Apparmor problem.
Hi!
I'm trying to make a profile for firefox-esr.
I used aa-genprof to create it and then aa-logprof to update it.
I also use apparmor-notify to get error messages.
The problem is that I get constant apparmor messages like the
following:
Apparmor Message
Profile /usr/lib/firefox-esr/firefox-esr
Operation: file_lock
Name: /home/gpred/.mozilla/firefox/8i0h8b60.default-esr/-
webappsstore.sqlite
Denied: wk
Logfile: /var/log/kern.log
I run aa-logprof but it doesn't seem to detect the denied command. It
doesn't show me the option to allow it, deny it, etc. I also tried to
clear the kern.log and syslog files but after a while I have the same
problem.
Any ideas?
My firefox profile
# Last Modified: Sat Apr 9 12:18:47 2022
#include <tunables/global>
# AppArmor profile for the firefox-esr binary, generated with aa-genprof and
# extended with aa-logprof.
# flags=(complain): accesses outside the rules below are logged, not blocked.
# Nothing here is enforced until the profile is switched to enforce mode
# (aa-enforce), so review the rule set before doing that.
/usr/lib/firefox-esr/firefox-esr flags=(complain) {
# Each abstraction pulls in its whole rule set.
# NOTE(review): postfix-common, evince, totem, python and ubuntu-konsole are
# not browser-specific; presumably they were accepted from aa-logprof
# suggestions. Confirm each one is needed, since every include widens what
# the browser may touch.
#include <abstractions/X>
#include <abstractions/audio>
#include <abstractions/base>
#include <abstractions/evince>
#include <abstractions/nameservice>
#include <abstractions/nvidia>
#include <abstractions/openssl>
#include <abstractions/postfix-common>
#include <abstractions/python>
#include <abstractions/totem>
#include <abstractions/ubuntu-browsers.d/ubuntu-integration>
#include <abstractions/ubuntu-konsole>
# Explicit deny: overrides any allow rule for the same paths. Deny rules are
# not logged unless prefixed with "audit".
deny /home/*/AppData/** rw,
# sys_admin is a very broad capability.
# NOTE(review): presumably logged while Firefox set up its user-namespace
# sandbox (see the uid_map/gid_map/setgroups write rules further down);
# confirm it is really required before enforcing.
capability sys_admin,
# Signals to peers named "//null-...": these are the placeholder child
# profiles that complain mode creates for exec transitions without a rule.
# NOTE(review): these peer names are presumably not meaningful once the
# profile is enforced; revisit after the exec rules are settled.
signal send set=kill peer=/usr/lib/firefox-esr/firefox-esr//null-
/usr/lib/firefox-esr/firefox-esr,
signal send set=term peer=/usr/lib/firefox-esr/firefox-esr//null-
/usr/lib/firefox-esr/firefox-esr,
signal send set=term peer=/usr/lib/firefox-esr/firefox-esr//null-
/usr/lib/firefox-esr/plugin-container,
# Read-only system configuration and kernel information.
/etc/firefox-esr/firefox-esr.js r,
/etc/mailcap r,
/etc/mime.types r,
/proc/devices r,
/proc/driver/nvidia/params r,
/proc/filesystems r,
/proc/modules r,
# PCI device attributes, recorded one literal path at a time. The bus
# addresses are specific to this machine's hardware layout.
# NOTE(review): a globbed rule would be shorter and survive hardware changes.
/sys/devices/pci0000:00/0000:00:00.0/class r,
/sys/devices/pci0000:00/0000:00:00.0/device r,
/sys/devices/pci0000:00/0000:00:00.0/vendor r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/class r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/device r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/subsystem_device r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/subsystem_vendor r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.0/vendor r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.1/class r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.1/device r,
/sys/devices/pci0000:00/0000:00:01.0/0000:02:00.1/vendor r,
/sys/devices/pci0000:00/0000:00:01.0/class r,
/sys/devices/pci0000:00/0000:00:01.0/device r,
/sys/devices/pci0000:00/0000:00:01.0/vendor r,
/sys/devices/pci0000:00/0000:00:02.0/class r,
/sys/devices/pci0000:00/0000:00:02.0/device r,
/sys/devices/pci0000:00/0000:00:02.0/vendor r,
/sys/devices/pci0000:00/0000:00:04.0/class r,
/sys/devices/pci0000:00/0000:00:04.0/device r,
/sys/devices/pci0000:00/0000:00:04.0/vendor r,
/sys/devices/pci0000:00/0000:00:08.0/class r,
/sys/devices/pci0000:00/0000:00:08.0/device r,
/sys/devices/pci0000:00/0000:00:08.0/vendor r,
/sys/devices/pci0000:00/0000:00:12.0/class r,
/sys/devices/pci0000:00/0000:00:12.0/device r,
/sys/devices/pci0000:00/0000:00:12.0/vendor r,
/sys/devices/pci0000:00/0000:00:14.0/class r,
/sys/devices/pci0000:00/0000:00:14.0/device r,
/sys/devices/pci0000:00/0000:00:14.0/vendor r,
/sys/devices/pci0000:00/0000:00:14.2/class r,
/sys/devices/pci0000:00/0000:00:14.2/device r,
/sys/devices/pci0000:00/0000:00:14.2/vendor r,
/sys/devices/pci0000:00/0000:00:15.0/class r,
/sys/devices/pci0000:00/0000:00:15.0/device r,
/sys/devices/pci0000:00/0000:00:15.0/vendor r,
/sys/devices/pci0000:00/0000:00:16.0/class r,
/sys/devices/pci0000:00/0000:00:16.0/device r,
/sys/devices/pci0000:00/0000:00:16.0/vendor r,
/sys/devices/pci0000:00/0000:00:17.0/class r,
/sys/devices/pci0000:00/0000:00:17.0/device r,
/sys/devices/pci0000:00/0000:00:17.0/vendor r,
/sys/devices/pci0000:00/0000:00:1b.0/0000:03:00.0/class r,
/sys/devices/pci0000:00/0000:00:1b.0/0000:03:00.0/device r,
/sys/devices/pci0000:00/0000:00:1b.0/0000:03:00.0/vendor r,
/sys/devices/pci0000:00/0000:00:1b.0/class r,
/sys/devices/pci0000:00/0000:00:1b.0/device r,
/sys/devices/pci0000:00/0000:00:1b.0/vendor r,
/sys/devices/pci0000:00/0000:00:1c.0/0000:04:00.0/class r,
/sys/devices/pci0000:00/0000:00:1c.0/0000:04:00.0/device r,
/sys/devices/pci0000:00/0000:00:1c.0/0000:04:00.0/vendor r,
/sys/devices/pci0000:00/0000:00:1c.0/class r,
/sys/devices/pci0000:00/0000:00:1c.0/device r,
/sys/devices/pci0000:00/0000:00:1c.0/vendor r,
/sys/devices/pci0000:00/0000:00:1f.0/class r,
/sys/devices/pci0000:00/0000:00:1f.0/device r,
/sys/devices/pci0000:00/0000:00:1f.0/vendor r,
/sys/devices/pci0000:00/0000:00:1f.3/class r,
/sys/devices/pci0000:00/0000:00:1f.3/device r,
/sys/devices/pci0000:00/0000:00:1f.3/vendor r,
/sys/devices/pci0000:00/0000:00:1f.4/class r,
/sys/devices/pci0000:00/0000:00:1f.4/device r,
/sys/devices/pci0000:00/0000:00:1f.4/vendor r,
/sys/devices/pci0000:00/0000:00:1f.5/class r,
/sys/devices/pci0000:00/0000:00:1f.5/device r,
/sys/devices/pci0000:00/0000:00:1f.5/vendor r,
/sys/devices/system/cpu/cpu0/cache/index2/size r,
/sys/devices/system/cpu/cpu0/cache/index3/size r,
/sys/devices/system/cpu/cpufreq/policy0/cpuinfo_max_freq r,
/sys/devices/system/cpu/present r,
/sys/devices/system/memory/block_size_bytes r,
# Executables. "ix" runs the child under this same profile, so helpers and
# the Python interpreter inherit every permission granted here.
# "m" allows mapping the file as executable memory.
/usr/bin/chrome-gnome-shell mrix,
/usr/bin/lsb_release mrix,
/usr/bin/python3.9 ix,
/usr/bin/python3.9 r,
/usr/lib/firefox-esr/firefox-esr mrix,
/usr/lib/firefox-esr/plugin-container mrix,
/var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache r,
/var/lib/flatpak/exports/share/icons/hicolor/index.theme r,
# Per-user files. "owner" limits a rule to files owned by the user running
# the confined process.
owner /home/*/.cache/fontconfig/* r,
# The Firefox profile directory name (8i0h8b60.default-esr) is hard-coded, so
# these two rules match only that one browser profile.
owner /home/*/.cache/mozilla/firefox/8i0h8b60.default-esr/** rw,
owner /home/*/.cache/mozilla/firefox/8i0h8b60.default-esr/.startup-
incomplete w,
# NOTE(review): literal shader-cache file names; presumably these stop
# matching when the driver regenerates its cache. Confirm.
owner
/home/*/.cache/nvidia/GLCache/4e72b67faf2c55a81064f0f669542d15/af453b2f
87001cad/f35e6a48c63c96b3.bin rwk,
owner
/home/*/.cache/nvidia/GLCache/4e72b67faf2c55a81064f0f669542d15/af453b2f
87001cad/f35e6a48c63c96b3.toc rwk,
owner /home/*/.config/dconf/user r,
owner /home/*/.config/mimeapps.list r,
owner /home/*/.config/pulse/cookie rk,
owner /home/*/.local/share/applications/mimeinfo.cache r,
# Grants read, write and lock (k) on everything the user owns under
# ~/.mozilla/firefox.
# NOTE(review): the notification quoted in the message (mask "wk") is for a
# path under this tree. If it persists, check that the profile loaded in the
# kernel matches this file (reload with apparmor_parser -r). The cause cannot
# be determined from the profile alone.
owner /home/*/.mozilla/firefox/** rwk,
owner /proc/*/cgroup r,
owner /proc/*/comm r,
# Writes to gid_map, setgroups and uid_map configure user-namespace id
# mappings.
# NOTE(review): presumably for Firefox's own sandbox; confirm.
owner /proc/*/gid_map w,
owner /proc/*/maps r,
owner /proc/*/mountinfo r,
owner /proc/*/mounts r,
owner /proc/*/setgroups w,
owner /proc/*/smaps r,
owner /proc/*/stat r,
owner /proc/*/statm r,
owner /proc/*/status r,
owner /proc/*/task/*/comm rw,
owner /proc/*/task/*/stat r,
owner /proc/*/uid_map w,
# uid 1000 is hard-coded; other users' sessions do not match this rule.
owner /run/user/1000/ICEauthority r,
# Write access inside the install directory, limited by "owner" to files the
# running user owns.
# NOTE(review): confirm the "w" is needed.
owner /usr/lib/firefox-esr/fonts/** rw,
owner /home/*/Downloads/** rw,
# Read access to every file the user owns anywhere under /home, which
# includes any keys, password stores or other secrets kept there. For a
# browser this is the broadest grant in the profile.
# NOTE(review): narrow it to the directories actually needed, or add deny
# rules for sensitive paths (the private-files-strict abstraction is intended
# for this; verify it is available on this system).
owner /home/*/** r,
}