove one file like usr.bin.firefox that was a leftover of older versions.

Flags: needinfo?(matkoniecz)

I suppose this is SetProcessPriority failing.

AppArmor allows altering the OOM score for Tor Browser:

% find /etc/apparmor* -type f -exec grep -Is oom {} +
/etc/apparmor.d/torbrowser.Browser.firefox:  owner @{PROC}/@{pid}/oom_score_adj rw,
/etc/apparmor.d/abstractions/lightdm_chromium-browser:    owner @{PROC}/[0-9]*/oom_{,score_}adj w,
/etc/apparmor.d/usr.sbin.cupsd:  /etc/foomatic/* r,

so there is no reason for it not to allow Firefox itself too.

Flags: needinfo?(nathan.teodosio)

Even for the snap,

--> /var/lib/snapd/apparmor/profiles/snap.firefox.firefox <--
owner @{PROC}/@{pid}/oom_score_adj rw,

The allowance in Firefox' profile made it into AppArmor 4.0.0: https://gitlab.com/apparmor/apparmor/-/commit/271f0e2366dd306c63e21aaf7dac5f9fadfbba59. And Ubuntu 24.04 should indeed have versions more recent than that, so can you confirm that with dpkg -l apparmor?

dpkg -l apparmor gives me

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version                           Architecture Description
+++-==============-=================================-============-======================================
ii  apparmor       4.0.1really4.0.1-0ubuntu0.24.04.3 amd64        user-space parser utility for AppArmor

Is there a way to reload the Firefox AppArmor config file?

Maybe I should replace the contents of /etc/apparmor.d/usr.bin.firefox with the contents of ./profiles/apparmor/profiles/extras/firefox, which I can obtain by downloading the source code release?

Maybe https://gitlab.com/apparmor/apparmor/-/commit/271f0e2366dd306c63e21aaf7dac5f9fadfbba59 was made before 4.0.1 was released but 4.0.1 does not include it?

Flags: needinfo?(matkoniecz)

(In reply to Mateusz Konieczny from comment #12)

dpkg -l apparmor gives me

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version                           Architecture Description
+++-==============-=================================-============-======================================
ii  apparmor       4.0.1really4.0.1-0ubuntu0.24.04.3 amd64        user-space parser utility for AppArmor

Is there a way to reload the Firefox AppArmor config file?

Maybe I should replace the contents of /etc/apparmor.d/usr.bin.firefox with the contents of ./profiles/apparmor/profiles/extras/firefox, which I can obtain by downloading the source code release?

Maybe https://gitlab.com/apparmor/apparmor/-/commit/271f0e2366dd306c63e21aaf7dac5f9fadfbba59 was made before 4.0.1 was released but 4.0.1 does not include it?

No, you need to inspect which AppArmor profiles in /etc/apparmor.d relate to Firefox. You should only have /etc/apparmor.d/firefox; the fact that you have that usr.bin.firefox suggests you are also a victim of the migration bug we fixed in the deb package produced by Mozilla. Unfortunately, we cannot fix other packages.

Move /etc/apparmor.d/usr.bin.firefox aside (to keep a backup) and restart AppArmor, or reboot to make sure.
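
The inspection suggested in the comment above can be scripted. This is an added example, not part of the original thread or of any Mozilla or AppArmor tooling: it parses the DENIED record from the report and lists every file in a profile directory that declares the denied profile. The function names, the simplified header pattern (top-level declarations only) and the two profile files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample: the audit record quoted in the report above.
SAMPLE_DENIAL = (
    '[ 9149.120185] audit: type=1400 audit(1741179598.366:5202): '
    'apparmor="DENIED" operation="open" class="file" profile="firefox" '
    'name="/proc/12151/oom_score_adj" pid=6192 comm="firefox" '
    'requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000')

# Top-level declarations only: "profile NAME [attachment] {" or "/path {".
HEADER = re.compile(r'^(?:profile\s+(\S+)|(/\S+)).*\{\s*$', re.M)
# A rule on oom_score_adj whose permission string includes "w".
OOM_WRITE = re.compile(r'oom_score_adj\s+[a-z]*w[a-z]*,')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    return {key: quoted or bare for key, quoted, bare in pairs}

def profile_sources(profile_dir, name):
    """Map each file declaring profile `name` to whether it allows the write."""
    found = {}
    for path in sorted(Path(profile_dir).iterdir()):
        if not path.is_file():
            continue
        text = path.read_text(errors='replace')
        names = {a or b for a, b in HEADER.findall(text)}
        if name in names:
            found[path.name] = bool(OOM_WRITE.search(text))
    return found

def build_sample_dir():
    """Constructed profile directory: a current file plus a stale leftover."""
    d = Path(tempfile.mkdtemp())
    (d / 'firefox').write_text(
        'profile firefox /usr/lib/firefox/firefox {\n'
        '  owner @{PROC}/@{pid}/oom_score_adj rw,\n}\n')
    (d / 'usr.bin.firefox').write_text(
        'profile firefox /usr/lib/firefox/firefox {\n'
        '  /usr/lib/firefox/** r,\n}\n')
    return d

if __name__ == '__main__':
    rec = parse_denial(SAMPLE_DENIAL)
    hits = profile_sources(build_sample_dir(), rec['profile'])
    print(rec['profile'], rec['name'], rec['denied_mask'], hits)
    if len(hits) > 1:
        print('more than one file declares this profile; check for a leftover')
```

On a real system, pass /etc/apparmor.d to profile_sources instead of the constructed directory; more than one hit for the same profile name is the condition described in the comment above.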

Getting rid of /etc/apparmor.d/usr.bin.firefox fixed the problem.

Not sure whether it should be closed as invalid, or whether not warning about /etc/apparmor.d/usr.bin.firefox is the problem.

Maybe it could be mentioned at https://support.mozilla.org/en-US/kb/send-plugin-crash-reports-help-improve-firefox, linked when /etc/apparmor.d/usr.bin.firefox caused the video plugin to crash?

(In reply to Mateusz Konieczny from comment #16)

Not sure whether it should be closed as invalid, or whether not warning about /etc/apparmor.d/usr.bin.firefox is the problem.

Maybe it could be mentioned at https://support.mozilla.org/en-US/kb/send-plugin-crash-reports-help-improve-firefox, linked when /etc/apparmor.d/usr.bin.firefox caused the video plugin to crash?

Unfortunately, it should be fixed by the packagers of the PPA. The problem can be multi-faceted and it's a third party packaging bug. Can you file a bug against the PPA and link it here?

Status: UNCONFIRMED → RESOLVED
Closed: 6 months ago
Duplicate of bug: 1918003
Resolution: --- → DUPLICATE

The problem can be multi-faceted and it's a third party packaging bug. Can you file a bug against the PPA and link it here?

I have not found a place to report bugs in that PPA.

See also https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/2100945

Flags: needinfo?(seb128)