github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

update.test" #3115

New issue

Open

opened 2026-05-05 09:45:10 -06:00 by gitea-mirror · 4 comments

gitea-mirror commented

2026-05-05 09:45:10 -06:00

Owner

Originally created by @Gerenuk on GitHub (Jun 28, 2023).
Original GitHub issue: https://github.com/netblue30/firejail/issues/5872

Firefox with firejail seems to function normally, but I see error messages in dmesg:

audit: type=1400 audit: apparmor="DENIED" operation="mknod" class="file" profile="firejail-default" name="/opt/Firefox/update.test" pid=1379 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

This appears 3 times and does not repeat more when I restart firefox (with or without profile). I guess it's some type of update test that Firefox performs. /opt/Firefox is my firefox directory and update.test does usually not exist.

I do not know if this impacts functionality of the update check. It's a minor issue, but I thought there shouldn't be stray error messages in dmesg and hopefully this is a small fix.

(firejail 0.9.72)

Originally created by @Gerenuk on GitHub (Jun 28, 2023). Original GitHub issue: https://github.com/netblue30/firejail/issues/5872 Firefox with firejail seems to function normally, but I see error messages in `dmesg`: ``` audit: type=1400 audit: apparmor="DENIED" operation="mknod" class="file" profile="firejail-default" name="/opt/Firefox/update.test" pid=1379 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 ``` This appears 3 times and does not repeat more when I restart firefox (with or without profile). I guess it's some type of update test that Firefox performs. `/opt/Firefox` is my firefox directory and `update.test` does usually not exist. I do not know if this impacts functionality of the update check. It's a minor issue, but I thought there shouldn't be stray error messages in dmesg and hopefully this is a small fix. (firejail 0.9.72)

gitea-mirror commented

2026-05-05 09:45:12 -06:00

Author

Owner

@ghost commented on GitHub (Jun 29, 2023):

How do you usually install your Firefox? And what OS is this?

Indeed, very likely this is Firefox' updater trying to write into /optFirefox/update.test. Usually, when installing Firefox via native OS package manager, its app-internal updating fuctionality is disabled. Hence our default AppArmor profile only supports executing files under /opt:

fbd53a8f8c/etc/apparmor/firejail-default (L98)

Even if you wanted to, your user doesn't have the needed privileges to install pending updates to /opt/Firefox. Or at least they shouldn't have. So instead of messing with AppArmor options, to me it would make more sense to never allow such update checks in the first place (when running from under /opt). Could be as simple as setting app.update.auto to false in about:config.

If you disable FF auto-update, do you still get those messages?
If for some reason you don't want to disable that, does appending a line like the one below to your /etc/apparmor.d/local/firejail-default stops those messages from showing up in dmesg? PLEASE NOTE that after making changes to anything under /etc/apparmor.d it's best to do a full reboot and let AppArmor refresh its cache. Not doing so could give incorrect results.

[...]
/opt/Firefox/update.test rw,

If that's too restrictive, try

[...]
/opt/Firefox/** rw,

Depending on the results of your testing we can make a more informed decision on adding to/fixing our default AppArmor files later on. Thanks for reporting!

@ghost commented on GitHub (Jun 29, 2023): How do you usually install your Firefox? And what OS is this? Indeed, very likely this is Firefox' `updater` trying to write into /optFirefox/update.test. Usually, when installing Firefox via native OS package manager, its app-internal updating fuctionality is disabled. Hence our default AppArmor profile only supports executing files under /opt: https://github.com/netblue30/firejail/blob/fbd53a8f8cf91f6285e96a7c458f30798947c238/etc/apparmor/firejail-default#L98 Even if you wanted to, your user doesn't have the needed privileges to install pending updates to /opt/Firefox. Or at least they shouldn't have. So instead of messing with AppArmor options, to me it would make more sense to never allow such update checks in the first place (when running from under /opt). Could be as simple as setting `app.update.auto` to `false` in about:config. If you disable FF auto-update, do you still get those messages? If for some reason you don't want to disable that, does `appending` a line like the one below to your /etc/apparmor.d/local/firejail-default stops those messages from showing up in dmesg? PLEASE NOTE that after making changes to anything under /etc/apparmor.d it's best to do a full reboot and let AppArmor refresh its cache. Not doing so could give incorrect results. ``` [...] /opt/Firefox/update.test rw, ``` If that's too restrictive, try ``` [...] /opt/Firefox/** rw, ``` Depending on the results of your testing we can make a more informed decision on adding to/fixing our default AppArmor files later on. Thanks for reporting!

gitea-mirror commented

2026-05-05 09:45:13 -06:00

Author

Owner

@Gerenuk commented on GitHub (Jul 13, 2023):

Usually I have a script which downloads the new binary from Mozilla and puts it into /opt/Firefox. I'm using Manjaro Linux, but not their Firefox package.

Using the first line /opt/Firefox/update.test rw, would give dmesg message

audit: type=1400 audit: apparmor="DENIED" operation="mkdir" class="file" profile="firejail-default" name="/opt/Firefox/updates/" pid=1529 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

and an error in Firefox when it tries to update.

Using the second line /opt/Firefox/** rw, makes Firefox update successfully, but weirdly I still get another dmesg error message

audit: type=1400 audit: apparmor="DENIED" operation="mkdir" class="file" profile="firejail-default" name="/opt/update.test/" pid=1531 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Of course I would prefer to add such custom modification to ~/.config/firejail/... somehow instead of /etc.

I'm actually not sure if I want Firefox to automatically update itself, but I definitely want Firefox to tell me about new updates. And while that worked before, ideally I also do not see error messages in dmesg.

@Gerenuk commented on GitHub (Jul 13, 2023): Usually I have a script which downloads the new binary from Mozilla and puts it into /opt/Firefox. I'm using Manjaro Linux, but not their Firefox package. Using the first line `/opt/Firefox/update.test rw,` would give `dmesg` message ``` audit: type=1400 audit: apparmor="DENIED" operation="mkdir" class="file" profile="firejail-default" name="/opt/Firefox/updates/" pid=1529 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 ``` and an error in Firefox when it tries to update. Using the second line `/opt/Firefox/** rw,` makes Firefox update successfully, but weirdly I still get another dmesg error message ``` audit: type=1400 audit: apparmor="DENIED" operation="mkdir" class="file" profile="firejail-default" name="/opt/update.test/" pid=1531 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 ``` Of course I would prefer to add such custom modification to `~/.config/firejail/...` somehow instead of `/etc`. I'm actually not sure if I want Firefox to automatically update itself, but I definitely want Firefox to tell me about new updates. And while that worked before, ideally I also do not see error messages in `dmesg`.

gitea-mirror commented

2026-05-05 09:45:14 -06:00

Author

Owner

@ghost commented on GitHub (Jul 13, 2023):

Using the second line /opt/Firefox/** rw, makes Firefox update successfully, but weirdly I still get another dmesg error message
audit: type=1400 audit: apparmor="DENIED" operation="mkdir" class="file" profile="firejail-default" name="/opt/update.test/" pid=1531 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

The error message shows that your Firefox tries to create /opt/update.test/, which isn't covered by the new /opt/Firefox/** rw, rule. So you'll have to allow that too:

/opt/update.test rw,
/opt/Firefox/** rw,
/opt/update.test/** rw,

Of course I would prefer to add such custom modification to ~/.config/firejail/... somehow instead of /etc.

That's not possible. Apparmor only accepts such overrides from /etc/apparmor.d/local/firefox-default, which expands /etc/apparmor.d/firejail-default automatically. If you install Firejail via pacman from Manjaro's repositories these customizations will survive future Firejail upgrades via the backup configuration.

Please test these rules again and report back. You can use Firefox' internal configuration to only have it show you available updates without automatically installing those. If you could implement this 'new Firefox upgrade available' logic into your shell script it would simplify things.

@ghost commented on GitHub (Jul 13, 2023): > Using the second line /opt/Firefox/** rw, makes Firefox update successfully, but weirdly I still get another dmesg error message audit: type=1400 audit: apparmor="DENIED" operation="mkdir" class="file" profile="firejail-default" name="/opt/update.test/" pid=1531 comm="firefox-bin" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 The error message shows that your Firefox tries to create `/opt/update.test/`, which isn't covered by the new `/opt/Firefox/** rw,` rule. So you'll have to allow that too: ``` /opt/update.test rw, /opt/Firefox/** rw, /opt/update.test/** rw, ``` > Of course I would prefer to add such custom modification to ~/.config/firejail/... somehow instead of /etc. That's not possible. Apparmor only accepts such overrides from `/etc/apparmor.d/local/firefox-default`, which expands `/etc/apparmor.d/firejail-default` automatically. If you install Firejail via pacman from Manjaro's repositories these customizations will survive future Firejail upgrades via the [backup](https://gitlab.archlinux.org/archlinux/packaging/packages/firejail/-/blob/main/PKGBUILD#L15) configuration. Please test these rules again and report back. You can use Firefox' internal configuration to only have it show you available updates without automatically installing those. If you could implement this 'new Firefox upgrade available' logic into your shell script it would simplify things.

gitea-mirror commented

2026-05-05 09:45:15 -06:00

Author

Owner

@Gerenuk commented on GitHub (Jul 14, 2023):

With these 3 lines there are no more dmesg audit messages anymore. Thanks! I know how to reconfigure things now.
I'll will probably set Firefox to check for updates, but not perform them. And I'll play with these 3 lines to remove all dmesg audit messages.

I think it would be better to not allow the whole Firefox directory, as it's the whole point of security to restrict access.

@Gerenuk commented on GitHub (Jul 14, 2023): With these 3 lines there are no more dmesg audit messages anymore. Thanks! I know how to reconfigure things now. I'll will probably set Firefox to check for updates, but not perform them. And I'll play with these 3 lines to remove all dmesg audit messages. I think it would be better to not allow the whole Firefox directory, as it's the whole point of security to restrict access.