Stopping apparmor blocking firefox from reading local files in /var/www/

After a recent OS upgrade I was trying to upload a patch to an issue on drupal.org and encountered a strange error message.

It was very similar to this one on a vanilla Drupal 7 install:

Looking in my browser's developer tools it looked a lot like the browser was attempting the upload but actually sending 0 bytes:

The Request tab also said: "No payload for this request".

Uploading the same patch worked fine from a different browser, and in fact if I moved the patch file to a different location it also worked fine.

Trying to load the file up directly in the browser using the file:// scheme confirmed that access was being denied - it looked something like this:

This was despite the fact that my user - the one the browser was running as - definitely had read access to the patch file and the directory it was within.

Eventually I figured out that apparmor was blocking firefox from opening the patch file. Looking at the journal logs for firefox I could see entries like this:

$ journalctl | grep 'firefox.*/var/www'
 
Nov 08 10:34:45 hostname audit[599363]: AVC apparmor="DENIED" operation="open" profile="firefox" name="/var/www/drupal-7.x/3319435-5.patch" pid=599363 comm=537...034 requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

It turns our that newer versions of Ubuntu ship with an apparmor profile enabled for firefox that seems to block opening files within the /var directory.

I'd decided to put my development codebases in /var/www but apparently apparmor was not going to allow firefox to access files from there, which would be a bit annoying when it comes to uploading patches and similar activities.

As usual, knowing was... actually most of the battle and it wasn't hard to add a tweak to the apparmor profile which has resolved the problem. Something like:

/etc/apparmor.d$ cat local/usr.bin.firefox 
# Site-specific additions and overrides for usr.bin.firefox.
# For more details, please see /etc/apparmor.d/local/README.
 
# mcdruid: allow reading of files in locally hosted websites
/var/www/** r,

After reloading the apparmor profile, I can now open up files within /var/www directly in firefox, and more importantly uploading things like patches from my development docroot works okay again.

Note that I don't have firefox installed as a snap, it's an apt package but it's possible you could end up with a very similar problem if you're using the snap which is confined / sandboxed. I'm not sure the same solution would be appropriate in that case though.

I should probably file an issue for Drupal about the weird behaviour when a browser unexpectedly ends up sending a 0 byte payload for a file upload.