Firefox apparmor profile, WebGL/DRI and libc corrections.

Bug #918879 reported by Mike Mestnik
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Jamie Strandboge

Bug Description

libc: It's hard to find an application that doesn't read ld.so.preload, so all apparmor profiles should define it.

WebGL is calling DRI on my system and that means reading drirc.

Thanks!

diff -u -r1.1 /etc/apparmor.d/usr.bin.firefox
--- /etc/apparmor.d/usr.bin.firefox 2012/01/19 19:49:40 1.1
+++ /etc/apparmor.d/usr.bin.firefox 2012/01/19 19:51:49
@@ -62,6 +62,7 @@
   deny /boot/vmlinuz* r,
   deny /var/cache/fontconfig/ w,
   deny @{HOME}/.local/share/recently-used.xbel r,
+ deny /etc/ld.so.preload r,

   # TODO: investigate
   deny /usr/bin/gconftool-2 x,
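Review bot: the added `deny /etc/ld.so.preload r,` does more than quiet the log: when the loader cannot open /etc/ld.so.preload it simply skips the system-wide preload list, so any library an administrator preloads for every process will silently not apply to Firefox. If the only aim is to stop an expected read from being audited, an allow rule `/etc/ld.so.preload r,` achieves that without changing behaviour, and since the report says nearly every application reads this file it belongs in a shared abstraction rather than in this one profile. Whichever is intended, the line needs a comment saying so, because the surrounding `deny` lines in this block are all deliberate denials of things Firefox must not touch and a reader will assume the same here.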
@@ -138,6 +139,7 @@
   /usr/bin/mkfifo Uxr, # TODO: investigate
   /bin/ps Uxr, # TODO: child profile
   /bin/uname Uxr, # TODO: child profile
+ /etc/drirc r,

   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.bin.firefox>
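Review bot: `/etc/drirc r,` is dropped into the block of `Uxr` helper-binary rules, where it reads as Firefox-specific, but it is the Mesa/DRI configuration file that every GL-using profile needs; it belongs in the shared X abstraction (which is where the changelog below says the accepted fix put it), not in this profile. While testing, also watch for a denial on the per-user copy: Mesa reads `~/.drirc` after `/etc/drirc`, so an `owner @{HOME}/.drirc r,` rule will likely be needed in the same place.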

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: firefox 10.0~b2+build1-0ubuntu1
ProcVersionSignature: Ubuntu 3.0-2.3-generic-pae 3.0.0-rc4
Uname: Linux 3.0-2-generic-pae i686
AddonCompatCheckDisabled: False
AlsaVersion: Advanced Linux Sound Architecture Driver Version 1.0.24.
ApportVersion: 1.90-0ubuntu1
Architecture: i386
ArecordDevices:
 **** List of CAPTURE Hardware Devices ****
 card 0: SB [HDA ATI SB], device 0: VT2020 Analog [VT2020 Analog]
   Subdevices: 2/2
   Subdevice #0: subdevice #0
   Subdevice #1: subdevice #1
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/by-path', '/dev/snd/controlC1', '/dev/snd/hwC1D0', '/dev/snd/pcmC1D3p', '/dev/snd/controlC0', '/dev/snd/hwC0D0', '/dev/snd/pcmC0D0c', '/dev/snd/pcmC0D0p', '/dev/snd/pcmC0D1p', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
BuildID: 20120102174747
CRDA: Error: [Errno 2] No such file or directory
Card0.Amixer.info:
 Card hw:0 'SB'/'HDA ATI SB at 0xfe3f8000 irq 16'
   Mixer name : 'VIA VT2020'
   Components : 'HDA:11060441,104383e4,00100100'
   Controls : 33
   Simple ctrls : 19
Card1.Amixer.info:
 Card hw:1 'HDMI'/'HDA ATI HDMI at 0xfe9ec000 irq 88'
   Mixer name : 'ATI R6xx HDMI'
   Components : 'HDA:1002aa01,00aa0100,00100000'
   Controls : 4
   Simple ctrls : 1
Card1.Amixer.values:
 Simple mixer control 'IEC958',0
   Capabilities: pswitch pswitch-joined penum
   Playback channels: Mono
   Mono: Playback [on]
Channel: beta
Date: Thu Jan 19 13:52:18 2012
ForcedLayersAccel: False
IpRoute:
 default via 192.168.172.100 dev eth2 metric 100
 169.254.0.0/16 dev eth2 scope link metric 1000
 192.168.172.0/24 dev eth2 proto kernel scope link src 192.168.172.26
IwConfig: Error: [Errno 2] No such file or directory
ProcEnviron:
 LANGUAGE=en
 PATH=(custom, no user)
 LANG=C
 SHELL=/bin/bash
Profiles: Profile0 (Default) - LastVersion=10.0/20120102174747
PulseSinks: Error: command ['pacmd', 'list-sinks'] failed with exit code 127: pacmd: error while loading shared libraries: libpulsecommon-UNKNOWN.UNKNOWN.UNKNOWN.so: cannot open shared object file: No such file or directory
PulseSources: Error: command ['pacmd', 'list-sources'] failed with exit code 127: pacmd: error while loading shared libraries: libpulsecommon-UNKNOWN.UNKNOWN.UNKNOWN.so: cannot open shared object file: No such file or directory
RfKill: Error: [Errno 2] No such file or directory
RunningIncompatibleAddons: False
SourcePackage: firefox
UpgradeStatus: Upgraded to precise on 2012-01-01 (17 days ago)
WpaSupplicantLog:

dmi.bios.date: 02/17/2011
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 1902
dmi.board.asset.tag: To Be Filled By O.E.M.
dmi.board.name: Crosshair IV Formula
dmi.board.vendor: ASUSTeK Computer INC.
dmi.board.version: Rev 1.xx
dmi.chassis.asset.tag: Asset-1234567890
dmi.chassis.type: 3
dmi.chassis.vendor: Chassis Manufacture
dmi.chassis.version: Chassis Version
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr1902:bd02/17/2011:svnSystemmanufacturer:pnSystemProductName:pvrSystemVersion:rvnASUSTeKComputerINC.:rnCrosshairIVFormula:rvrRev1.xx:cvnChassisManufacture:ct3:cvrChassisVersion:
dmi.product.name: System Product Name
dmi.product.version: System Version
dmi.sys.vendor: System manufacturer
mtime.conffile..etc.apparmor.d.usr.bin.firefox: 2012-01-19T13:51:49.097296


Mike Mestnik (cheako) wrote :
Micah Gersten (micahg)
tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and filing a bug. /etc/drirc would be better in the X abstraction, so I have adjusted the bug accordingly.

affects: firefox (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
status: New → Triaged
Mike Mestnik (cheako) wrote :

Jamie, thank you for that as I'm unfamiliar with Apparmor.

What do people think about ld.so.preload? To tell the truth I used to put tsocks in that file, but since FF has its own socks client it can be excluded from loading tsocks. For the most part preload should be enabled, but there are some cases (like FF) where it might make sense to block preloads for security.

My stance is since ld.so.preload is something nearly every application should access, that it should never show up in an apparmor log. The reason being that it says little more than this application was linked using ld.so and this information is pointless to log.

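The triage step behind this thread, reading the DENIED lines a profile generates and deciding which deserve a rule and where that rule belongs, as an added example that is not part of the bug report or of the apparmor package. The audit lines are constructed for the example and follow the kernel's AppArmor audit field layout; the placement of /etc/drirc and ~/.drirc in abstractions/X follows Jamie's comment, while placing /etc/ld.so.preload in abstractions/base is this example's own suggestion, not something the bug decided.

```python
"""Triage AppArmor DENIED audit lines into candidate profile rules.

Added example, not code from the bug report or the apparmor package.  The
sample lines below are constructed, not copied from a real log; the field
layout follows the kernel's AppArmor audit format.
"""
import re

# Constructed sample: three denials for the firefox profile plus one
# complain-mode ALLOWED line that must be ignored by the triage.
SAMPLE_LOG = """\
type=AVC msg=audit(1326981138.123:45): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/firefox" name="/etc/ld.so.preload" pid=2301 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1326981138.456:46): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/firefox" name="/etc/drirc" pid=2301 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1326981139.001:47): apparmor="DENIED" operation="open" parent=1 profile="/usr/bin/firefox" name="/home/user/.drirc" pid=2301 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1326981139.500:48): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/firefox" name="/etc/fonts/fonts.conf" pid=2301 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value fields; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Where a rule belongs.  Assumption: the X placement for drirc comes from
# the bug discussion; putting ld.so.preload in abstractions/base is this
# example's own suggestion.  Anything unlisted stays in the profile itself.
PLACEMENT = {
    "/etc/ld.so.preload": "abstractions/base",
    "/etc/drirc": "abstractions/X",
    "owner @{HOME}/.drirc": "abstractions/X",
}

HOME_RE = re.compile(r"^/home/[^/]+/")


def parse_line(line):
    """Return the key=value fields of one audit line as a dict of strings."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def rule_path(name, fsuid, ouid):
    """Generalise a concrete path: a file under /home that the confined
    process's user owns becomes an 'owner @{HOME}/...' rule so the same
    rule fits every user instead of one home directory."""
    if HOME_RE.match(name) and fsuid == ouid:
        return "owner @{HOME}/" + HOME_RE.sub("", name)
    return name


def suggest_rules(log_text):
    """Collapse DENIED file denials into (profile, rule, placement) tuples,
    merging the access masks when the same path is denied more than once."""
    masks = {}  # (profile, generalised path) -> set of mask letters
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("apparmor") != "DENIED" or "name" not in f:
            continue
        path = rule_path(f["name"], f.get("fsuid"), f.get("ouid"))
        key = (f["profile"], path)
        masks.setdefault(key, set()).update(f.get("denied_mask", ""))
    out = []
    for (profile, path), mask in sorted(masks.items()):
        rule = "%s %s," % (path, "".join(sorted(mask)))
        out.append((profile, rule, PLACEMENT.get(path, "profile " + profile)))
    return out


if __name__ == "__main__":
    for profile, rule, where in suggest_rules(SAMPLE_LOG):
        print("%-32s -> %s" % (rule, where))
```

Run it against `dmesg` or `/var/log/kern.log` output instead of `SAMPLE_LOG` to get the same three-way split: the two drirc rules go to the X abstraction, the loader file goes to a shared abstraction, and anything else stays a per-profile decision. Whether a path on the shared list should be an allow or a `deny` is still a human call; the tool only stops the same expected read from being re-triaged in every profile.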
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.99-0ubuntu1

---------------
apparmor (2.7.99-0ubuntu1) precise; urgency=low

  * New upstream release which also pulls in 2.7.0-1 changes from Debian.
    For the sake of simplicity, I have added the 2.7.0-1 changelog entry after
    2.7.0-0ubuntu7 even though chronologically it appeared in Debian between
    2.7.0-0ubuntu4 and 2.7.0-0ubuntu5.
    - LP: #940422 (FFe)
  * Drop the following patches, included upstream:
    - 0003-commits-through-r1882.patch
    - 0004-lp887992.patch
    - 0005-lp884748.patch
    - 0006-lp870992.patch
    - 0007-lp860856.patch
    - 0008-lp852062.patch
    - 0009-lp851977.patch
    - 0010-lp890894.patch
    - 0011-lp817956.patch
    - 0012-lp458922.patch
    - 0013-lp769148.patch
    - 0014-lp904548.patch
    - 0015-lp712584.patch
    - 0016-lp562831.patch
    - 0017-lp662906.patch
    - 0018-deny-home-pki-so.patch
    - 0019-lp899963.patch
    - 0020-lp912754a.patch
    - 0021-lp912754b.patch
    - 0022-workaround-lp851986.patch
    - 0023-syslog-ng-needs-dac-read-search.patch
    - 0024-fix-python-and-ruby-autogeneration.patch
    - 0025-lp914184.patch
    - 0026-lp914190.patch
    - 0027-lp914386.patch
    - 0028-testsuite-fixes.patch
    - 0029-lp917628.patch
    - 0030-lp916285.patch
    - 0031-lp917639.patch
    - 0032-lp917641.patch
    - 0033-add-ubuntu-helpers-to-plugins-common.patch
    - 0034-lp917859.patch
    - 0035-kde-should-use-kde4.patch
    - 0036-lp929531.patch
    - 0036-fix-manpage-errors.patch
  * Rename 0037-add-aa-easyprof.patch 0003-add-aa-easyprof.patch
  * debian/apparmor-profiles.postrm: clean out autogenerated files created by
    apparmor-profiles.postinst (Closes: 656451)
  * debian/patches/0004-lp918879.patch: allow /etc/drirc in the X abstraction
    (LP: #918879)
  * debian/patches/0005-disable-minimization.patch: due to LP: 940362,
    minimization is not working correctly. Disable it for now.

apparmor (2.7.0-1) unstable; urgency=low

  * debian/po/pt.po add new Portuguese translation, thanks to Pedro Ribeiro,
    (Closes: 651434).
  * debian/control: do not require initramfs-tools on !linux-any
    (Closes: 651297).
  * debian/{control,rules,debhelper/*}: move dh_apparmor into separate
    binary package, out of debhelper (Closes: 649784).
  * debian/{control,rules}: fix up lack of real build-indep.
  * debian/patches/0036-fix-manpage-errors.patch: minor man page cleanups.
  * merge changes from Ubuntu (r1443).
 -- Jamie Strandboge <email address hidden> Fri, 24 Feb 2012 09:04:45 -0600

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released