Ubuntu
apparmor package

Java applets won't run in Firefox with Apparmor profile activated

Bug #1426316 reported by Franck on 2015-02-27

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	apparmor (Ubuntu)	Confirmed	Low	Unassigned

Bug Description

After activating firefox profile, be it in complain or enforce mode, no applet will run with OpenJDK.

The culprit seems to be:
apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,[^s][^h]}//browser_openjdk" name="/run/user/1000/dconf/user" pid=11973 comm=64636F6E6620776F726B6572 requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000

The rules that prevent the applets to run belong to Apparmor abstractions, specifically /etc/apparmor.d/abstractions/ubuntu-browser.d/java

These rules will be enforced, even when usr.in.firefox is in complain mode (I don't know why exactly)

Adding write access to the line

owner /run/user/*/icedteaplugin-*/ rw

in /etc/apparmor.d/abstractions/ubuntu-browser.d/java

seems to solve the problem.

ProblemType: Bug
DistroRelease: Ubuntu 14.10
Package: apparmor-profiles 2.8.98-0ubuntu2
ProcVersionSignature: Ubuntu 3.16.0-31.41-lowlatency 3.16.7-ckt5
Uname: Linux 3.16.0-31-lowlatency x86_64
ApportVersion: 2.14.7-0ubuntu8.2
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Feb 27 11:05:20 2015
InstallationDate: Installed on 2014-12-13 (75 days ago)
InstallationMedia: Ubuntu 14.10 "Utopic Unicorn" - Release amd64 (20141022.1)
PackageArchitecture: all
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.16.0-31-lowlatency root=/dev/mapper/ubuntu--vg-lv--root ro threadirqs quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog: Feb 27 09:42:45 franck-ThinkPad-T430s dbus[3940]: apparmor="DENIED" operation="dbus_method_call" bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="Hello" mask="send" name="org.freedesktop.DBus" pid=9748 profile="/usr/lib/firefox/firefox{,*[^s][^h]}//browser_openjdk" peer_profile="unconfined"
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.apparmor.d.usr.sbin.dnsmasq: [modified]
modified.conffile..etc.apparmor.d.usr.sbin.traceroute: [modified]
mtime.conffile..etc.apparmor.d.usr.sbin.dnsmasq: 2015-02-20T14:58:28.130461
mtime.conffile..etc.apparmor.d.usr.sbin.traceroute: 2015-02-20T15:04:02.437880

See original description

Tags:

Revision history for this message

Franck (alci) wrote on 2015-02-27:

ApparmorPackages.txt Edit (453 bytes, text/plain; charset="utf-8")
ApparmorStatusOutput.txt Edit (2.9 KiB, text/plain; charset="utf-8")
Dependencies.txt Edit (2.9 KiB, text/plain; charset="utf-8")
KernLog.txt Edit (26.8 KiB, text/plain; charset="utf-8")
ProcEnviron.txt Edit (103 bytes, text/plain; charset="utf-8")
PstreeP.txt Edit (33.2 KiB, text/plain; charset="utf-8")

Revision history for this message

John Johansen (jjohansen) wrote on 2015-02-27:

The rule is enforced when the firefox profile is in complain mode because /usr/lib/firefox/firefox{,[^s][^h]}//browser_openjdk is a separate profile from /usr/lib/firefox/firefox{,[^s][^h]} and has its own flags/modes. The tools have a bug where they are not changing the subprofiles modes, only the main profile.

Revision history for this message

Franck (alci) wrote on 2015-03-26:

Add owner /run/user/*/icedteaplugin-*/* rw, to allow java plugins execution Edit (501 bytes, text/plain)

Here is my proposed patch.
I'm not an apparmor expert, so this need review, but it works for me(TM).

summary:

- Applets won't run with Apparmor profile activated
+ Java applets won't run in Firefox with Apparmor profile activated

Franck (alci) on 2015-03-26

description:

updated

Revision history for this message

Ubuntu Foundations Team Bug Bot (crichton) wrote on 2015-03-26:

The attachment "Add owner /run/user/*/icedteaplugin-*/* rw, to allow java plugins execution" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags:

added: patch

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2015-03-26:

Franck, thanks for the patch, but I'm curious; the DENIED in the description is for dconf, the DENIED in the automatic tools is for a dbus access, and the patch you've included is for some /run/user icedteaplugin files.

Do you know which if the other two are important or unimportant? Do you know if you added rules for them, too?

Thanks

Revision history for this message

Franck (alci) wrote on 2015-03-27:

Seth, yes this is contradictory. In fact I had many DENIED messages, as you might have seen here http://askubuntu.com/questions/586611/apparmor-problem-icedtea-plugin-freezes-firefox-35-0-1

But finally, only adding rw to owner /run/user/*/icedteaplugin-*/* did the trick for me.

Regarding the other modifications I made, there all are in my local/usr.bin.firefox:

# Site-specific additions and overrides for usr.bin.firefox.
# For more details, please see /etc/apparmor.d/local/README.
# Allow keyring integration to work
dbus (send,receive)
    bus=session
    interface=org.freedesktop.DBus.Properties
    path=/org/freedesktop/secrets,
dbus (send,receive)
    bus=session
    interface=org.freedesktop.Secret.Service
    path=/org/freedesktop/secrets,
dbus (send,receive)
    bus=session
    interface=org.freedesktop.Secret.Item
    path=/org/freedesktop/secrets/**/*,
dbus (send,receive)
    bus=session
    interface=org.freedesktop.DBus.Properties
    path=/org/freedesktop/secrets/collection/mozilla/*,
dbus (send,receive)
    bus=session
    interface=org.freedesktop.DBus.Properties
    path=/org/freedesktop/secrets/collection/mozilla,
dbus (send,receive)
    bus=session
    interface=org.freedesktop.Secret.Prompt
    path=/org/freedesktop/secrets/prompt/*,
@{HOME}/.cache/mozilla/firefox/**/safebrowsing-to_delete/*.sbstore rw,
deny dbus
    interface=org.gtk.vfs.MountTracker,
deny /tmp/.ICE-unix/* rw,

Everything regarding dbus is related to a gnome-keyring-integration plugin I use (https://github.com/swick/moz-gnome-keyring-integration).
Last two line are here to avoid noisy notifications.

Reagards,
Franck

Mathew Hodson (mhodson) on 2016-04-21

Changed in apparmor (Ubuntu):
importance:	Undecided → Low

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-04-29:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status:	New → Confirmed

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add owner /run/user/*/icedteaplugin-*/* rw, to allow java plugins execution Edit

Add patch

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuapparmor package

Java applets won't run in Firefox with Apparmor profile activated

Bug Description

Other bug subscribers

Patches

Bug attachments

Remote bug watches

Ubuntu
apparmor package