Wednesday, May 15, 2024
rated 0 times [  2] [ 0]  / answers: 1 / hits: 1274  / 3 Years ago, mon, november 22, 2021, 9:13:12

EDIT5: finally, it's probably an AppArmor problem.



/usr/lib/firefox/firefox{,*[^s][^h]}


is indeed in complain mode, but



/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk
/usr/lib/firefox/firefox{,*[^s][^h]}//sanitized_helper


are in enforce mode. I don't know how to switch them to complain. The only profile I have in /etc/apparmor.d/ is usr.bin.firefox (with /usr/bin/firefox apparently being a link to /usr/lib/firefox/firefox.sh), and I did sudo aa-complain /etc/apparmor.d/usr.bin.firefox
There is a bug report https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1293439 marked as 'fix released', but I don't seem to enjoy the fix :-)



One workaround was to follow the method stated here: "How to use Firefox AppArmor profile with IcedTea Java plugin on Ubuntu 14.04?", that is, to disable the Firefox profile altogether:



sudo ln -s /etc/apparmor.d/usr.bin.firefox /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox
sudo service apparmor reload


But as stated by the OP, this is not a satisfying solution... And until now, no one proposed a better solution...



Here are the DENIED messages from Apparmor:



type=AVC msg=audit(1424428803.909:134): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-debug-to-appletviewer" pid=4513 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428803.909:135): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-to-appletviewer" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.046:136): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=4514 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

type=AVC msg=audit(1424428804.395:137): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/proc/4477/cmdline" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.406:138): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.407:139): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.407:140): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.407:141): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.408:142): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4517 comm=64636F6E6620776F726B6572 family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428804.408:143): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4517 comm=64636F6E6620776F726B6572 requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.408:144): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4517 comm=64636F6E6620776F726B6572 requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428804.880:145): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4480 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428804.881:146): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4480 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428804.929:147): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4480 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428804.931:148): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4480 comm="java" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"

type=AVC msg=audit(1424428805.106:149): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/proc/sys/net/ipv4/ip_local_port_range" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1424428805.106:150): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/proc/sys/net/ipv4/ip_local_port_range" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

type=AVC msg=audit(1424428805.929:151): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/home/franck/.mozilla/firefox/profiles.ini" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

type=AVC msg=audit(1424428805.930:152): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=4519 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

type=AVC msg=audit(1424428805.981:153): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=4520 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0


=============================================================================



I need to use Java applets to access some clients' VPN portals, and I'm trying to use the IcedTea plugin on Ubuntu 14.10 / Firefox 35.0.1.



Whenever I try to run an applet, Firefox will freeze for some time. It might be a long time, and I might have to kill Firefox.



This seems to happen with every applet I try, for example with every applet found here http://icedtea.classpath.org/wiki/IcedTea-Web-Tests.



I can't find any .icedtea directory with logs.



Running Firefox from the terminal gives me some information:



java version "1.7.0_75"
OpenJDK Runtime Environment (IcedTea 2.5.4) (7u75-2.5.4-1~utopic1)
OpenJDK 64-Bit Server VM (build 24.75-b04, mixed mode)
java.io.FileNotFoundException: /run/user/1000/icedteaplugin-franck-2KgVYB/2434-icedteanp-plugin-to-appletviewer (Permission non accordée)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:146)
at java.io.FileInputStream.<init>(FileInputStream.java:101)
at sun.applet.PluginMain.connect(PluginMain.java:186)
at sun.applet.PluginMain.main(PluginMain.java:148)
<snip>
Something very bad happened. I don't know what to do, so I am going to exit :(

###!!! [Parent][MessageChannel::Call] Error: Channel timeout: cannot send/recv


Any idea how to fix this?



EDIT: I made sure apparmor is in complain mode, not enforce, for Firefox.



EDIT2: rerun with 'firefox -g', but didn't get much more information.
Here is the output when running the applet:



[New Thread 0x7ffd5a3fe700 (LWP 5254)]
java version "1.7.0_75"
OpenJDK Runtime Environment (IcedTea 2.5.4) (7u75-2.5.4-1~utopic1)
OpenJDK 64-Bit Server VM (build 24.75-b04, mixed mode)
java.io.FileNotFoundException: /run/user/1000/icedteaplugin-franck-s7zldV/5255-icedteanp-plugin-to-appletviewer (Permission non accordée)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.<init>(FileInputStream.java:146)
at java.io.FileInputStream.<init>(FileInputStream.java:101)
at sun.applet.PluginMain.connect(PluginMain.java:186)
at sun.applet.PluginMain.main(PluginMain.java:148)


(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée. dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée. dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée. dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée. dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée. dconf will not work properly.
(<unknown>:5264): dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission non accordée. dconf will not work properly.
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_register_object: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
(<unknown>:5264): GLib-GIO-CRITICAL **: g_dbus_connection_get_unique_name: assertion 'G_IS_DBUS_CONNECTION (connection)' failed
Unable to use Firefox's proxy settings. Using "DIRECT" as proxy type.
Something very bad happened. I don't know what to do, so I am going to exit :(

###!!! [Parent][MessageChannel::Call] Error: Channel timeout: cannot send/recv


And here is the output of an ls:



~$ ls -l /run/user/1000/icedteaplugin-franck-s7zldV/5255-icedteanp-plugin-to-appletviewer
prw------- 1 franck franck 0 févr. 18 09:41 /run/user/1000/icedteaplugin-franck-s7zldV/5255-icedteanp-plugin-to-appletviewer


EDIT4: might be related to this https://bugzilla.redhat.com/show_bug.cgi?id=976833



 Answers
6

First, put the subprofiles into complain mode. You can manually do this by adding flags=(complain) to the profile.



e.g.
/usr/lib/firefox/firefox{,*[^s][^h]}//browser_java flags=(complain) {
...
}


Once that is done, reload the profile.



Now for a first pass at the rules you will need to add to /usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk to fix the listed denials. Please note there may be more denied messages after these are added. Also, you should check /var/log/syslog for denied messages, because Ubuntu has turned on extended dbus mediation and its denials do not go to the kernel ring buffer. Also, this profile should be reloaded to make sure the new rules are added.



/usr/bin/logger Pix, # choose transition that makes sense for your profiles

/proc/sys/net/ipv4/ip_local_port_range r,
/proc/@{pid}/cmdline r,

owner @{HOME}/.mozilla/firefox/profiles.ini r,
owner /run/user/1000/dconf/user rw,
owner /run/user/1000/icedteaplugin-franck-OzMRPQ/4468-icedteanp-plugin-to-appletviewer r,

unix peer=(addr=@/tmp/dbus-* label=unconfined),

[#21280] Tuesday, November 23, 2021, 3 Years  [reply] [flag answer]
breadoules
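
The denial-to-rule translation done by hand in the answer above, as an added example (not part of the original answer and not AppArmor's own tooling): it parses DENIED records like those in the question, decodes the hex-encoded comm field, and returns de-duplicated candidate rules per child profile. The function names and the generalisation patterns are assumptions of this example, and each candidate should be reviewed before it goes into a profile.

```python
import re

# Four denials copied from the question's log (file read, exec, file write, unix socket).
SAMPLE = """\
type=AVC msg=audit(1424428804.395:137): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/proc/4477/cmdline" pid=4480 comm="java" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1424428804.046:136): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/usr/bin/logger" pid=4514 comm="java" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=AVC msg=audit(1424428804.406:138): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=4480 comm="java" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
type=AVC msg=audit(1424428804.408:142): apparmor="DENIED" operation="connect" profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" pid=4517 comm=64636F6E6620776F726B6572 family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/dbus-VT8SEPjAqx" peer="unconfined"
"""

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Assumption: per-run path parts are replaced by profile variables or globs.
GENERALISE = [(r"^/proc/\d+/", "/proc/@{pid}/"), (r"^/home/[^/]+/", "@{HOME}/"),
              (r"(icedteaplugin-)[^/]+/\d+-", r"\1*/*-"), (r"dbus-\w+$", "dbus-*")]

def parse(line):
    """Split one audit record into a dict; decode auditd's hex-encoded comm."""
    rec = {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD.findall(line)}
    if 'comm="' not in line and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", rec.get("comm", "")):
        rec["comm"] = bytes.fromhex(rec["comm"]).decode("utf-8", "replace")
    return rec

def generalise(path):
    for pattern, repl in GENERALISE:
        path = re.sub(pattern, repl, path)
    return path

def candidate(rec):
    """Return one candidate rule, or a comment where a human must decide."""
    mask = rec.get("denied_mask", "")
    if rec.get("family") == "unix":
        perms = ", ".join(mask.split())
        return f'unix ({perms}) type={rec["sock_type"]} peer=(addr="{generalise(rec["peer_addr"])}"),'
    path = generalise(rec["name"])
    if "x" in mask:  # the transition mode is a security decision, so do not guess it
        return f"# exec of {path} denied: choose a transition (ix, Px, Pix, ...)"
    perms = ("r" if "r" in mask else "") + ("w" if set(mask) & set("wc") else "")
    owner = "owner " if rec.get("fsuid") == rec.get("ouid") else ""
    return f"{owner}{path} {perms},"

def rules_by_profile(log):
    """Map each denying profile to de-duplicated candidate rules, in log order."""
    out = {}
    for rec in (parse(l) for l in log.splitlines() if 'apparmor="DENIED"' in l):
        out.setdefault(rec["profile"], {})[candidate(rec)] = None  # dict keeps order
    return {profile: list(rules) for profile, rules in out.items()}

if __name__ == "__main__":
    print(rules_by_profile(SAMPLE))
```

The decoded comm value (`dconf worker`) identifies which helper thread triggered the dconf and D-Bus denials, which helps when deciding whether a rule belongs in the child profile at all.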
