After 10.04 upgrade, firefox won't download files

[dgermann]

Hi--

Testing some things here to see if I can find some clues.

1. First I set to complain and asked for a status:

Code:

doug@doug2:/etc/apparmor.d$ sudo aa-complain /etc/apparmor.d/usr.bin.firefox
Setting /etc/apparmor.d/usr.bin.firefox to complain mode.
doug@doug2:/etc/apparmor.d$ sudo service apparmor status | grep firefox
   /usr/lib/firefox-9.0.1/firefox-*bin
   /usr/lib/firefox-9.0.1/firefox-*bin//firefox_java
   /usr/lib/firefox-9.0.1/firefox-*bin//firefox_openjdk
   /usr/lib/firefox-10.0/firefox{,*[^s][^h]}
   /usr/lib/firefox-10.0/firefox{,*[^s][^h]}//firefox_java
   /usr/lib/firefox-10.0/firefox{,*[^s][^h]}//firefox_openjdk
   /usr/lib/firefox-10.0/firefox{,*[^s][^h]} (25177) 
doug@doug2:/etc/apparmor.d$

The status responses are not comprehensible to me. Are they telling me anything useful?

Before I did this, I could not do a download to a network directory as I wished. After this, I could download to the network folder where I want it. I was running

Code:

tail -F /var/log/messages

while I did this test, and got absolutely no log messages during this download after I set it to complain.

Before I set it to complain, I did get several complaints, some as I started specifying the download on the website, but before I actually hit the download button there:

Code:

Feb  9 20:34:11 localhost kernel: [1380679.327154] type=1503 audit(1328837651.071:785):  operation="open" pid=26284 parent=1 profile="/usr/lib/firefox-10.0/firefox{,*[^s][^h]}" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name=2F73616D2F646F7567322F646C2D323031312F3230313130373032206C69666520726576696577206D616E75616C2E646F63
Feb  9 20:34:18 localhost kernel: [1380686.316686] type=1503 audit(1328837658.063:786):  operation="open" pid=26292 parent=1 profile="/usr/lib/firefox-10.0/firefox{,*[^s][^h]}" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/sam/doug2/dl-2012/ImportExportTools-2.6.4.xpi"
Feb  9 20:34:42 localhost kernel: [1380710.568448] type=1503 audit(1328837682.315:787):  operation="mknod" pid=25177 parent=1 profile="/usr/lib/firefox-10.0/firefox{,*[^s][^h]}" requested_mask="c::" denied_mask="c::" fsuid=1000 ouid=1000 name="/sam/doug2/dl-2012/backup-Feb-8-2012-1.tar.gz.test"
Feb  9 20:35:23 localhost kernel: [1380751.874843] type=1503 audit(1328837723.619:788):  operation="open" pid=26319 parent=1 profile="/usr/lib/firefox-10.0/firefox{,*[^s][^h]}" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/sam/doug2/dl-2012/ImportExportTools-2.6.4.xpi"
Feb  9 20:35:23 localhost kernel: [1380751.881754] type=1503 audit(1328837723.627:789):  operation="open" pid=26317 parent=1 profile="/usr/lib/firefox-10.0/firefox{,*[^s][^h]}" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name="/sam/doug2/dl-2012/ImportExportTools-2.6.4.xpi"
Feb  9 20:35:33 localhost kernel: [1380761.980555] type=1503 audit(1328837733.727:790):  operation="open" pid=26317 parent=1 profile="/usr/lib/firefox-10.0/firefox{,*[^s][^h]}" requested_mask="r::" denied_mask="r::" fsuid=1000 ouid=1000 name=2F73616D2F646F7567322F646C2D323031312F3230313130373032206C69666520726576696577206D616E75616C2E646F63
Feb  9 20:37:24 localhost sudo: pam_sm_authenticate: Called
Feb  9 20:37:24 localhost sudo: pam_sm_authenticate: username = [doug]
Feb  9 20:41:09 localhost kernel: [1381097.953132] type=1505 audit(1328838069.699:791):  operation="profile_replace" pid=26474 name="/usr/lib/firefox-10.0/firefox{,*[^s][^h]}"
Feb  9 20:41:09 localhost kernel: [1381097.953363] type=1505 audit(1328838069.699:792):  operation="profile_replace" pid=26474 name="/usr/lib/firefox-10.0/firefox{,*[^s][^h]}//firefox_java"
Feb  9 20:41:09 localhost kernel: [1381097.953594] type=1505 audit(1328838069.699:793):  operation="profile_replace" pid=26474 name="/usr/lib/firefox-10.0/firefox{,*[^s][^h]}//firefox_openjdk"

So that is one set of clues, although I do not know what it means.

2. The second is that since this upgrade, I cannot do *uploads* either. I have tried uploads to both Facebook and Dropbox.com and neither will go. The uploads are from a network directory.

Aha! Having this set in complain mode allows me to do some uploading on Facebook. I uploaded 2 or so photos, and then Facebook started complaining about needing the latest Flash Player (which I have), and pushed me into their "Basic uploader" Then it would not publish the pictures, but did allow them to be uploaded. In any case, I don't think I got anything in the log during the first two regular uploads, but these on the basic uploads:

Code:

Feb  9 21:03:38 localhost kernel: [1382447.226468] Inbound IN=eth0 OUT= MAC[blanked] SRC=184.85.82.110 DST=192.168.0.5 LEN=77 TOS=0x00 PREC=0x20 TTL=58 ID=48916 DF PROTO=TCP SPT=443 DPT=57301 WINDOW=17119 RES=0x00 ACK PSH URGP=0 
Feb  9 21:03:39 localhost kernel: [1382447.739642] Inbound IN=eth0 OUT= MAC=[blanked] SRC=184.85.82.110 DST=192.168.0.5 LEN=77 TOS=0x00 PREC=0x20 TTL=58 ID=22840 DF PROTO=TCP SPT=443 DPT=57299 WINDOW=17119 RES=0x00 ACK PSH URGP=0 
Feb  9 21:03:39 localhost kernel: [1382447.866736] Inbound IN=eth0 OUT= MAC=[blanked] SRC=184.85.82.110 DST=192.168.0.5 LEN=77 TOS=0x00 PREC=0x20 TTL=58 ID=64543 DF PROTO=TCP SPT=443 DPT=57300 WINDOW=17119 RES=0x00 ACK PSH URGP=0 
Feb  9 21:04:06 localhost kernel: [1382475.067031] Inbound IN=eth0 OUT= MAC=[blanked] SRC=184.85.82.110 DST=192.168.0.5 LEN=77 TOS=0x00 PREC=0x20 TTL=58 ID=48917 DF PROTO=TCP SPT=443 DPT=57301 WINDOW=17119 RES=0x00 ACK PSH URGP=0 
Feb  9 21:04:07 localhost kernel: [1382476.090707] Inbound IN=eth0 OUT= MAC=[blanked] SRC=184.85.82.110 DST=192.168.0.5 LEN=77 TOS=0x00 PREC=0x20 TTL=58 ID=22841 DF PROTO=TCP SPT=443 DPT=57299 WINDOW=17119 RES=0x00 ACK PSH URGP=0 
Feb  9 21:04:08 localhost kernel: [1382476.347576] Inbound IN=eth0 OUT= MAC=[blanked] SRC=184.85.82.110 DST=192.168.0.5 LEN=77 TOS=0x00 PREC=0x20 TTL=58 ID=64544 DF PROTO=TCP SPT=443 DPT=57300 WINDOW=17119 RES=0x00 ACK PSH URGP=0

Seems clear to me that Apparmor is the culprit here. (FWIW, I am able to do uploads via the Epiphany browser.)

So is there some solution to all this?

Is Apparmor more trouble than it's worth?

[bodhi.zazen]

Try removing the "owner" in "owner /sam/** rw,"

Code:

/sam rw,
/sam/** rw,

[dgermann]

bodhi.zazen--

Thank you very much, bodhi.zazen!

Was not entirely sure of the two lines in your example, so I chose to do only the second one. Here's what I did:

Code:

doug@doug2:~$ sudo gedit /etc/apparmor.d/usr.bin.firefox
[sudo] password for doug: 
doug@doug2:~$ sudo aa-enforce /etc/apparmor.d/usr.bin.firefox
Setting /etc/apparmor.d/usr.bin.firefox to enforce mode.
doug@doug2:~$

Then, without restarting Firefox I tried the download to the network drive (from the site where I noticed the problem), and tried uploads from the network drive to Facebook and Dropbox, and all went flawlessly.

Thank you!

Did I need to run the parser again too?

What exactly did this change accomplish? Where might I learn a little more about apparmor syntax?

Thanks!

[bodhi.zazen]

You should be good to go. "owner" means you are granting privileges to the owner of the file / directory and as this is a shared directory it was causing problems.

[dgermann]

bodhi.zazen--

Thank you very much!

[bodhi.zazen]

bodhi.zazen--

Thank you very much!

You are most welcome.