usr.bin.firefox blocks /dev/shm

Bug #1495248 reported by Jean-Philippe Guérard
This bug affects 2 people
Affects: firefox (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

When apparmor is activated for Firefox, I get the following log messages:

[28547.841769] audit: type=1400 audit(1442154214.608:109): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/shm/shmfd-mSnoHU" pid=7425 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1111 ouid=1111

Both /run/shm/shmfd-* and /var/run/shm/shmfd-* are allowed, but not /dev/shm/shmfd-*.

Changing:

owner /{,var/}run/shm/shmfd-* rw,

To:

owner /{dev,{,var/}run}/shm/shmfd-* rw,

seems to fix the issue.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in firefox (Ubuntu):
status: New → Confirmed
Thomas Mayer (thomas303) wrote :
Simon Déziel (sdeziel) wrote :

@Jean-Philippe, I use the Firefox profile extensively with some additional local/ rules (LP: #1533232) but I never ran into a situation where Firefox needed to access /dev/shm. Could you double-check if you still have those denials on a fully updated system? Thanks

Jean-Philippe Guérard (fevrier) wrote :

I was able to reproduce the problem, but only using the flash plugin:

Jan 31 23:38:34 tigreraye kernel: [221147.141240] audit: type=1400 audit(1485902314.881:3406): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/shm/org.chromium.CvbXEt" pid=11592 comm="plugin-containe" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jan 31 23:38:34 tigreraye kernel: [221147.141263] audit: type=1400 audit(1485902314.881:3407): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/shm/org.chromium.5Am9iK" pid=11592 comm="plugin-containe" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I also tried the java plugin, but it does not use /dev/shm (it fails, but for another reason):

Jan 31 23:43:49 tigreraye kernel: [221461.300441] audit: type=1400 audit(1485902629.062:6116995): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=11779 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Jan 31 23:43:49 tigreraye kernel: [221461.301683] audit: type=1400 audit(1485902629.062:6116996): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=11780 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Simon Déziel (sdeziel) wrote : Re: [Bug 1495248] Re: usr.bin.firefox blocks /dev/shm

On 2017-01-31 05:46 PM, Jean-Philippe Guérard wrote:
> I was able to reproduce the problem, but only using the flash plugin:
>
> Jan 31 23:38:34 tigreraye kernel: [221147.141240] audit: type=1400 audit(1485902314.881:3406): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/shm/org.chromium.CvbXEt" pid=11592 comm="plugin-containe" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
> Jan 31 23:38:34 tigreraye kernel: [221147.141263] audit: type=1400 audit(1485902314.881:3407): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/shm/org.chromium.5Am9iK" pid=11592 comm="plugin-containe" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

Good, thanks for the additional information.

> I also tried the java plugin, but it does not use /dev/shm (it fails,
> but for another reason):
>
> Jan 31 23:43:49 tigreraye kernel: [221461.300441] audit: type=1400 audit(1485902629.062:6116995): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=11779 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> Jan 31 23:43:49 tigreraye kernel: [221461.301683] audit: type=1400 audit(1485902629.062:6116996): apparmor="DENIED" operation="exec" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-8-oracle/jre/bin/java" pid=11780 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Yeah, it seems like the Oracle version of the JRE/JDK isn't authorized
in /etc/apparmor.d/abstractions/ubuntu-browsers.d/java. Even OpenJDK/JRE
8 isn't authorized. Both should be supported IMHO.

Thanks,
Simon

Thomas Mayer (thomas303) wrote :

I had the /dev/shm/org.chromium.XXXXXX issues with

- Flash plugin DISABLED
- Java plugin DISABLED

Maybe playing an HTML5 YouTube video exposes it.

I'm on Ubuntu 16.04 (up-to-date), FF 51.0.1, with apparmor profile activated.

@fevrier Have you tried my patch (version 6) (taken from https://bugs.launchpad.net/bugs/1659988)?

I did not try with Java/Flash support, but your log entries look as if my patch covers that, too.
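
The rule change from the bug description, checked against the denials quoted in this thread. This is an added example, not part of the original report or of the Ubuntu profile; the helper names aa_glob_to_regex and covered are hypothetical, and the glob translation handles only *, **, ? and nested braces.

```python
import re

OLD_RULE = "/{,var/}run/shm/shmfd-*"        # path of the rule currently in the profile
NEW_RULE = "/{dev,{,var/}run}/shm/shmfd-*"  # path of the rule proposed in the report
WILDCARDS = {"**": ".*", "*": "[^/]*", "?": "[^/]"}  # * and ? stop at '/'

# Sample input: denials quoted in this thread, trimmed to the fields used here.
AUDIT_LINES = [
    'apparmor="DENIED" operation="mknod" name="/dev/shm/shmfd-mSnoHU" '
    'comm="firefox" requested_mask="c" fsuid=1111 ouid=1111',
    'apparmor="DENIED" operation="mknod" name="/dev/shm/org.chromium.CvbXEt" '
    'comm="plugin-containe" requested_mask="c" fsuid=1000 ouid=1000',
    'apparmor="DENIED" operation="exec" name="/usr/lib/jvm/java-8-oracle/jre/bin/java" '
    'comm="plugin-containe" requested_mask="x" fsuid=1000 ouid=0',
]

def aa_glob_to_regex(glob):
    """Compile a subset of AppArmor path globbing (no [...] classes) to a regex."""
    out, depth = [], 0
    for tok in re.findall(r"\*\*|.", glob):
        if tok == "{":
            depth += 1
            out.append("(?:")
        elif tok == "}" and depth:
            depth -= 1
            out.append(")")
        elif tok == "," and depth:      # alternation separator inside braces
            out.append("|")
        else:
            out.append(WILDCARDS.get(tok) or re.escape(tok))
    if depth:
        raise ValueError("unbalanced '{' in rule path")
    return re.compile("".join(out))

def covered(rule_path, lines):
    """Map each denied path to True if an 'owner <rule_path>' rule would match it."""
    rx = aa_glob_to_regex(rule_path)
    result = {}
    for line in lines:
        f = dict(re.findall(r'(\w+)="?([^"\s]+)"?', line))
        if f.get("apparmor") == "DENIED":
            # 'owner' rules apply only when the task's fsuid owns the object.
            result[f["name"]] = bool(rx.fullmatch(f["name"])) and f["fsuid"] == f["ouid"]
    return result

if __name__ == "__main__":
    for rule in (OLD_RULE, NEW_RULE):
        print(rule, covered(rule, AUDIT_LINES))
```

The proposed path matches the shmfd-* denial from the description but not the org.chromium.* names reported later in the thread, which would need a rule of their own. Permission masks are not evaluated here, only the path and the owner condition.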
