Firefox no write access to /media although interface present

Last-one · June 24, 2021, 8:25pm

Disk mount point is in /media tree. Mount point owner changed to user who starts Firefox snap.
It was verified also that all processes started as Firefox snap run under same user.
Downloads from web sides visited using Firefox can’t be stored to mentioned disk with mount point in /media tree although snap connections firefox command output
presents firefox:removable-media in column plug yet :removable-media in column slot - for command output line removable-media. This is connection is established automatically at system start.
It doesn’t help to disconnect Firefox from removable-media slot then reconnect it manually.
No problems to save downloaded files to home directory.

Which configuration might we still miss?

Firefox snap 89.0.2-1
Manjaro 21.0 XFCE

ogra · June 25, 2021, 8:26am

was it also verified that the user can actually store files from a graphical application … i.e. a file manager … on that device ?

Last-one · June 25, 2021, 2:38pm

You’re right myself missed this detail. Sorry for that.
Yes, user can store download to home subfolder named Downloads then copy it to addressed sub-directory of /media using operating system GUI file explorer.

Mountpoint access flags: 755.

Coeur-Noir · June 26, 2021, 1:34am

From Firefox how do you specify the final location for your download ?

Is this something like → Personal Folder → place of your choice ?

Or the real « full path » to final location ? Then something like → Computer → media → mountpoint → place of your choice ?

oSoMoN · June 28, 2021, 10:48am

What error does firefox display when it fails to write to that location under /media ?
Can you check for apparmor denials in the system journal when that happens? (you can run journalctl -f | grep DEN in a terminal while reproducing the problem, and share the relevant output here)

Last-one · June 28, 2021, 10:43pm

User encounters presented problem regardless which favor of Download settings or favor of download proceeding is used. In both areas addressed is only storing to disk file, never opening in document viewer.

Last-one · June 28, 2021, 10:45pm

Something like “you are not rights to save to that location” or similar sounding (sorry I didn’t memorized exact text flow). Journal will be checked for apparmor logs at next nearest occasion - thanks for the hint. Reporting will follow.

Last-one · July 10, 2021, 12:44pm

Thanks for proposal.

Error displayed by Firefox: “The file could not be saved because you dont have the proper permissions. Choose another save directory.”

Firefox snap has strict confinement - snap maintainer default confinement. I wonder why enabled interface to removable-media does not help to overcome that confinement.

jul 10 14:15:48 maccinu audit[4185]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=4185 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jul 10 14:15:48 maccinu kernel: audit: type=1400 audit(1625919348.114:261): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=4185 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jul 10 14:15:48 maccinu audit[4185]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=4185 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jul 10 14:15:48 maccinu kernel: audit: type=1400 audit(1625919348.118:262): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=4185 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jul 10 14:15:48 maccinu audit[4185]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=4185 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jul 10 14:15:48 maccinu kernel: audit: type=1400 audit(1625919348.261:266): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=4185 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Alternatively, if to mount Virtual Box host share to some /media subtree - user is in group vboxsf, latter one rwx rights to mount point. Firefox snap processes/threads run as that user.

jul 10 14:11:42 maccinu audit[3631]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=3631 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jul 10 14:11:42 maccinu audit[3631]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=3631 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jul 10 14:11:42 maccinu kernel: audit: type=1400 audit(1625919102.418:238): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/etc/fstab" pid=3631 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jul 10 14:11:42 maccinu kernel: audit: type=1400 audit(1625919102.418:239): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=3631 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jul 10 14:11:42 maccinu audit[3631]: AVC apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=3631 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
jul 10 14:11:42 maccinu kernel: audit: type=1400 audit(1625919102.548:240): apparmor="DENIED" operation="open" profile="snap.firefox.firefox" name="/run/mount/utab" pid=3631 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I course of troubleshooting administrator teared down once the automatic connection firefox snap to removable-media plug. It was made in order to see if there is any difference if interface is built manually. Afterwards one can have manual setup of interface or no interface. Automatic interface setup is no more working. How to restore automatic interface setup?

ogra · July 10, 2021, 1:21pm

See the description of the --forget switch in:
snap disconnect --help

Last-one · July 10, 2021, 1:33pm

Thanks for try. Unfortunately, results in interface not alive.

Coeur-Noir · July 17, 2021, 11:11pm

So your target folder for downloading things from Firefox is somewhere under /media ?

When Firefox as snap is launched by user toto, the target folder for downloads should be owned by user toto with rwx rights or at least be owned by a group including toto with rwx rights.

Hence
ls -la /media/target/folder
If target folder belongs to someone different than the launched Firefox’s user → access denied.

Last-one · July 31, 2021, 10:16pm

Answered in post

Also, nothing bad in presented Apparmor log? Hard for me to interpret Firefox snap DENIEDs.

Coeur-Noir · August 1, 2021, 11:48am

ls -la /media

and

ls -la /media/target/folder

to check contents, permissions and rights on these locations, please.
Something may be wrong on this side and not on snap-firefox side.

Maybe re-do something like

snap connect firefox:removable-media

to ensure this interface is connected ?