The AppArmor profile for Firefox is too restrictive and does not allow certain operations. This can result in denial messages like the following in the kernel log:
kernel: audit: type=1400 audit(1735660893.908:4139): apparmor="DENIED" operation="file_mmap" class="file" profile="firefox" name="/opt/amdgpu/lib/x86_64-linux-gnu/libdrm_radeon.so.1.123.0" pid=53603 comm="glxtest" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1735660614.942:4117): apparmor="DENIED" operation="file_mmap" class="file" profile="firefox" name="/opt/amdgpu/lib/x86_64-linux-gnu/libdrm.so.2.123.0" pid=51946 comm=5244442050726F63657373 requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1735660318.232:4073): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/cpu.max" pid=49380 comm=57656220436F6E74656E74 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
To resolve this issue, you can take the following steps:
- Check the AppArmor Status: First, check if AppArmor is running and enforcing profiles.
sudo systemctl status apparmor
- View the Current AppArmor Profile for Firefox: You can view the current AppArmor profile for Firefox to see what permissions are being denied.
sudo cat /etc/apparmor.d/usr.bin.firefox
- Modify the AppArmor Profile: If you determine that the profile is too restrictive, you can modify it. Open the profile in a text editor:
sudo nano /etc/apparmor.d/usr.bin.firefox
Add the following lines to allow the denied file accesses and the D-Bus method call:
owner @{HOME}/.{firefox,mozilla}/**/libwidevinecdm.so m,
owner @{HOME}/.{firefox,mozilla}/**/gmp-gmpopenh264/*/lib*so m,
owner @{HOME}/.{firefox,mozilla}/**/gmp-widevinecdm/*/lib*so m,
/opt/amdgpu/lib/x86_64-linux-gnu/libdrm.so.2.123.0 rm,
/opt/amdgpu/lib/x86_64-linux-gnu/** rm,
/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/cpu.max r,
dbus (send, receive) bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll,
# https://askubuntu.com/questions/1450727/excessive-firefox-related-apparmor-log-entries
# allow firefox to adjust its out of memory killer score
@{PROC}/[0-9]*/oom_score_adj rw,
# allow firefox to retrieve information about its own cgroups
@{PROC}/[0-9]*/cgroup r,
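Make sure to adjust the paths and permissions according to your needs. The cgroup rule above names user-1000 and session-2 exactly as they appear in the denial message, so it only matches that UID and that login session, and the /opt/amdgpu/lib/x86_64-linux-gnu/** rule already covers the single libdrm.so.2.123.0 line before it.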
- Reload the AppArmor Profile: After making changes, reload the AppArmor profiles to apply the changes.
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox
- Test the Changes: Restart Firefox and check if the issue persists. You can also monitor the logs to see if the denial messages continue.
sudo journalctl -f
- Consider Setting to Complain Mode: If you want to troubleshoot further without enforcing the profile, you can set the profile to complain mode, which will log denials but not enforce them.
sudo aa-complain /usr/bin/firefox
- Revert Changes if Necessary: If the changes do not resolve the issue or cause other problems, you can revert the profile to its original state.
Remember to be cautious when modifying AppArmor profiles, as overly permissive settings can expose your system to security risks.
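The denial messages at the top of this page can be turned into candidate rules mechanically instead of by eye. The Python script below is an added example, not part of the original page or of AppArmor's own tooling, and its function names are hypothetical. It parses apparmor="DENIED" lines, decodes the hex-encoded comm values, and emits one exact-path rule per denied file for review.

```python
import re

# Sample input: the three denial lines quoted at the top of this page.
SAMPLE = '''\
kernel: audit: type=1400 audit(1735660893.908:4139): apparmor="DENIED" operation="file_mmap" class="file" profile="firefox" name="/opt/amdgpu/lib/x86_64-linux-gnu/libdrm_radeon.so.1.123.0" pid=53603 comm="glxtest" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1735660614.942:4117): apparmor="DENIED" operation="file_mmap" class="file" profile="firefox" name="/opt/amdgpu/lib/x86_64-linux-gnu/libdrm.so.2.123.0" pid=51946 comm=5244442050726F63657373 requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
kernel: audit: type=1400 audit(1735660318.232:4073): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/sys/fs/cgroup/user.slice/user-1000.slice/session-2.scope/cpu.max" pid=49380 comm=57656220436F6E74656E74 requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denial(line):
    """Return the key=value fields of one AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    rec = {}
    for key, val in FIELD.findall(line):
        if val.startswith('"'):
            rec[key] = val.strip('"')
        elif key in ("comm", "name") and re.fullmatch(r"(?:[0-9A-F]{2})+", val):
            # audit writes these fields unquoted and hex-encoded when they
            # contain spaces or other special bytes
            rec[key] = bytes.fromhex(val).decode("utf-8", "replace")
        else:
            rec[key] = val
    return rec

def candidate_rules(log_text, profile="firefox"):
    """One rule line per denied path, with the union of its denied masks."""
    masks = {}
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec and rec.get("profile") == profile and rec.get("class") == "file":
            masks.setdefault(rec["name"], set()).update(rec["denied_mask"])
    return [f"{path} {''.join(sorted(m))}," for path, m in sorted(masks.items())]

def denied_commands(log_text):
    """Decoded comm names of the processes that triggered denials."""
    recs = (parse_denial(line) for line in log_text.splitlines())
    return sorted({r["comm"] for r in recs if r})

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE)))
    print(denied_commands(SAMPLE))
```

The output grants only the denied mask on the exact path that was logged. Widen a rule to a glob, such as the /opt/amdgpu/lib/x86_64-linux-gnu/** rule above, only after checking what else it would cover.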