2

I'm migrating from Gentoo to Ubuntu 22.04. Traditionally, I have all my firefox profiles on a separate partition mounted at /profiles which is mounted via this line in /etc/fstab:

PARTUUID="..." /profiles       ext4    data=writeback,barrier=0,nobh,commit=120,nofail,noatime,nodiratime      0       0

Now, I figured firefox comes as a snap package, and I have issues with that (off topic) so I installed it via the mozillateam ppa. Now, this firefox can read/write my profiles only if I copy them into my user's $HOME, but it says permission denied when I try to make the profile manager use any of the profiles on /profiles or create new profiles there. In the terminal, I can read/write just fine inside /profiles.

After a bit of research, it seems like Ubuntu's software center has some kind of options to allow R/W access to removable media, which I suppose my /profiles partition counts as (see this answer or this answer). I don't understand how this is done and I really really don't want this extra layer of "security". I want my permissions handled by chown and chmod and that's it. Can I disable this hidden mechanism of denying R/W access to removable media somehow?

Thanks :)

Artur Meinild
  • 26,018
igel
  • 167
  • It's a rabbit hole, but not the rabbit hole you think: "Ubuntu's software center has some kind of options to allow r/w access to removable media" That's not an extra layer of security and has nothing to do with whether Firefox can access other parts of the filesystem. The software center is not the access police. The software center's options are due to it being a snap, and those are snapd access restrictions. – user535733 Oct 23 '23 at 23:09
  • 2
    Ubuntu does, however, have actual access police. It's called AppArmor. It's a peer of SELinux. Read up on how to use it wisely: https://help.ubuntu.com/community/AppArmor Check your syslog and systemd journal to see why access by Firefox is denied. Maybe it's AppArmor, maybe it's something else. – user535733 Oct 23 '23 at 23:12
  • Yes, that was exactly the info I needed, thanks for the pointers. Should have thought of looking through the syslog anyways, silly me :) Can I close this somehow, or do you want to turn your comment into an answer so I can accept it (for future generations)? – igel Oct 25 '23 at 09:31
  • Do feel free to answer your own question. Such self-answers are great guides for future folks with similar problems. – user535733 Oct 26 '23 at 12:13

1 Answer

1

Thanks to the comments pointing to AppArmor as the culprit and reminding me to look at the syslog (I had to tell rsyslogd to actually write out messages to /var/log/messages in its config file). Sure enough, syslog also contained lines pointing to AppArmor:

[...] audit: type=1400 audit(1698224327.418:520): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/5309/cgroup" pid=5309 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Now, the link above contains information on how to disable this "feature":

sudo systemctl stop apparmor
sudo systemctl disable apparmor

After a reboot, everything worked as expected. According to the kernel parameter webpage, AppArmor can also be disabled by passing apparmor=0 to the kernel on boot.

igel
  • 167
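
To see which paths and permissions AppArmor is denying for a given profile, audit records like the one quoted in the answer can be parsed and grouped per profile and path. This is an added example, not part of the original question or answer; the first sample line is the one from the answer, the other lines (including the /profiles paths) are constructed, and the function names are illustrative.

```python
import re
from collections import defaultdict

# Line 1 is the record quoted in the answer; lines 2-4 are constructed
# for illustration (the /profiles paths, PIDs and timestamps are made up).
SAMPLE_LOG = '''\
[...] audit: type=1400 audit(1698224327.418:520): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/proc/5309/cgroup" pid=5309 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[...] audit: type=1400 audit(1698224330.101:521): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/profiles/work/prefs.js" pid=5309 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[...] audit: type=1400 audit(1698224330.207:522): apparmor="DENIED" operation="open" class="file" profile="firefox" name="/profiles/work/lock" pid=5309 comm="firefox" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
[...] audit: type=1400 audit(1698224331.000:523): apparmor="STATUS" operation="profile_load" profile="unconfined" name="firefox" pid=900 comm="apparmor_parser"
'''

# Matches key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Return the audit fields of an AppArmor DENIED record, else None."""
    fields = {key: quoted if quoted else bare
              for key, quoted, bare in FIELD.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None  # STATUS/ALLOWED records and unrelated log lines
    return fields


def summarize(log_text):
    """Map (profile, path) -> all permission letters denied for that path."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec and "profile" in rec and "name" in rec:
            denied[(rec["profile"], rec["name"])].update(rec.get("denied_mask", ""))
    return {key: "".join(sorted(mask)) for key, mask in denied.items()}


def denials_under(log_text, prefix):
    """Restrict the summary to paths below one directory, e.g. /profiles."""
    root = prefix.rstrip("/") + "/"
    return {key: mask for key, mask in summarize(log_text).items()
            if key[1].startswith(root)}


if __name__ == "__main__":
    for (profile, path), mask in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{profile:10} {mask:4} {path}")
```
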