Score:5

Excessive Firefox related AppArmor log entries


I recently installed and fully updated Ubuntu 22.04.1 LTS (jammy), 64-bit (amd64, x86_64). I removed 'snapd' and its default set of installed applications, which includes the Firefox browser (which in 22.04 is covered by 'snap' by default). I simply don't want to rely on 'snap', and this post is not meant to be about the 'snap' pros/cons matter in general.

Further, I installed Firefox 109.0 (64-bit) through 'APT', using the Mozilla Team repository (https://ppa.launchpadcontent.net/mozillateam/ppa/ubuntu/). It caught my attention that an excessive amount of Firefox-related 'DENIED' AppArmor log messages is generated during browser activity.

Following is the set of log entries generated immediately after the Firefox start:

```text
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.813:39): apparmor="DENIED" operation="capable" profile="firefox" pid=2231 comm="firefox" capability=21  capname="sys_admin"
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.877:40): apparmor="DENIED" operation="open" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=2235 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.877:41): apparmor="DENIED" operation="open" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=2235 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.877:42): apparmor="DENIED" operation="open" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=2235 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.877:43): apparmor="DENIED" operation="open" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=2235 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.885:44): apparmor="DENIED" operation="open" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=2235 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.885:45): apparmor="DENIED" operation="open" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=2235 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.885:46): apparmor="DENIED" operation="open" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=2235 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.885:47): apparmor="DENIED" operation="open" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/config" pid=2235 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.941:48): apparmor="DENIED" operation="open" profile="firefox" name="/proc/2231/oom_score_adj" pid=2231 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
```

This is an example of the additional logs generated during regular browser activity:

```text
[Tue Jan 17 19:16:22 2023] audit: type=1400 audit(1674000983.040:56): apparmor="DENIED" operation="open" profile="firefox" name="/proc/2347/oom_score_adj" pid=2231 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[Tue Jan 17 19:16:35 2023] audit: type=1400 audit(1674000995.296:57): apparmor="DENIED" operation="open" profile="firefox" name="/proc/2347/oom_score_adj" pid=2231 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[Tue Jan 17 19:16:39 2023] audit: type=1400 audit(1674000999.280:58): apparmor="DENIED" operation="open" profile="firefox" name="/proc/2347/oom_score_adj" pid=2231 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[Tue Jan 17 19:16:41 2023] audit: type=1400 audit(1674001001.768:59): apparmor="DENIED" operation="open" profile="firefox" name="/proc/2455/oom_score_adj" pid=2231 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[Tue Jan 17 19:16:41 2023] audit: type=1400 audit(1674001001.768:60): apparmor="DENIED" operation="open" profile="firefox" name="/proc/2458/oom_score_adj" pid=2231 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[Tue Jan 17 19:16:41 2023] audit: type=1400 audit(1674001001.768:61): apparmor="DENIED" operation="open" profile="firefox" name="/proc/2461/oom_score_adj" pid=2231 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
```

If I understand correctly, Firefox is denied read access to the '/sys/devices/' area and read/write access to 'oom_score_adj' in '/proc/'. Could somebody clarify why that access would be required for regular browser operations? Is there any potential negative impact on performance and/or security if those attempts are allowed by AppArmor rules? I'm a bit puzzled, as I haven't noticed anything similar with older Ubuntu and Firefox versions. Complete suppression of those messages is also an option, as long as there's no negative impact on the application's performance.

I understand that this could be more of a question for application developers (Firefox), but I'd appreciate any input or hint.

davidA:
Did you find an answer to this? I also uninstalled the snap and installed Firefox via PPA, and I see a *lot* of these messages. My log files are significantly inflated because of these.
Alex:
No, absolutely no answer to this... :( Still present, even with the latest updates (both app and system), still referring to that 'oom_score_adj' file.
guiverc:
I suspect you'll only get the answers you seek from Mozilla themselves. I can't recall when `firefox` was moved to *snap* package (*impish* from memory but only for new installs not existing & my install was years old) & it wasn't until *jammy* I think for existing installs; thus there isn't much of a history in older releases for the *snap confined* version of `firefox` for comparison. You can adjust messages so fewer are logged but they'll still occur. Mozilla code for the *snap* version for Ubuntu (not the *deb* which is intended for testing only thus more logging is expected/wanted there)
Alex:
I would rather understand the background than suppress log messages, if possible. FYI, I just posted this same question to the Firefox support group. I'll post an update if I get any further detail.
Alex:
So, I got a suggestion on the Firefox support group to try downloading the Firefox package straight from the official Mozilla server and compare it. I downloaded the binaries from https://mozilla.org/en-US/firefox/all/#product-desktop-release and extracted them to a sub-folder in my home directory. That specific build doesn't generate any log messages on its own. Still, that binary in my home folder has no AppArmor profile defined...
rlat:
@Alex you won't see AppArmor log messages if the Firefox binaries are in your home directory. AppArmor doesn't block anything in the home directory. If you'd like to compare, try moving it to `/opt/firefox` and changing the owner to root with `sudo chown -R root:root /opt/firefox`. That would then be comparable to the apt-installed version.
Score:1

Additional rules have to be added to the Firefox AppArmor profile.

Edit /etc/apparmor.d/usr.bin.firefox and add:

```
# allow firefox to adjust its out-of-memory killer score
@{PROC}/[0-9]*/oom_score_adj rw,

# allow firefox to retrieve information about its own cgroups
@{PROC}/[0-9]*/cgroup r,
```

There are more things that Firefox tries to access when it is starting, but I am not completely sure whether it is a good idea to allow them or not, so I don't include them. The one allowing the oom score adjustments gets rid of most of the log messages.

If you need to generate the AppArmor rules, ask an LLM, together with the error log.
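As an added illustration (not code from the question or the answer above), here is a small Python script that parses AppArmor `DENIED` lines in the dmesg format shown in the question, aggregates them with the per-process PID folded into the `@{PROC}/[0-9]*/` glob the answer uses, and lists candidate profile lines by frequency, so it is visible at a glance that the `oom_score_adj` writes dominate. It also uses AppArmor's `owner` qualifier where `fsuid` equals `ouid`, which is narrower than the answer's `rw` rule; the sample log is constructed from a few of the entries quoted above, and every suggested line is only a candidate to review against the profile, not something to paste in blindly.

```python
import re
from collections import Counter

# Constructed sample in dmesg format, modelled on entries quoted in the question.
SAMPLE_LOG = """\
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.813:39): apparmor="DENIED" operation="capable" profile="firefox" pid=2231 comm="firefox" capability=21  capname="sys_admin"
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.877:40): apparmor="DENIED" operation="open" profile="firefox" name="/sys/devices/pci0000:00/0000:00:02.0/revision" pid=2235 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[Tue Jan 17 19:14:50 2023] audit: type=1400 audit(1674000890.941:48): apparmor="DENIED" operation="open" profile="firefox" name="/proc/2231/oom_score_adj" pid=2231 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
[Tue Jan 17 19:16:22 2023] audit: type=1400 audit(1674000983.040:56): apparmor="DENIED" operation="open" profile="firefox" name="/proc/2347/oom_score_adj" pid=2231 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value pairs, quoted or bare

def parse_line(line):
    """Return the key=value fields of one AppArmor DENIED entry, else None."""
    fields = {m[1]: m[2] if m[2] is not None else m[3] for m in KV_RE.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def generalize_path(path):
    """Fold the per-process PID under /proc into the glob AppArmor profiles use."""
    return re.sub(r"^/proc/\d+/", "@{PROC}/[0-9]*/", path)

def summarize(log_text):
    """Count denials by (profile, operation, target, denied mask, owner-only)."""
    counts = Counter()
    for f in filter(None, map(parse_line, log_text.splitlines())):
        if f["operation"] == "capable":
            key = (f["profile"], "capable", f.get("capname", "?"), "", False)
        else:
            # fsuid == ouid: the file belongs to the process owner, so the narrower 'owner' qualifier suffices
            owner = f.get("fsuid") == f.get("ouid")
            key = (f["profile"], f["operation"], generalize_path(f.get("name", "?")),
                   f.get("denied_mask", ""), owner)
        counts[key] += 1
    return counts

def suggest_rules(counts):
    """Candidate profile lines, most frequent denial first; each still needs review."""
    rules = []
    for (_profile, op, target, mask, owner), n in counts.most_common():
        if op == "capable":
            rules.append((n, f"capability {target},"))
        else:
            rules.append((n, f"{'owner ' if owner else ''}{target} {mask},"))
    return rules

if __name__ == "__main__":
    for n, rule in suggest_rules(summarize(SAMPLE_LOG)):
        print(f"{n:4d}  {rule}")
```

To run it over a real machine's log, feed it the output of `dmesg` or `journalctl -k` instead of `SAMPLE_LOG`; the `capability sys_admin,` line in particular is one to leave out unless there is a confirmed need for it.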
