firefox-esr weird installation logs

Hello everyone,

I installed firefox-esr via apt on the latest version of Whonix and just noticed weird installation logs … is it safe?

Setting up libjsoncpp1:amd64 (1.7.4-3) …
Setting up firefox-esr (68.7.0esr-1~deb10u1) …
Processing triggers for mime-support (3.62) …
Processing triggers for hicolor-icon-theme (0.17-2) …
Processing triggers for libc-bin (2.28-10) …
Processing triggers for man-db (2.8.5-2) …
Processing triggers for desktop-file-utils (0.23-4) …

+ shopt -s nullglob
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub
+ source /etc/default/grub
++ GRUB_DEFAULT=0
++ GRUB_TIMEOUT=5
+++ lsb_release -i -s
++ GRUB_DISTRIBUTOR=Debian
++ GRUB_CMDLINE_LINUX_DEFAULT=quiet
++ GRUB_CMDLINE_LINUX=
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_screen_resolution.cfg
+ source /etc/default/grub.d/30_screen_resolution.cfg
++ GRUB_GFXPAYLOAD_LINUX=1024x768
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_whonix.cfg
+ source /etc/default/grub.d/30_whonix.cfg
++ GRUB_DISTRIBUTOR=Whonix
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/30_whonix-workstation.cfg
+ source /etc/default/grub.d/30_whonix-workstation.cfg
++ GRUB_DISTRIBUTOR='Whonix-Workstation ™'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_cpu_mitigations.cfg
+ source /etc/default/grub.d/40_cpu_mitigations.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_distrust_cpu.cfg
+ source /etc/default/grub.d/40_distrust_cpu.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_enable_iommu.cfg
+ source /etc/default/grub.d/40_enable_iommu.cfg
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/40_kernel_hardening.cfg
+ source /etc/default/grub.d/40_kernel_hardening.cfg
+++ dpkg --print-architecture
++ kpkg=linux-image-amd64
+++ dpkg-query --show '--showformat=${Version}' linux-image-amd64
++ kver=4.19+105+deb10u3
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge'
++ dpkg --compare-versions 4.19+105+deb10u3 ge 5.3
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP'
++ command -v qubesdb-read
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on'
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none'
++ dpkg --compare-versions 4.19+105+deb10u3 ge 5.2
++ GRUB_CMDLINE_LINUX=' spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full,nosmt mds=full,nosmt l1tf=full,force nosmt=force kvm.nx_huge_pages=force random.trust_cpu=off intel_iommu=on amd_iommu=on efi=disable_early_pci_dma slab_nomerge slub_debug=FZP page_poison=1 mce=0 pti=on vsyscall=none extra_latent_entropy'
+ for config_file in /etc/default/grub /etc/default/grub.d/*.cfg
+ test -f /etc/default/grub.d/init-select.cfg
+ source /etc/default/grub.d/init-select.cfg
+ for file_name in /boot/vmlinuz-*
+ base_name=vmlinuz-4.19.0-8-amd64
+ search=vmlinuz-
+ replace=
++ echo vmlinuz-4.19.0-8-amd64
++ str_replace vmlinuz- ''
+ version=4.19.0-8-amd64
+ unset search
+ unset replace
+ break
+ '[' 4.19.0-8-amd64 = '' ']'
+ real_grub_cfg=/boot/grub/grub.cfg
+ file_replace=/boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg
+ cp /boot/grub/grub.cfg /boot/grub/grub.cfg.temp
+ test -w /boot/grub/grub.cfg.temp
+ search=' GNU/Linux'
+ replace=
+ str_replace ' GNU/Linux' '' /boot/grub/grub.cfg.temp
+ search=', with Linux 4.19.0-8-amd64'
+ replace=
+ str_replace ', with Linux 4.19.0-8-amd64' '' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Whonix-Workstation ™'\'''
+ replace='menuentry '\''PERSISTENT mode USER (For daily activities.)'\'''
+ str_replace 'menuentry '\''Whonix-Workstation ™'\''' 'menuentry '\''PERSISTENT mode USER (For daily activities.)'\''' /boot/grub/grub.cfg.temp
+ search='menuentry '\''Whonix-Workstation ™ (recovery mode)'\'''
+ replace='menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\'''
+ str_replace 'menuentry '\''Whonix-Workstation ™ (recovery mode)'\''' 'menuentry '\''Recovery PERSISTENT mode SUPERADMIN (Be very cautious!)'\''' /boot/grub/grub.cfg.temp
+ test -x /usr/bin/grub-script-check
+ /usr/bin/grub-script-check /boot/grub/grub.cfg.temp
+ cp /boot/grub/grub.cfg.temp /boot/grub/grub.cfg
+ exit 0

Log seems truncated.

Something enables sh xtrace (set -x) during update-grub. That’s certainly too verbose log output. Usability issue, yes, as proven by this forum thread. But security issue, no.

set -x might for example be set here:

  • /etc/default/grub file
  • /etc/default/grub.d folder
  • /etc/grub.d folder
  • /usr/sbin/grub-mkconfig script
  • /usr/sbin/update-grub

To debug:

sudo sh -x /usr/sbin/grub-mkconfig

and post output here.

Using apparmor-profile-everything? That has a set -x.

Also Bug Reports, Software Development and Feature Requests applies.

Script https://github.com/Whonix/apparmor-profile-everything/blob/master/usr/lib/apparmor-profile-everything/grub-cfg#L3 is still in debugging mode.
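
An added example, not part of the original thread and not Whonix code: a shell function that scans the locations listed in the reply for a statement that enables xtrace (`set -x`, `set -ex`, `set -o xtrace`, or a shebang carrying `-x`), skipping commented-out lines. The names `find_xtrace` and `GRUB_XTRACE_PATHS` are assumptions made for this example, and GNU grep is assumed.

```sh
#!/bin/sh
# Added example: find which grub-related file turns on shell xtrace.

# Files and folders named in the thread (space-separated list).
GRUB_XTRACE_PATHS="/etc/default/grub /etc/default/grub.d /etc/grub.d /usr/sbin/grub-mkconfig /usr/sbin/update-grub"

# find_xtrace PATH...
# Prints "file:line:text" for every non-comment line that enables xtrace.
# Missing paths are skipped. Returns 0 if anything matched, 1 otherwise.
find_xtrace() {
    fx_found=1
    for fx_path in "$@"; do
        [ -e "$fx_path" ] || continue
        # -r: descend into folders, -I: skip binaries, -H/-n: file and line.
        # Pattern 1: "set -x", "set -ex", "set -o xtrace" outside a comment;
        #            "unset -x" and "set +x" do not match.
        # Pattern 2: an interpreter line such as "#!/bin/sh -x".
        if grep -rIHnE \
            -e '^([^#]*[^[:alnum:]_#-])?set[[:space:]]+(-[a-zA-Z]*x[a-zA-Z]*|-o[[:space:]]+xtrace)([^[:alnum:]_]|$)' \
            -e '^#![^[:space:]]*sh[[:space:]]+-[a-zA-Z]*x' \
            -- "$fx_path"; then
            fx_found=0
        fi
    done
    return "$fx_found"
}

# Scan the real locations only when asked to: sh find_xtrace.sh --scan
if [ "${1:-}" = "--scan" ]; then
    # Unquoted on purpose: the variable holds a space-separated list.
    find_xtrace $GRUB_XTRACE_PATHS
fi
```

A hit inside a file owned by a package can be traced back to that package with `dpkg -S <file>`.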