apparmor denials on kernel symlinks in /

Bug #571761 reported by Jamie Strandboge
This bug affects 1 person
Affects: firefox (Ubuntu)
Status: Fix Released
Importance: Low
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: firefox

When browsing for files in firefox, if you navigate to '/', firefox has the following denials logged:

[11922.881131] type=1503 audit(1272554204.829:18): operation="open" pid=5216 parent=3463 profile="/usr/lib/firefox-3.6.3/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1001 ouid=0 name="/boot/initrd.img-2.6.32-21-generic"
[11922.918844] type=1503 audit(1272554204.865:19): operation="open" pid=5216 parent=3463 profile="/usr/lib/firefox-3.6.3/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1001 ouid=0 name="/boot/vmlinuz-2.6.32-21-generic"
[11923.151096] type=1503 audit(1272554205.097:20): operation="open" pid=5216 parent=3463 profile="/usr/lib/firefox-3.6.3/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1001 ouid=0 name="/boot/initrd.img-2.6.32-21-generic"
[11925.778066] type=1503 audit(1272554207.725:21): operation="open" pid=5217 parent=3463 profile="/usr/lib/firefox-3.6.3/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1001 ouid=0 name="/boot/vmlinuz-2.6.32-21-generic"

These should still be denied, but their logging suppressed:
  deny /boot/initrd.img* r,
  deny /boot/vmlinuz* r,

Tags: apparmor
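
An added example, not part of the original report or the Ubuntu firefox packaging: Python that parses denial lines like the four quoted in the description and derives the explicit deny rules that keep the access denied while suppressing its logging. The function names and the version-suffix globbing heuristic are assumptions of this example, and the sample input is copied from the report above.

```python
import re
from collections import defaultdict

# Sample input: the four denial lines from the bug description above.
SAMPLE_LOG = """\
[11922.881131] type=1503 audit(1272554204.829:18): operation="open" pid=5216 parent=3463 profile="/usr/lib/firefox-3.6.3/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1001 ouid=0 name="/boot/initrd.img-2.6.32-21-generic"
[11922.918844] type=1503 audit(1272554204.865:19): operation="open" pid=5216 parent=3463 profile="/usr/lib/firefox-3.6.3/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1001 ouid=0 name="/boot/vmlinuz-2.6.32-21-generic"
[11923.151096] type=1503 audit(1272554205.097:20): operation="open" pid=5216 parent=3463 profile="/usr/lib/firefox-3.6.3/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1001 ouid=0 name="/boot/initrd.img-2.6.32-21-generic"
[11925.778066] type=1503 audit(1272554207.725:21): operation="open" pid=5217 parent=3463 profile="/usr/lib/firefox-3.6.3/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1001 ouid=0 name="/boot/vmlinuz-2.6.32-21-generic"
"""

FIELD = re.compile(r'(\w+)="([^"]*)"')          # quoted key="value" pairs
# Heuristic (assumption): a trailing "-<digit>..." is a kernel version suffix.
VERSION_SUFFIX = re.compile(r'-\d[\w.\-+~]*$')


def parse_denial(line):
    """Return the quoted fields of a denial record, or None for other lines."""
    # type=1503 is the record type carried by the denial lines in this report.
    if "type=1503" not in line:
        return None
    fields = dict(FIELD.findall(line))
    if not fields.get("denied_mask") or "name" not in fields:
        return None
    return fields


def suggest_deny_rules(log_text):
    """Map each profile to a sorted list of deny rules covering its denials."""
    perms = defaultdict(set)                     # (profile, glob) -> letters
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec is None:
            continue
        glob = VERSION_SUFFIX.sub("*", rec["name"])
        # The mask appears as "::r" here; this example keeps only the letters.
        perms[(rec["profile"], glob)].update(rec["denied_mask"].replace(":", ""))
    rules = defaultdict(list)
    for (profile, glob), letters in sorted(perms.items()):
        rules[profile].append(f"deny {glob} {''.join(sorted(letters))},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_deny_rules(SAMPLE_LOG).items():
        print(f"# profile {profile}")
        print("\n".join("  " + rule for rule in lines))
```

Review each suggested rule before adding it to a profile, because an explicit deny takes precedence over any allow rule matching the same path.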
tags: added: apparmor
Changed in firefox (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Low
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Committed to head.

Changed in firefox (Ubuntu):
status: Triaged → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 3.6.4+build7+nobinonly-0ubuntu1

---------------
firefox (3.6.4+build7+nobinonly-0ubuntu1) maverick; urgency=low

  * New upstream release v3.6.4 (FIREFOX_3_6_4_BUILD7)

  [ Micah Gersten <email address hidden> ]
  * Rebase patch after upstream landing of Lorentz branch
    - update debian/patches/bz460917_att350845_reload_new_plugins.patch
  * Drop patch after upstream landing of (bmo: 544481) aka
    Build fails on Ubuntu Lucid Lynx using 'dash' shell
    - drop debian/patches/fix-build-glitch.patch
    - update debian/patches/series

  [ Jamie Strandboge <email address hidden> ]
  * AppArmor:
    - allow ixr access to /usr/lib/xulrunner-*/plugin-container for xul builds
    - finetune Adobe Reader access (LP: #570337)
    - silence noisy denial on /boot/vmlinuz* and /boot/initrd.img* caused by
      readlinking symlinks in / (LP: #571761)
    - allow 'm' for java's 'classes.jsa' file (LP: #574459)
    - transition to firefox_java on Sun's jre/bin/java_vm too (LP: #570128)
    - allow Uxr for gnome-codec-install (LP: #577097)

  [ Chris Coulson <email address hidden> ]
  * Rebase patches for 3.6.4 release
    - update debian/patches/firefox-kde.patch
    - update debian/patches/mozilla-kde.patch
    - update debian/patches/add_syspref_dir.patch
  * Build with --enable-ipc on amd64, i386 and armel. These are the only
    architectures where OOPP is supported. Build with --disable-ipc on all
    other architectures
    - update debian/rules
  * Fix LP: #513887 - Install the plugin-container binary for OOPP support
    when building with --enable-ipc
    - update debian/rules
  * Fix build failure with fontconfig 2.5
    - update debian/patches/lp512615_cairo_lcd_filter.patch
  * Fix LP: #469752 - KDE/Gnome startup notification not disappearing
    when app window is up - build with --enable-startup-notification
    - update debian/rules
 -- Chris Coulson <email address hidden> Wed, 23 Jun 2010 15:31:44 +0100

Changed in firefox (Ubuntu):
status: Fix Committed → Fix Released