Ubuntu
firefox-3.5 package

Apparmor denies firefox extension execution

Bug #433128 reported by .Ulli
20
This bug affects 4 people
Affects Status Importance Assigned to Milestone
firefox-3.5 (Ubuntu)
Fix Released
High
Jamie Strandboge

Bug Description

Binary package hint: firefox-3.5

Both global and local extension execution is denied using profile usr.bin.firefox-3.5

Global extension:

audit(1253168735.911:24): operation="exec" pid=8616 parent=8615 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 <email address hidden>/chrome/content/download_complete_notify.py"

audit(1253204828.528:45): operation="exec" pid=19121 parent=19117 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/usr/bin/python2.6"

needs
  /usr/lib/firefox-addons/extensions/** ixr,
  /usr/bin/python* ixr,

Local extension:

audit(1253205825.484:64): operation="file_mmap" pid=16529 parent=1 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="mr::" denied_mask="m::" fsuid=1000 ouid=1000 name="/home/max/.mozilla/firefox/y3kkalw7.ff_35/extensions/{6f9d85e0-794d-11dd-ad8b-0800200c9a66}/platform/Linux_x86_64-gcc3/components/libgnomekeyring.so"

audit(1253205827.300:66): operation="file_mmap" pid=16529 parent=1 profile="/usr/lib/firefox-3.5.*/firefox" requested_mask="mr::" denied_mask="m::" fsuid=1000 ouid=1000 name="/home/max/.mozilla/firefox/y3kkalw7.ff_35/extensions/{3b56bcc7-54e5-44a2-9b44-66c3ef58c13e}/components/libnstidy.so"

needs
  @{HOME}/.mozilla/**/extensions/** rm,

Related branches

lp:~jdstrand/firefox/firefox-433362+433128
Alexander Sack (community): Approve
Diff: 73 lines
2 files modified
debian/changelog (+5/-2)
debian/usr.bin.firefox.apparmor.in (+15/-4)
lp:firefox/3.5
lp:ubuntu/karmic/firefox-3.5
Revision history for this message
Micah Gersten (micahg) wrote :

Thank you for reporting this to Ubuntu. There is enough information here for a developer to look at this. Please report any other issues you may find.

Changed in firefox-3.5 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
status: New → Triaged
Jamie Strandboge (jdstrand)
Changed in firefox-3.5 (Ubuntu):
status: Triaged → In Progress
Jamie Strandboge (jdstrand)
Changed in firefox-3.5 (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox-3.5 - 3.5.3+build1+nobinonly-0ubuntu4

---------------
firefox-3.5 (3.5.3+build1+nobinonly-0ubuntu4) karmic; urgency=low

  [ Fabien Tassin <email address hidden> ]
  * Bump requirement for system sqlite to >= 3.6.16 (bmo 508104)
    - update debian/rules

  [ Alexander Sack <email address hidden> ]
  * fix LP: #423610 - daily build failures after landing of mozilla-nss.pc droppage
    (bug 422829); we drop our previously used nspr pkgconfig patch and fix
    configure.in to not require in-source nspr if libxul-sdk is used
    - delete debian/patches/nspr_flags_by_pkg_config_hack.patch
    - add debian/patches/bzXXX_libxul_sdk_nspr.patch
    - update debian/patches/series
  * now that we always use libxul-sdk for getting the nspr flags we
    can use --without-system-nspr and --without-system-nss all the time
    - update debian/rules
  * rework localized search engine patch to use ChromeRegistry locale
    information rather than a char pref; also change plugin dir order to allow
    locale specific searchplugins to overlay the ones shipped in
    "searchplugins/common"
    - add debian/patches/bz515232_att399338_distro_locale_searchplugins.patch
    - update debian/patches/series
  * adjust packaging to support localized searchplugins
    + ship default searchplugins in /usr/lib/firefox-addons/searchplugins/en-US/
      and link that directory to $(DEBIAN_FF3_DIR)/distribution/searchplugins instead
      of the main firefox APP_DIR
      - update debian/rules
    + set default searchplugin locale pref to en-US - which is used as a
      fallback if no matching searchplugins/LOCALE directory exists for the
      current locale directory
      - update debian/firefox.js
    + do not install upstream searchplugins through debhelper file and
      install "debsearch" to the new distribution/.../en-US location
      - update debian/firefox-3.0.install
    + ship "common" searchplugins link that points to the old default
      searchplugins location '/usr/lib/firefox-addons/searchplugins/
      - update debian/rules

  [ Jamie Strandboge <email address hidden> ]
  * fix bugs surrounding apparmor profile
    + allow ixr access to gnash (LP: #429061)
    + allow ixr access to pulseaudio (LP: #432702)
    + allow access to plugins directory (LP: #428071)
    + allow access to mounted media (LP: #433362)
    + allow access to abstractions/ubuntu-console-email,
      abstractions/ubuntu-email and abstractions/ubuntu-gnome-terminal
      for mailto:. Add commented section for using xterm and konsole
      - update debian/usr.bin.firefox-3.5
    + allow access to extensions directory (LP: #433128)
    + allow 'k' access to @{HOME}/.mozilla/**/*.sqlite* (LP: #449286)
    + allow Ux access to apport-bug (LP: #449423)
    + allow access to /etc/mplayerplug-in.conf (LP: #439484)

 -- Alexander Sack <email address hidden> Thu, 15 Oct 2009 02:30:48 +0200

Changed in firefox-3.5 (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.