firefox apparmor updates for trusty

Bug #1288260 reported by James Troup
Affects           Status        Importance  Assigned to  Milestone
firefox (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

Attached is a patch to fix the apparmor syslog noise I see after
upgrading to trusty. It follows the chromium apparmor profile in
terms of what to allow and deny.

--- ./usr.bin.firefox 2014-03-05 13:52:13.470886569 +0000
+++ /etc/apparmor.d/usr.bin.firefox 2014-03-05 13:56:42.640802391 +0000
@@ -38,7 +38,9 @@
   /etc/ r,
   /etc/mime.types r,
   /etc/mailcap r,
+ /etc/udev/udev.conf r,
   /etc/xdg/*buntu/applications/defaults.list r, # for all derivatives
+ /sys/devices/pci[0-9]*/**/uevent r,
   /usr/share/xubuntu/applications/defaults.list r,
   owner @{HOME}/.local/share/applications/defaults.list r,
   owner @{HOME}/.local/share/applications/mimeapps.list r,
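Review bot: The new /sys/devices/pci[0-9]*/**/uevent rule is inserted between the two defaults.list rules and carries no comment, so nothing in the profile records why a browser needs it. The glob grants read on the uevent file of every device below every PCI bus, which is a broad view of the machine's hardware for a confined browser. I would move it and the /etc/udev/udev.conf rule into their own block with a one-line comment naming the consumer that triggered the denials, and narrow the glob if the logged paths turn out to be a smaller set.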
@@ -73,6 +75,9 @@
   # TODO: investigate
   deny /usr/bin/gconftool-2 x,

+ # This is requested, but doesn't seem to actually be needed so deny for now
+ deny /run/udev/data/** r,
+
   # These are needed when a new user starts firefox and firefox.sh is used
   @{MOZ_LIBDIR}/** ixr,
   /usr/bin/basename ixr,
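Review bot: The comment on the new deny /run/udev/data/** r, rule says "deny for now" but gives no pointer for revisiting it, unlike the "# TODO: investigate" marker on the gconftool-2 rule just above. An explicit deny is not logged unless it is written as audit deny, and it overrides any allow rule, so if a later Firefox release does need this path the failure will leave no trace in syslog. Please say in the comment that the deny is there to silence the log noise, and add a TODO or bug reference so it can be re-checked against new releases.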

Tags: patch trusty
James Troup (elmo) wrote :
Changed in firefox (Ubuntu):
status: New → Fix Committed
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Firefox apparmor profile updates for Trusty" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
tags: added: trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 28.0+build1-0ubuntu1

---------------
firefox (28.0+build1-0ubuntu1) trusty; urgency=medium

  * New upstream stable release (FIREFOX_28_0_BUILD1)

  [ Jamie Strandboge <email address hidden> ]
  * usr.bin.firefox.apparmor*: updates for new firefox releases (LP: #1288260)
    - allow read of /sys/devices/pci[0-9]*/**/uevent
    - allow read of /etc/udev/udev.conf
    - explicitly deny /run/udev/data/**, like we do with evince

  [ Chris Coulson <email address hidden> ]
  * Make geolocation work
  * Backport changeset from mozilla-central for aarch64 support
    - add debian/patches/aarch64-support.patch
    - update debian/patches/series
  * Use --enable-system-libffi on arm64, as the bundled libffi doesn't
    support this yet
  * Switch to the release channel
 -- Chris Coulson <email address hidden> Wed, 05 Mar 2014 08:11:10 -0600

Changed in firefox (Ubuntu):
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :

This actually was not fixed in the latest upload to trusty.

Changed in firefox (Ubuntu):
status: Fix Released → In Progress
Jamie Strandboge (jdstrand) wrote :

Sorry, to be clear, the fix was only partially applied to the beta branch. The udev rules are present, but the uevent rule is missing.

Jamie Strandboge (jdstrand) wrote :

This will be fixed in the next upload.

Changed in firefox (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 29.0+build1-0ubuntu0.13.10.3

---------------
firefox (29.0+build1-0ubuntu0.13.10.3) saucy-security; urgency=medium

  * New upstream stable release (FIREFOX_29_0_BUILD1)
    - see LP: #1313464 for USN information

  [ Jamie Strandboge <email address hidden> ]
  * usr.bin.firefox.apparmor*: updates for new firefox releases (LP: #1288260)
    - allow read of /sys/devices/pci[0-9]*/**/uevent
    - allow read of /etc/udev/udev.conf
    - explicitly deny /run/udev/data/**, like we do with evince

  [ Chris Coulson <email address hidden> ]
  * Add Malay language pack
  * Backport changeset from mozilla-central for aarch64 support
    - add debian/patches/aarch64-support.patch
    - update debian/patches/series
  * Use --enable-system-libffi on arm64, as the bundled libffi doesn't
    support this yet
  * Refresh patches
    - update debian/patches/unity-menubar.patch
    - update debian/patches/no_neon_on_arm.patch
  * Backport changeset from aurora to fix armhf build
    - add debian/patches/fix-armhf-build.patch
    - update debian/patches/series
 -- Chris Coulson <email address hidden> Mon, 28 Apr 2014 00:44:59 +0100

Changed in firefox (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 29.0+build1-0ubuntu0.12.04.2

---------------
firefox (29.0+build1-0ubuntu0.12.04.2) precise-security; urgency=medium

  * New upstream stable release (FIREFOX_29_0_BUILD1)
    - see LP: #1313464 for USN information

  [ Jamie Strandboge <email address hidden> ]
  * usr.bin.firefox.apparmor*: updates for new firefox releases (LP: #1288260)
    - allow read of /sys/devices/pci[0-9]*/**/uevent
    - allow read of /etc/udev/udev.conf
    - explicitly deny /run/udev/data/**, like we do with evince

  [ Chris Coulson <email address hidden> ]
  * Add Malay language pack
  * Backport changeset from mozilla-central for aarch64 support
    - add debian/patches/aarch64-support.patch
    - update debian/patches/series
  * Use --enable-system-libffi on arm64, as the bundled libffi doesn't
    support this yet
  * Refresh patches
    - update debian/patches/unity-menubar.patch
    - update debian/patches/no_neon_on_arm.patch
  * Backport changeset from aurora to fix armhf build
    - add debian/patches/fix-armhf-build.patch
    - update debian/patches/series
 -- Chris Coulson <email address hidden> Mon, 28 Apr 2014 00:49:13 +0100

Changed in firefox (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 29.0+build1-0ubuntu0.12.10.3

---------------
firefox (29.0+build1-0ubuntu0.12.10.3) quantal-security; urgency=medium

  * New upstream stable release (FIREFOX_29_0_BUILD1)
    - see LP: #1313464 for USN information

  [ Jamie Strandboge <email address hidden> ]
  * usr.bin.firefox.apparmor*: updates for new firefox releases (LP: #1288260)
    - allow read of /sys/devices/pci[0-9]*/**/uevent
    - allow read of /etc/udev/udev.conf
    - explicitly deny /run/udev/data/**, like we do with evince

  [ Chris Coulson <email address hidden> ]
  * Add Malay language pack
  * Backport changeset from mozilla-central for aarch64 support
    - add debian/patches/aarch64-support.patch
    - update debian/patches/series
  * Use --enable-system-libffi on arm64, as the bundled libffi doesn't
    support this yet
  * Refresh patches
    - update debian/patches/unity-menubar.patch
    - update debian/patches/no_neon_on_arm.patch
  * Backport changeset from aurora to fix armhf build
    - add debian/patches/fix-armhf-build.patch
    - update debian/patches/series
 -- Chris Coulson <email address hidden> Mon, 28 Apr 2014 00:48:05 +0100

Changed in firefox (Ubuntu):
status: Fix Committed → Fix Released