Firefox deb handcuffed in 24.04. How to remove its restrictions?

Ubuntu Version:
Xubuntu 24.04.1

Desktop Environment:
XFCE

Problem Description:
Am attempting to move from 22.4 to 24.4.
Clean (X)Ubuntu Minimal install into a qemu vm.
The vm has a system/home ‘virtual disk’ + a data ‘virtual disk’

I installed Firefox 135.0.1 from the .deb
using the instructions at
support.mozilla.org/en-US/kb/install-firefox-linux
(snap removed from the system).

I need to move the firefox profiles and the download directory out of /home
onto the separate data virtual disk.
Easy in Xubuntu 22.04 with firefox 135.0.1, easy in google-chrome, and Brave.
Also no problem for Thunderbird.
But can’t move either in the 24.4 install of firefox 135.0.1.

(happy to explain why I need to do this if anyone is moved to question my sanity,
or explain why snaps don't work for me if my judgement needs to be questioned).

Moving the download directory anywhere but in /home causes the download to fail.
Moving the profile out of /home
(either by creating an entry in .profile or creating a symlink)
and attempting to start firefox results in

Firefox is already running but is not responding…

At first I thought it was apparmor.
But, there is an apparmor profile /etc/apparmor/firefox
which starts with

This profile allows everything and only exists to give the
application a name instead of having the label “unconfined”

so I assume this means it is not apparmor preventing the access.

So what else could be stopping firefox?
Or have I misunderstood “This profile allows everything”?
Or does this apparmor profile only apply to the (never installed) snap version of firefox
but not to firefox installed from .deb?

Relevant System Information:
Clean minimal install of Xubuntu 22.04.1, snapd uninstalled

Screenshots or Error Messages:
“Download Failed” - if change download directory
“Firefox is already running but is not responding…” - if move profile

What I’ve Tried:
symlinks to the firefox profile on the other disk
updating the .profile to point to the firefox profile on the other disk - works in 22.04, works for g-chrome, thunderbird.

Edited the title to specify that this question is about the Firefox deb.

As sometimes happens, simply posting here,
(and banging one's head against the wall 23 times)
leads one to the solution.

I saw that
/etc/apparmor.d
has 2 firefox profiles:

/etc/apparmor.d/firefox
(probably installed with the minimal install)

and

/etc/apparmor.d/usr.bin.firefox
(probably installed there by the .deb install).

Now /etc/apparmor.d/firefox, a stub profile
has the profile line:
profile firefox /{usr/lib/firefox{,-esr,-beta,-devedition,-nightly},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined)

and
/etc/apparmor.d/usr.bin.firefox, a full detailed profile
has the profile line:
profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} {

BUT the actual firefox in use is
/usr/bin/firefox

removing those 2 profiles and replacing with a new stub profile
/etc/apparmor.d/firefox
with the profile line:
profile firefox /usr/bin/firefox flags=(unconfined) {

resolves the problem.

In fact I would like to be able to edit the full profile
and keep its many imaginative restrictions
but simply allow the ability to move the profile and download folders to a different specific location.
But understanding a full apparmor profile enough to edit it
may take several years of prayer, fasting and not washing with soap.
I will start tomorrow.

Am marking this as the ‘solution’ as it is also the solution offered in the launchpad bug report
mentioned by @ogra in post 5 and @wxl in post 7 below.

Though long term I will create a more secure solution that uses apparmor rather than neutralises it.
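
Added example, not part of the original thread: the three profile header lines quoted in the post above, checked against the executable paths it mentions to show which profile's attachment pattern covers which binary. The glob translation is a simplified reading of AppArmor's pattern syntax, and the labels and function names are made up for this illustration.

```python
import re

# Profile header lines as quoted in the post (labels are constructed for this example).
HEADERS = {
    "/etc/apparmor.d/firefox (shipped stub)":
        "profile firefox /{usr/lib/firefox{,-esr,-beta,-devedition,-nightly},opt/firefox}/firefox{,-esr,-bin} flags=(unconfined)",
    "/etc/apparmor.d/usr.bin.firefox":
        "profile firefox /usr/lib/firefox/firefox{,*[^s][^h]} {",
    "/etc/apparmor.d/firefox (replacement stub)":
        "profile firefox /usr/bin/firefox flags=(unconfined) {",
}
SIMPLE = {"**": ".*", "*": "[^/]*", "?": "[^/]"}  # '*' and '?' never cross a '/'

def attachment(header):
    """Return the attachment glob from a 'profile NAME GLOB [flags=(...)] {' line."""
    m = re.match(r"\s*profile\s+\S+\s+(/\S*)", header)
    if not m:
        raise ValueError("no attachment path in: " + header)
    return m.group(1)

def glob_to_regex(glob):
    """Translate an AppArmor-style glob into a Python regex (simplified assumption)."""
    out, depth = [], 0
    for tok in re.findall(r"\*\*|\[[^\]]+\]|.", glob):
        if tok in SIMPLE:
            out.append(SIMPLE[tok])
        elif len(tok) > 1:              # character class such as [^s]: same syntax in regex
            out.append(tok)
        elif tok in "{}":               # {a,b} alternation, may be nested
            depth += 1 if tok == "{" else -1
            out.append("(?:" if tok == "{" else ")")
        elif tok == "," and depth:      # a comma outside braces stays literal
            out.append("|")
        else:
            out.append(re.escape(tok))
    if depth:
        raise ValueError("unbalanced braces in " + glob)
    return re.compile("".join(out))

def matching_profiles(path, headers=HEADERS):
    """Labels of the headers whose attachment glob matches the executable path."""
    return [label for label, h in headers.items()
            if glob_to_regex(attachment(h)).fullmatch(path)]

if __name__ == "__main__":
    for exe in ("/usr/bin/firefox", "/usr/lib/firefox/firefox", "/usr/lib/firefox/firefox.sh"):
        print(exe, "->", matching_profiles(exe) or "no profile attaches")
```

On a live system, `aa-status` lists the loaded profiles and the processes each one is confining, which is the authoritative check of what a running firefox is actually under.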

Lots of good information here:

In particular, you might be interested in complain mode and logprof.

1 Like

Thanks, yes, I saw that last night.
It was that page, plus reading the existing profiles,
that decided me I would need 40 days and 40 nights on a caffeine-only diet
to fully understand it.

I need to finish the test install of 24.04 first, deal with all the new issues (e.g. this one)
sufficiently to keep moving,
then get it deployed on the vms and hosts beside the existing 22.04 as fallback,
all the while trying not to shout at innocent passing wildlife.

Then, I will buy a truckload of fine coffee beans, and start on apparmor.

1 Like

This is likely caused by the newly added security features in 24.04 and has been discussed in this bug during the release cycle:

(FWIW it should be trivial to achieve what you want with the snap too, as long as you use bind mounts instead of symlinks for any directory redirections and you would not weaken the overall security through apparmor hacks)

1 Like

Thanks for that - I hadn’t realised a bug had been created,
though not surprised.

For the moment I’ll just use my unconfined profile,
until I finish testing, problem-workarounds, configuration, install and deployment of 24.4.
I’ll then take a serious look at apparmor and create a proper apparmor profile.
(have been avoiding doing that for years :sweat_smile: but apparmor is now kicking on my front door).

FWIW the change @ogra was referring to was mentioned in the release notes.

Though not quite as obvious, there are fixes to this bug that appeared in the point release notes.

So you kind of had to put two and two together to figure it out, but the basic information was there.

1 Like

Thanks wxl, yes I had read the release notes.
But the existence of the firefox apparmor profiles as outlined in the first post above
seemed to suggest that wasn’t the issue.

Also, one does tend to glaze over a bit on things one doesn't understand.
As firefox wasn't mentioned and doesn’t seem to have the sandboxes g-chrome has,
I wasn’t sure at the time that “user namespaces” applied to me.
