apparmor denies firefox access to /etc/alternatives/mozilla-flashplugin

Bug #611301 reported by Simon Déziel
Affects: firefox (Ubuntu)
Status: Invalid
Importance: Low
Assigned to: Unassigned
Milestone: (not set)

Bug Description

Binary package hint: firefox

The apparmor profile for /usr/bin/firefox denies access to /etc/alternatives/mozilla-flashplugin. Here is an extract of kern.log :

Jul 29 11:40:55 simon-laptop kernel: [19883.527433] type=1400 audit(1280396455.096:59): operation="getattr" pid=2129 parent=2125 profile="/usr/lib/firefox-3.6.8/firefox-*bin" name="/etc/alternatives/mozilla-flashplugin" pid=2129 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

I know that this profile is disabled by default but I activated it and I think that Firefox should be able to read this file. I have attached a patch that adds this authorization to the AA profile of Firefox.

Generic info:

$ lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04

$ apt-cache policy firefox
firefox:
  Installed: 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
  Candidate: 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
  Version table:
 *** 3.6.8+build1+nobinonly-0ubuntu0.10.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
        500 http://archive.ubuntu.com/ubuntu/ lucid-security/main Packages
        100 /var/lib/dpkg/status
     3.6.3+nobinonly-0ubuntu4 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: firefox 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
ProcVersionSignature: Ubuntu 2.6.35-12.17~lucid1-generic 2.6.35-rc6
Uname: Linux 2.6.35-12-generic x86_64
Architecture: amd64
Date: Thu Jul 29 15:15:17 2010
EcryptfsInUse: Yes
FirefoxPackages:
 firefox 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
 firefox-gnome-support 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
 firefox-branding 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
 abroswer N/A
 abrowser-branding N/A
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
ProcEnviron:
 LANGUAGE=en
 LANG=en_CA.utf8
 SHELL=/bin/bash
SourcePackage: firefox

Revision history for this message
Micah Gersten (micahg) wrote :

Thanks for reporting this bug and any supporting documentation. Since this bug has enough information provided for a developer to begin work, I'm going to mark it as Triaged and let them handle it from here. Thanks for taking the time to make Ubuntu better! Please report any other issues you may find.

tags: added: apparmor
Changed in firefox (Ubuntu):
importance: Undecided → Low
status: New → Triaged
tags: added: patch
Revision history for this message
Chris Coulson (chrisccoulson) wrote :

Subscribing Jamie to look at this

Revision history for this message
Chris Coulson (chrisccoulson) wrote :

Oops, the security team was already subscribed :/

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

/etc/alternatives/mozilla-flashplugin should be a symlink to something (eg /var/lib/flashplugin-installer/npwrapper.libflashplayer.so) and not an actual file. AppArmor will effectively 'realpath' a symlink so /etc/alternatives/mozilla-flashplugin should not need to be added to the profile, but rather what it is pointing to.

Simon, can you determine why /etc/alternatives/mozilla-flashplugin is not a symlink on your system? A start might be to perform: dpkg -S /etc/alternatives/mozilla-flashplugin

Changed in firefox (Ubuntu):
status: Triaged → Incomplete
Revision history for this message
Simon Déziel (sdeziel) wrote :

Please note that there is no real issue I can observe as Firefox and Flash work perfectly even when AA denies access to the symlink /etc/alternatives/mozilla-flashplugin. The only observable thing I have is a log message.

/etc/alternatives/mozilla-flashplugin is effectively a symlink on my system :

root@simon-laptop:~# dpkg -S /etc/alternatives/mozilla-flashplugin
dpkg: /etc/alternatives/mozilla-flashplugin not found.
root@simon-laptop:~# ls -l /etc/alternatives/mozilla-flashplugin
lrwxrwxrwx 1 root root 48 2010-07-02 20:05 /etc/alternatives/mozilla-flashplugin -> /usr/lib/flashplugin-installer/libflashplayer.so

The thing is only that I noticed that Firefox attempted to read the symlink and that was generating a log in /var/log/kern.log. I tried adding the file pointed to by the symlink to the AA profile but I still have the issue.

/var/log/kern.log with the original AA profile :

Aug 4 10:45:08 simon-laptop kernel: [ 101.546773] type=1400 audit(1280911508.321:55): operation="getattr" pid=2205 parent=2201 profile="/usr/lib/firefox-3.6.8/firefox-*bin" name="/etc/alternatives/mozilla-flashplugin" pid=2205 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

When I reload the profile with "/etc/alternatives/mozilla-flashplugin r," nothing is logged to /var/log/kern.log (except the profile reload).

When I reload with "/usr/lib/flashplugin-installer/libflashplayer.so rm," (I used "rm" as other .so use that) :

Aug 4 10:53:17 simon-laptop kernel: [ 590.648180] type=1400 audit(1280911997.422:67): operation="getattr" pid=2501 parent=2497 profile="/usr/lib/firefox-3.6.8/firefox-*bin" name="/etc/alternatives/mozilla-flashplugin" pid=2501 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Note: I quit Firefox before changing the AA profile, I reload the profile (apparmor_parser -r /etc/apparmor.d/usr.bin.firefox) and start Firefox on a Youtube page.

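As an added example (not part of this bug report, of the submitted patch, or of Ubuntu's firefox profile), the following Python script parses type=1400 AppArmor audit lines like the kern.log extracts above, groups the denials per profile and path, and drafts the file rule to add. It resolves symlinks the way jdstrand describes: because AppArmor mediates the resolved path, the drafted rule names the symlink target rather than the link. The sample log lines are constructed from the extracts in this bug (pids and timestamps are placeholders), and the temp-dir symlink is a stand-in for /etc/alternatives/mozilla-flashplugin -> libflashplayer.so. Note the caveat this very bug illustrates: on the affected 2.6.35 kernel the denial was logged against the symlink path and a rule on the target did not silence it, so any drafted rule should be confirmed with `apparmor_parser -r` and a fresh look at kern.log rather than trusted blindly.

```python
import os
import re
import tempfile

# Constructed sample lines modelled on the kern.log extracts in this bug.
# The third line is the harmless "DFA ... upper bounds" warning, which is not
# a denial and must be ignored by the parser.
SAMPLE_LOG = """\
Aug 4 10:45:08 simon-laptop kernel: [ 101.546773] type=1400 audit(1280911508.321:55): operation="getattr" pid=2205 parent=2201 profile="/usr/lib/firefox-3.6.8/firefox-*bin" name="/etc/alternatives/mozilla-flashplugin" pid=2205 comm="firefox-bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 4 10:45:09 simon-laptop kernel: [ 101.600000] type=1400 audit(1280911509.000:56): operation="open" pid=2205 parent=2201 profile="/usr/lib/firefox-3.6.8/firefox-*bin" name="/home/user/.mozilla/firefox/abc.default/prefs.js" pid=2205 comm="firefox-bin" requested_mask="rw" denied_mask="w" fsuid=1000 ouid=1000
Aug 4 14:48:33 simon-laptop kernel: [ 85.661468] AppArmor DFA next/check upper bounds error fixed, upgrade user space tools
"""

# key=value or key="quoted value"; values may contain spaces only when quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_apparmor_line(line):
    """Return a dict of fields for a type=1400 AppArmor audit line, else None.

    The pid key appears twice in these lines; the first value is kept.
    """
    if "type=1400" not in line:
        return None
    fields = {}
    for m in KV_RE.finditer(line):
        key = m.group(1)
        val = m.group(3) if m.group(3) is not None else m.group(4)
        fields.setdefault(key, val)
    return fields


def denials(log_text):
    """Yield parsed records for lines that actually denied an access."""
    for line in log_text.splitlines():
        rec = parse_apparmor_line(line)
        if rec and rec.get("denied_mask"):
            yield rec


def summarize(log_text):
    """Collapse repeated denials into {(profile, path): set of denied mask letters}."""
    out = {}
    for rec in denials(log_text):
        out.setdefault((rec["profile"], rec["name"]), set()).update(rec["denied_mask"])
    return out


def suggest_rule(path, mask):
    """Draft an AppArmor file rule for a denied access.

    AppArmor mediates the resolved path, so a symlink is replaced by its
    target; a path that is not a symlink (or does not exist) is used as-is.
    """
    target = os.path.realpath(path)
    return f"{target} {mask},"


def demo_symlink_rule():
    """Constructed stand-in for /etc/alternatives/mozilla-flashplugin.

    Returns (drafted rule, resolved target) so the caller can check that the
    rule names the target and not the link.
    """
    tmp = tempfile.mkdtemp()
    real = os.path.join(tmp, "libflashplayer.so")
    link = os.path.join(tmp, "mozilla-flashplugin")
    with open(real, "wb") as f:
        f.write(b"\x7fELF")  # placeholder bytes, not a real plugin
    os.symlink(real, link)
    return suggest_rule(link, "rm"), os.path.realpath(real)


if __name__ == "__main__":
    for (profile, path), masks in summarize(SAMPLE_LOG).items():
        print(f"profile {profile} denied {''.join(sorted(masks))} on {path}")
        print("  candidate rule:", suggest_rule(path, "".join(sorted(masks))))
    rule, target = demo_symlink_rule()
    print("symlink demo:", rule, "(target:", target + ")")
```

After drafting a rule, reload the profile (`apparmor_parser -r /etc/apparmor.d/usr.bin.firefox`, as Simon does above), reproduce the access, and confirm the denial no longer appears in kern.log; the mask letters are passed through unchanged, so review them before adding write or mmap permissions to a profile.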
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Ah, I missed that you were running a 2.6.35 kernel on Lucid. This looks to be a duplicate of bug #599450. Please use at least 2.6.35-13.18. I am going to mark this as invalid for now. Feel free to open a new bug against apparmor (the project) if you continue to have problems after updating your kernel.

Changed in firefox (Ubuntu):
status: Incomplete → Invalid
Revision history for this message
Simon Déziel (sdeziel) wrote :

Hi Jamie,

I should have highlighted the fact that I'm not using the default Lucid kernel. I'm now using 2.6.35-14.19~lucid1 and the problem is no longer there.

But I have many messages like this in /var/log/kern.log :

Aug 4 14:48:33 simon-laptop kernel: [ 85.661468] AppArmor DFA next/check upper bounds error fixed, upgrade user space tools

Should I open a bug against apparmor for this new problem ?

Thanks

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Simon, glad it is fixed for you. The warning you see in the kern.log is known and is nothing to worry about (the kernel is fixing an issue caused by the userspace tools). A future update should fix this, but it is harmless.
