Hi, I've been trying to create AppArmor profiles for a few apps, but when I set the Firefox profile to complain mode it caused a GTK warning and crashes when I try to save something (Ctrl+S, which should show the Firefox file manager) -
there are no errors when the profile is disabled. I tried the default Firefox profile and one generated by aa-easyprof:
aa-easyprof /usr/lib/firefox/firefox
# vim:syntax=apparmor
# AppArmor policy for firefox
# ###AUTHOR###
# ###COPYRIGHT###
# ###COMMENT###
#include <tunables/global>
# No template variables specified
"/usr/lib/firefox/firefox" {
#include <abstractions/base>
# No abstractions specified
# No policy groups specified
# No read paths specified
# No write paths specified
}
Why is setting the profile to complain mode even changing the behavior of the application?
It works fine with the Brave browser profile in complain mode.
I also tried making a LibreWolf profile (based on one I've made and which worked) but it outputs a similar error.
plasma-desktop
kernel: 6.17.5-arch1-1
kernel has command line options lsm=landlock,lockdown,yama,integrity,apparmor,bpf
apparmor enabled
auditd enabled
system updated
(and reinstalled - it didn't help)
/usr/lib/firefox/firefox:
[GFX1-]: More than 2 GPUs detected via PCI, secondary GPU is arbitrary
[Parent 104676, Main Thread] WARNING: Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.: 'glib warning', file /usr/src/debug/firefox/firefox-144.0/toolkit/xre/nsSigHandlers.cpp:201
(firefox:104676): Gtk-WARNING **: 16:17:39.035: Could not load a pixbuf from icon theme.
This may indicate that pixbuf loaders or the mime database could not be found.
**
Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Adwaita/scalable/status/image-missing.svg: Loader process exited early with status '1'Command:
"bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1001" "--symlink" "/usr/lib" "/lib" "--symlink" "/usr/lib" "/lib64" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/user/.cache/fontconfig" "/home/user/.cache/fontconfig" "--ro-bind-try" "/var/cache/fontconfig" "/var/cache/fontconfig" "--bind-try" "/home/user/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "/home/user/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/user/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--seccomp" "144" "/usr/lib/glycin-loaders/2+/glycin-svg" "--dbus-fd" "143" (gdk-pixbuf-error-quark, 0)
Bail out! Gtk:ERROR:../gtk/gtk/gtkiconhelper.c:495:ensure_surface_for_gicon: assertion failed (error == NULL): Failed to load /usr/share/icons/Adwaita/scalable/status/image-missing.svg: Loader process exited early with status '1'Command: "bwrap" "--unshare-all" "--die-with-parent" "--chdir" "/" "--ro-bind" "/usr" "/usr" "--dev" "/dev" "--ro-bind-try" "/etc/ld.so.cache" "/etc/ld.so.cache" "--ro-bind-try" "/nix/store" "/nix/store" "--tmpfs" "/tmp-home" "--tmpfs" "/tmp-run" "--clearenv" "--setenv" "HOME" "/tmp-home" "--setenv" "XDG_RUNTIME_DIR" "/tmp-run" "--setenv" "XDG_RUNTIME_DIR" "/run/user/1001" "--symlink" "/usr/lib" "/lib" "--symlink" "/usr/lib" "/lib64" "--ro-bind-try" "/etc/fonts/conf.d" "/etc/fonts/conf.d" "--ro-bind-try" "/etc/fonts/fonts.conf" "/etc/fonts/fonts.conf" "--ro-bind-try" "/home/user/.cache/fontconfig" "/home/user/.cache/fontconfig" "--ro-bind-try" "/var/cache/fontconfig" "/var/cache/fontconfig" "--bind-try" "/home/user/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "/home/user/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--setenv" "XDG_CACHE_HOME" "/home/user/.cache/glycin/usr/lib/glycin-loaders/2+/glycin-svg" "--seccomp" "144" "/usr/lib/glycin-loaders/2+/glycin-svg" "--dbus-fd" "143" (gdk-pixbuf-error-quark, 0)
Redirecting call to abort() to mozalloc_abort
ExceptionHandler::GenerateDump attempting to generate:/home/user/.mozilla/firefox/4yejqjb6.default-release/minidumps/49e8a26b-88ea-b638-506c-1c000a357854.dmp
ExceptionHandler::GenerateDump cloned child 105123
ExceptionHandler::SendContinueSignalToChild sent continue signal to child
ExceptionHandler::WaitForContinueSignal waiting for continue signal...
ExceptionHandler::GenerateDump minidump generation succeeded
Exiting due to channel error.
Exiting due to channel error.
[user@test ~]$
(process:105124): Gtk-CRITICAL **: 16:17:40.313: gtk_window_set_default_icon: assertion 'GDK_IS_PIXBUF (icon)' failed
(crashreporter:105124): Gtk-WARNING **: 16:17:40.351: Could not load a pixbuf from /org/gtk/libgtk/theme/Adwaita/assets/check-symbolic.svg.
This may indicate that pixbuf loaders or the mime database could not be found.
(crashreporter:105124): GLib-GObject-CRITICAL **: 16:17:42.448: g_object_unref: assertion 'G_IS_OBJECT (object)' failed
aa-status:
apparmor module is loaded.
168 profiles are loaded.
78 profiles are in enforce mode.
/usr/lib/apache2/mpm-prefork/apache2
/usr/lib/apache2/mpm-prefork/apache2//DEFAULT_URI
/usr/lib/apache2/mpm-prefork/apache2//HANDLING_UNTRUSTED_INPUT
/usr/lib/apache2/mpm-prefork/apache2//phpsysinfo
apache2
apache2//DEFAULT_URI
apache2//HANDLING_UNTRUSTED_INPUT
apache2//phpsysinfo
avahi-daemon
dnsmasq
dnsmasq//libvirt_leaseshelper
dovecot
dovecot-anvil
dovecot-auth
dovecot-config
dovecot-deliver
dovecot-dict
dovecot-director
dovecot-doveadm-server
dovecot-dovecot-auth
dovecot-dovecot-lda
dovecot-dovecot-lda//sendmail
dovecot-imap
dovecot-imap-login
dovecot-lmtp
dovecot-log
dovecot-managesieve
dovecot-managesieve-login
dovecot-pop3
dovecot-pop3-login
dovecot-replicator
dovecot-script-login
dovecot-ssl-params
dovecot-stats
identd
klogd
lsb_release
mdnsd
nmbd
nscd
ntpd
nvidia_modprobe
nvidia_modprobe//kmod
php-fpm
ping
plasmashell
plasmashell//QtWebEngineProcess
samba-bgqd
samba-dcerpcd
samba-rpcd
samba-rpcd-classic
samba-rpcd-spoolss
sbuild
sbuild-abort
sbuild-adduser
sbuild-apt
sbuild-checkpackages
sbuild-clean
sbuild-createchroot
sbuild-destroychroot
sbuild-distupgrade
sbuild-hold
sbuild-shell
sbuild-unhold
sbuild-update
sbuild-upgrade
smbd
smbldap-useradd
smbldap-useradd///etc/init.d/nscd
syslog-ng
syslogd
traceroute
unix-chkpwd
unprivileged_userns
winbindd
zgrep
zgrep//helper
zgrep//sed
13 profiles are in complain mode.
/usr/lib/librewolf/librewolf
Xorg
firefox
firefox//null-/usr/bin/bwrap
firefox//null-/usr/lib/firefox/crashhelper
firefox//null-/usr/lib/firefox/firefox
firefox//null-/usr/lib/firefox/glxtest
firefox//null-/usr/lib/firefox/pingsender
firefox//null-/usr/lib/firefox/vaapitest
transmission-cli
transmission-daemon
transmission-gtk
transmission-qt
0 profiles are in prompt mode.
0 profiles are in kill mode.
77 profiles are in unconfined mode.
1password
Discord
MongoDB Compass
QtWebEngineProcess
balena-etcher
brave
buildah
busybox
cam
ch-checkns
ch-run
chrome
chromium
crun
devhelp
element-desktop
epiphany
evolution
flatpak
foliate
geary
github-desktop
goldendict
ipa_verify
kchmviewer
keybase
lc-compliance
libcamerify
linux-sandbox
loupe
lxc-attach
lxc-create
lxc-destroy
lxc-execute
lxc-stop
lxc-unshare
lxc-usernsexec
mmdebstrap
msedge
nautilus
notepadqq
obsidian
opam
opera
pageedit
podman
polypane
privacybrowser
qcam
qmapshack
qutebrowser
rootlesskit
rpm
rssguard
runc
scide
signal-desktop
slack
slirp4netns
steam
stress-ng
surfshark
systemd-coredump
thunderbird
toybox
trinity
tup
tuxedo-control-center
userbindmount
uwsgi-core
vdens
virtiofsd
vivaldi-bin
vpnns
vscode
wike
wpcom
21 processes have profiles defined.
2 processes are in enforce mode.
/usr/bin/plasmashell (1720) plasmashell
/usr/bin/plasmashell (58412) plasmashell
1 processes are in complain mode.
/usr/lib/librewolf/librewolf (77153)
0 processes are in prompt mode.
0 processes are in kill mode.
18 processes are unconfined but have a profile defined.
/usr/lib/librewolf/librewolf (77208)
/usr/lib/librewolf/librewolf (77264)
/usr/lib/librewolf/librewolf (77312)
/usr/lib/librewolf/librewolf (77322)
/usr/lib/librewolf/librewolf (77410)
/usr/lib/librewolf/librewolf (77484)
/usr/lib/librewolf/librewolf (77537)
/usr/lib/librewolf/librewolf (79600)
/usr/lib/librewolf/librewolf (79979)
/usr/lib/librewolf/librewolf (80940)
/usr/lib/librewolf/librewolf (81881)
/usr/lib/librewolf/librewolf (82185)
/usr/lib/librewolf/librewolf (83333)
/usr/lib/librewolf/librewolf (90400)
/usr/lib/librewolf/librewolf (90657)
/usr/lib/librewolf/librewolf (90715)
/usr/lib/librewolf/librewolf (91926)
/usr/lib/librewolf/librewolf (92116)
0 processes are in mixed mode.
journalctl (fragment, after Firefox crash)
Oct 26 16:21:38 test auditd[32444]: Audit daemon rotating log files
Oct 26 16:21:42 test systemd[1]: Starting Time & Date Service...
Oct 26 16:21:42 test systemd[1]: Started Time & Date Service.
Oct 26 16:21:42 test auditd[32444]: Audit daemon rotating log files
Oct 26 16:21:42 test rtkit-daemon[1509]: Supervising 14 threads of 7 processes of 2 users.
Oct 26 16:21:42 test rtkit-daemon[1509]: Supervising 14 threads of 7 processes of 2 users.
Oct 26 16:21:42 test rtkit-daemon[1509]: Supervising 14 threads of 7 processes of 2 users.
Oct 26 16:21:42 test rtkit-daemon[1509]: Supervising 14 threads of 7 processes of 2 users.
Oct 26 16:21:42 test rtkit-daemon[1509]: Successfully made thread 107784 of process 107546 owned by '1001' RT at priority 10.
Oct 26 16:21:42 test rtkit-daemon[1509]: Supervising 15 threads of 8 processes of 2 users.
Oct 26 16:21:43 test rtkit-daemon[1509]: Supervising 15 threads of 8 processes of 2 users.
Oct 26 16:21:43 test rtkit-daemon[1509]: Supervising 15 threads of 8 processes of 2 users.
Oct 26 16:21:43 test auditd[32444]: Audit daemon rotating log files
Oct 26 16:21:43 test auditd[32444]: Audit daemon rotating log files
also
Oct 26 16:18:43 test kernel: audit: audit_backlog=16000 > audit_backlog_limit=16000
Oct 26 16:18:43 test kernel: audit: audit_lost=10630 audit_rate_limit=0 audit_backlog_limit=16000
Oct 26 16:18:43 test kernel: audit: backlog limit exceeded
I mostly followed the Arch Wiki when setting up AppArmor, so I'm still a newbie.
Last edited by out_of_memory (2025-10-31 13:02:02)
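A way to read the two outputs quoted in the post above, added here as an example and not part of the original post: the `//null-` entries in aa-status are the learning profiles AppArmor creates when a process under a complain-mode profile executes a binary that the profile has no exec rule for, and a non-zero `audit_lost` means some of the logged accesses never reached the audit log. The sample text is constructed in the layout of the quoted output, and the function names are this example's own.

```python
import re

# Constructed sample: trimmed lines in the layout of the aa-status and kernel
# audit output quoted in the post (not the full listing).
AA_STATUS = """\
apparmor module is loaded.
1 profiles are in enforce mode.
   plasmashell
3 profiles are in complain mode.
   firefox
   firefox//null-/usr/bin/bwrap
   firefox//null-/usr/lib/firefox/glxtest
1 profiles are in unconfined mode.
   1password
1 processes are in complain mode.
   /usr/lib/librewolf/librewolf (77153)
"""
KERNEL_LOG = """\
Oct 26 16:18:43 test kernel: audit: audit_lost=10630 audit_rate_limit=0 audit_backlog_limit=16000
"""

MODE_HEADER = re.compile(r"^\d+ profiles are in (\w+) mode\.$")
OTHER_HEADER = re.compile(r"^(\d+ (profiles|processes) |apparmor module )")

def learning_transitions(aa_status_text):
    """Map parent profile -> [(executable, mode)] for every auto-created
    `parent//null-<path>` entry in the per-mode profile listings."""
    found, mode = {}, None
    for raw in aa_status_text.splitlines():
        line = raw.strip()
        header = MODE_HEADER.match(line)
        if header:
            mode = header.group(1)
        elif OTHER_HEADER.match(line):
            mode = None  # summary or process section, not a profile list
        elif mode and "//null-" in line:
            parent, _, exe = line.partition("//null-")
            found.setdefault(parent, []).append((exe, mode))
    return found

def audit_events_lost(kernel_log_text):
    """Largest audit_lost counter seen; non-zero means the audit log has gaps."""
    counts = [int(n) for n in re.findall(r"\baudit_lost=(\d+)", kernel_log_text)]
    return max(counts, default=0)

if __name__ == "__main__":
    print(learning_transitions(AA_STATUS))
    print("audit events lost:", audit_events_lost(KERNEL_LOG))
```

Each executable it reports is a helper that ran under a `null-` profile instead of a rule written for it, so those are the exec transitions to decide on in the parent profile.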
Thanks, after installing gdk-pixbuf2-noglycin, Firefox (and LibreWolf) works in complain and enforce mode; there are no GDK or bubblewrap errors.
Also,
sysctl -a | grep apparmor
returns
kernel.apparmor_display_secid_mode = 0
kernel.apparmor_restrict_unprivileged_unconfined = 0
kernel.unprivileged_userns_apparmor_policy = 1
so that's probably why bubblewrap didn't start - but bwrap-suid didn't solve this error
Please always remember to mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Probably migrate away from software that uses gdk-pixbuf2