The mystery of Firefox freezing on Ubuntu 15.10 solved
Summary: Some kind of conflict with the AppArmor profile I was using for Firefox.
Today I upgraded my laptop from Ubuntu 15.04 to 15.10, and Firefox stopped working properly. When hitting certain web sites such as twitter.com and youtube.com it would grey screen and lock Firefox completely. I tried installing a newer version of Firefox - same problem. I then installed an even newer version of Firefox, the developer version with Electrolysis enabled which is supposed to sandbox tabs - same problem.
I got rid of all extensions and bookmarks and tried deleting the .mozilla directory and hence getting a pristine Firefox - still same problem.
So I did what any sane man would do, I downloaded and installed a virtual machine and installed a separate instance of Ubuntu 15.10 on that, and now the problem was gone.
So what on earth was the difference between my laptop and the virtual machine? And then it struck me - AppArmor. AppArmor can make sure that an application doesn't read or write files outside of certain constraints. And pretty much everything is a file on Linux. Somehow the AppArmor profile I had for my Firefox constrained the versions of Firefox on Ubuntu 15.10 in such a way as to make Firefox grey screen and hang, with a minimum of CPU usage. Whatever it blocked would show up as a denied-access entry in the kernel log, which is the place to confirm this.
Or, there is a new exploit that AppArmor blocked which I am now vulnerable to after having removed the Firefox AppArmor profile (probably not likely). Here is the AppArmor profile BTW:
(update: I now enabled the very same AppArmor profile on the virtual machine, and Firefox still works. The mystery is hence not solved just, ehrrum, resolved)
# vim:syntax=apparmor
# Author: Jamie Strandboge <jamie@canonical.com>
#
# AppArmor profile for the Firefox binary. Permission letters used below:
#   r/w read/write, m mmap as executable, k file locking, x execute;
#   ix inherit this profile, Cx -> run under the named child profile,
#   Ux run unconfined (the environment is scrubbed, see the note near the
#   Ux rules), 'owner' restricts the rule to files owned by the calling user.
# 'deny' rules take precedence over any matching allow rule and, unlike an
# implicit denial, do not produce a log entry (that is what the "noisy"
# comments below refer to).
# When an access is blocked the kernel logs an apparmor="DENIED" line
# (dmesg / syslog / audit.log); to diagnose an application that hangs under
# this profile, look there first, or switch the profile to complain mode
# (aa-complain) so violations are logged without being enforced.

# Declare an apparmor variable to help with overrides
@{MOZ_LIBDIR}=/usr/lib/firefox

#include <tunables/global>

# We want to confine the binaries that match:
#  /usr/lib/firefox/firefox
#  /usr/lib/firefox/firefox
# but not:
#  /usr/lib/firefox/firefox.sh
# The glob below attaches to 'firefox' and to any 'firefox*' name that does
# not end in "sh", which is what excludes the wrapper script.
/usr/lib/firefox/firefox{,*[^s][^h]} {
  #include <abstractions/audio>
  #include <abstractions/cups-client>
  #include <abstractions/dbus-strict>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dconf>
  #include <abstractions/gnome>
  #include <abstractions/ibus>
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  #include <abstractions/p11-kit>
  #include <abstractions/ubuntu-unity7-base>
  #include <abstractions/ubuntu-unity7-launcher>

  # Accessibility (AT-SPI) over D-Bus.
  #include <abstractions/dbus-accessibility-strict>
  dbus (send)
       bus=session
       peer=(name=org.a11y.Bus),
  dbus (receive)
       bus=session
       interface=org.a11y.atspi**,
  dbus (receive, send)
       bus=accessibility,

  # for networking
  # Only TCP (stream) sockets are granted; no raw or datagram sockets.
  network inet stream,
  network inet6 stream,
  @{PROC}/[0-9]*/net/if_inet6 r,
  @{PROC}/[0-9]*/net/ipv6_route r,
  @{PROC}/[0-9]*/net/dev r,
  @{PROC}/[0-9]*/net/wireless r,
  dbus (send)
       bus=system
       path=/org/freedesktop/NetworkManager
       member=state,
  dbus (receive)
       bus=system
       path=/org/freedesktop/NetworkManager,

  # should maybe be in abstractions
  /etc/ r,
  /etc/mime.types r,
  /etc/mailcap r,
  /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
  /etc/xfce4/defaults.list r,
  /usr/share/xubuntu/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/defaults.list r,
  owner @{HOME}/.local/share/applications/mimeapps.list r,
  owner @{HOME}/.local/share/applications/mimeinfo.cache r,
  # 'm' only: the browser may map its own temp files executable but the
  # profile grants no 'w' on /tmp here.
  owner /tmp/** m,
  owner /var/tmp/** m,
  owner /{,var/}run/shm/shmfd-* rw,
  /tmp/.X[0-9]*-lock r,
  /etc/udev/udev.conf r,
  # Doesn't seem to be required, but noisy. Maybe allow 'r' for 'b*' if needed.
  # Possibly move to an abstraction if anything else needs it.
  deny /run/udev/data/** r,

  # let the shell know we launched something
  dbus (send)
       bus=session
       interface=org.gtk.gio.DesktopAppInfo
       member=Launched,

  /etc/timezone r,
  /etc/wildmidi/wildmidi.cfg r,

  # firefox specific
  /etc/firefox*/ r,
  /etc/firefox*/** r,
  /etc/xul-ext/** r,
  /etc/xulrunner-2.0*/ r,
  /etc/xulrunner-2.0*/** r,
  /etc/gre.d/ r,
  /etc/gre.d/* r,

  # noisy
  # Writes into the installation and addon directories are refused quietly;
  # the browser must not be able to modify its own code under this profile.
  deny @{MOZ_LIBDIR}/** w,
  deny /usr/lib/firefox-addons/** w,
  deny /usr/lib/xulrunner-addons/** w,
  deny /usr/lib/xulrunner-*/components/*.tmp w,
  deny /.suspended r,
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,
  deny /var/cache/fontconfig/ w,
  deny @{HOME}/.local/share/recently-used.xbel r,

  # TODO: investigate
  deny /usr/bin/gconftool-2 x,

  # These are needed when a new user starts firefox and firefox.sh is used
  # 'ixr': the helpers run under this same profile rather than unconfined.
  @{MOZ_LIBDIR}/** ixr,
  /usr/bin/basename ixr,
  /usr/bin/dirname ixr,
  /usr/bin/pwd ixr,
  /sbin/killall5 ixr,
  /bin/which ixr,
  /usr/bin/tr ixr,
  @{PROC}/ r,
  @{PROC}/[0-9]*/cmdline r,
  @{PROC}/[0-9]*/mountinfo r,
  @{PROC}/[0-9]*/stat r,
  owner @{PROC}/[0-9]*/task/[0-9]*/stat r,
  @{PROC}/[0-9]*/status r,
  @{PROC}/filesystems r,
  @{PROC}/sys/vm/overcommit_memory r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/platform/**/uevent r,
  /sys/devices/pci*/**/{busnum,idVendor,idProduct} r,
  owner @{HOME}/.cache/thumbnails/** rw,
  /etc/mtab r,
  /etc/fstab r,

  # Needed for the crash reporter
  # environ/auxv are limited to the user's own processes via 'owner'.
  owner @{PROC}/[0-9]*/environ r,
  owner @{PROC}/[0-9]*/auxv r,
  /etc/lsb-release r,
  /usr/bin/expr ix,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/** r,

  # about:memory
  owner @{PROC}/[0-9]*/statm r,
  owner @{PROC}/[0-9]*/smaps r,

  # Needed for container to work in xul builds
  /usr/lib/xulrunner-*/plugin-container ixr,

  # allow access to documentation and other files the user may want to look
  # at in /usr and /opt
  # Note this is read access to everything under /usr and /opt, not just docs.
  /usr/ r,
  /usr/** r,
  /opt/ r,
  /opt/** r,

  # so browsing directories works
  # Directory listings anywhere on the filesystem; file contents outside the
  # paths listed in this profile remain unreadable.
  / r,
  /**/ r,

  # Default profile allows downloads to ~/Downloads and uploads from ~/Public
  # 'rw' on Downloads/* covers existing files as well as newly created ones.
  owner @{HOME}/ r,
  owner @{HOME}/Public/ r,
  owner @{HOME}/Public/* r,
  owner @{HOME}/Downloads/ r,
  owner @{HOME}/Downloads/* rw,

  # per-user firefox configuration
  owner @{HOME}/.{firefox,mozilla}/ rw,
  owner @{HOME}/.{firefox,mozilla}/** rw,
  owner @{HOME}/.{firefox,mozilla}/**/*.{db,parentlock,sqlite}* k,
  # 'm': NPAPI plugins in the user's profile may be mapped executable.
  owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
  owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
  owner @{HOME}/.gnome2/firefox* rwk,
  owner @{HOME}/.cache/mozilla/{,firefox/} rw,
  owner @{HOME}/.cache/mozilla/firefox/** rw,
  owner @{HOME}/.cache/mozilla/firefox/**/*.sqlite k,
  owner @{HOME}/.config/gtk-3.0/bookmarks r,
  owner @{HOME}/.config/dconf/user w,
  owner /{,var/}run/user/*/dconf/user w,
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Server
       member=GetDefaultDatabase,
  dbus (send)
       bus=session
       path=/org/gnome/GConf/Database/*
       member={AddMatch,AddNotify,AllEntries,LookupExtended,RemoveNotify},

  #
  # Extensions
  # /usr/share/.../extensions/... is already covered by '/usr/** r', above.
  # Allow 'x' for downloaded extensions, but inherit policy for safety
  # Code dropped into the user's extensions directory can therefore be
  # executed, but only under this same profile ('ix'), never unconfined.
  owner @{HOME}/.mozilla/**/extensions/** mixr,
  deny @{MOZ_LIBDIR}/update.test w,
  deny /usr/lib/mozilla/extensions/**/ w,
  deny /usr/lib/xulrunner-addons/extensions/**/ w,
  deny /usr/share/mozilla/extensions/**/ w,
  deny /usr/share/mozilla/ w,

  # Miscellaneous (to be abstracted)
  # Ideally these would use a child profile. They are all ELF executables
  # so running with 'Ux', while not ideal, is ok because we will at least
  # benefit from glibc's secure execute.
  # These three run with no AppArmor confinement at all; keep the list short.
  /usr/bin/mkfifo Uxr, # investigate
  /bin/ps Uxr,
  /bin/uname Uxr,

  # lsb_release is a Python program, so it gets its own child profile
  # instead of 'Ux'.
  /usr/bin/lsb_release Cxr -> lsb_release,
  profile lsb_release {
    #include <abstractions/base>
    #include <abstractions/python>

    /usr/bin/lsb_release r,
    /bin/dash ixr,
    /usr/bin/dpkg-query ixr,
    /usr/include/python2.[4567]/pyconfig.h r,
    /etc/lsb-release r,
    /etc/debian_version r,
    /var/lib/dpkg/** r,
    /usr/local/lib/python3.[0-4]/dist-packages/ r,
    /usr/bin/ r,
    /usr/bin/python3.[0-4] r,

    # file_inherit
    deny /tmp/gtalkplugin.log w,
  }

  # Addons
  #include <abstractions/ubuntu-browsers.d/firefox>

  # Site-specific additions and overrides. See local/README for details.
  # Local rule additions belong in this include, not in the profile body,
  # so they survive package updates of the profile.
  #include <local/usr.bin.firefox>
}