Web pages not rendering with e10s enabled and AppArmor profile in enforce mode

Okay. I dug a bit deeper and this issue is caused by the AppArmor profile shipped with Firefox that I have enabled. The syslog contains following entries from AppArmor when running Firefox e10s enabled and the firefox profile in enforce mode:

audit: type=1400 audit(1474776774.198:579): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/shm/org.chromium.h4apSY" pid=5022 comm=57656220436F6E74656E74 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

audit: type=1400 audit(1474776774.222:580): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/shm/org.chromium.VpQMbW" pid=5022 comm=57656220436F6E74656E74 requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

So Firefox tries to access /dev/shm but the default AppArmor profile denies it. So the profile needs to be changed to make it compatible with e10s.

As a workaround, you can run the following commands to allow Firefox to access shared memory:

  echo "/dev/shm/org.chromium.* rw," | sudo tee -a /etc/apparmor.d/local/usr.bin.firefox
  sudo apparmor_parser -r /etc/apparmor.d/usr.bin.firefox

That should make e10s work again with AppArmor enforcement enabled.

Status changed to 'Confirmed' because the bug affects multiple users.

Should this be reported as a bug against the apparmor package? https://launchpad.net/ubuntu/+source/apparmor/+bugs

Hi,
this bug should not be reported against the apparmor package. The profile /etc/apparmor.d/usr.bin.firefox belongs to the firefox package. Also I did not face the problem on all machines, investigating this I found machines where is a link from /etc/apparmor.d/disable/usr.bin.firefox to /etc/apparmor.d/usr.bin.firefox does not face the problem (oviously because apparmor is entirely disabled for this machine). Now /etc/apparmor.d/disable/usr.bin.firefox does not belong to any package, so I assume I created it in mid 2015 because of other problems with firefox. A lot of other people might have done the same, so they do not have a problem with firefox, except for the security hole...

Hi Sami!

The proposed workaround does not work for me. Only setting apparmor to complain mode allows shm access and renders websites... Any hints?

Thanks
Martin

If you are running in complain mode you could look at the audit log and see what AppArmor complains about when you are browsing the web with e10s enabled. If you see AppArmor complaining about Firefox accessing some specific paths, those might be causing he issues you are seeing.

Just ran into this today, make sure to grant Firefox rw access to /dev/shm/org.chromium.*, I first tried just with write access and it wasn't enough.
Is there something I can do to propose a fix? It's just the single line from #3.

A patch which might fix this issue, too, is available at 1659988.

https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1659988

Everyone affected, please give it a try and report back.

I think it should fix your issues too.

@Maintainers: This issue might duplicate

https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1659922 and
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1643200

or vice versa.

I'm optimistic that 1659988 fixes all of these apparmor related issues (which is the reason I encourage everyone affected to try it out).

@mikecaines-gmail This issue is apparmor related, whereas FF's apparmor profile is part of the firefox package as demonstrated here (first file is the apparmor profile):

http://packages.ubuntu.com/xenial/amd64/firefox/filelist

That said, this issue needs to be fixed in the firefox package and not in the apparmor packages. There's no need to report it against apparmor.

@Thomas Mayer 1659988 proposes to disable appamor for firefox. This works, but is a very poor solution in terms of security. I prefer the solution proposed by Sami Jaktholm (sjakthol) on 2016-09-25 in his 3'rd post.

I do not think the proposed patch by @Thomas Mayer https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1659988/+attachment/4809979/+files/usr.bin.firefox.patch completely disables apparmor for firefox, but allows access to certain aspects of the system. Those access rights seem to be necessary to run with e10s.

The thread author Sami proposed to just add shm/chromium rw in #3 but this workaround does not fix the issue for me. So there have to be other restrictions which prevent firefox e10s from running smoothly.

I will try the patch and report back.

The patch of @Thomas Mayer only applies cleanly to LTS 16.04, while I run 14.04.

@Sami Jaktholm:
I had to add another line to your proposal in comment #3 in
/etc/apparmor.d/local/usr.bin.firefox to get it running:

  /dev/shm/org.chromium.* rw,
  /run/shm/org.chromium.* rw,

Not only "/dev" but also "/run" seems to be necessary for 14.04.

@christoph-thomas I did not propose to disable the apparmor profile. I just disabled it to demonstrate that the issue is fully related to the apparmor profile provided by ubuntu and not related to FF upstream.

Later on, I uploaded a patch which fixes the profile itself. With the patch applied to the profile while the profile is enabled, the whole issue is fixed whereas apparmor still can take care on security.

That goes along with what @mailing-m1 already posted in comment 13.

@mailing-m1

I uploaded a patch named "VERSION 4" at https://bugs.launchpad.net/bugs/1659988 which integrates your suggestion for 14.04. Would you like to retry?

@thomas303

Unfortunately, "usr.bin.firefox" of 14.04 has a different structure when compared to 16.04. So the patch fails.