Ubuntu
firefox-3.5 package

  1. Bug #484148
  2. Comment #20

Comment 20 for bug 484148

Revision history for this message
Jamie Strandboge (jdstrand) wrote : Re: apparmor-profiles freezes Firefox when using Java applets (Sun JRE)

Ok, I was able to reproduce this with the icedtea plugin:
1. profile is enabled
$ md5sum /etc/apparmor.d/usr.bin.firefox-3.5
97d80b2693f5e7d9141a4275b91bd883 /etc/apparmor.d/usr.bin.firefox-3.5

2. sudo aa-status
apparmor module is loaded.
14 profiles are loaded.
14 profiles are in enforce mode.
   ...
   /usr/lib/firefox-3.5.*/firefox
   ...
4 processes are in enforce mode :
   /usr/lib/firefox-3.5.*/firefox (5638)
   ...

3. $ dpkg -l | egrep '(iced|java)'
...
ii icedtea-6-jre-cacao 6b16-1.6.1-3ubuntu1 Alternative JVM for OpenJDK, using Cacao
ii icedtea6-plugin 6b16-1.6.1-3ubuntu1 web browser plugin based on OpenJDK and Iced
ii java-common 0.30ubuntu5 Base of all Java packages
...

4. There are no denied messages in kern.log/audit.log

5. Steps to reproduce:
 a. start firefox with: firefox -safe-mode
 b. disable all addons
 c. go to 'about:plugins' no plugins should be displayed
 d. go to Tools/Addons/Plugins and enable the IcedTea plugin
 e. close firefox
 f. start firefox, then go to 'about:plugins' to verify that icedtea is enabled
 g. navigate to http://www.gnu.org/software/classpath/ (though http://java.com/en/download/help/testvm.xml should lockup firefox too)

6. $ lsb_release -a ; uname -m
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.10
Release: 9.10
Codename: karmic
i686

WORKAROUND (ie, disable the firefox profile):
$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.firefox-3.5
$ sudo touch /etc/apparmor.d/disable/usr.bin.firefox-3.5

$HOME/.xsession-errors shows various errors, but they don't seem directly related to this bug. What is most interesting is that while the profile doesn't show any denials, java nonetheless does not work.