Ubuntu
firefox package

apparmor prevent Firefox from loading Google Voice plugin

Bug #632868 reported by Simon Déziel
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
firefox (Ubuntu)
New
Undecided
Unassigned

Bug Description

Binary package hint: apparmor

I installed Google Voice plugin while I use the AppArmor profile of Firefox. To make it works I had to add this :

  # Google Voice
  /opt/google/talkplugin/*.so mr,
  /opt/google/talkplugin/lib/*.so mr,
  /opt/google/talkplugin/GoogleTalkPlugin Uxr,

I think this should be added to the profile as this plugin will probably be very popular because it allows to make free call to land lines.

Here is an extract of the log with the default AA profile (including retries as I added some authorization to the profile) :

$ grep denied_mask /var/log/kern.log
Sep 5 14:45:54 simon-laptop kernel: [106066.802488] type=1503 audit(1283712354.787:46): operation="open" pid=16649 parent=16645 profile="/usr/lib/firefox-3.6.8/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/opt/google/talkplugin/libnpgoogletalk64.so"
Sep 5 14:45:54 simon-laptop kernel: [106066.803259] type=1503 audit(1283712354.787:47): operation="open" pid=16649 parent=16645 profile="/usr/lib/firefox-3.6.8/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/opt/google/talkplugin/libnpgoogletalk64.so"
Sep 5 14:45:54 simon-laptop kernel: [106066.805247] type=1503 audit(1283712354.787:48): operation="open" pid=16649 parent=16645 profile="/usr/lib/firefox-3.6.8/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/opt/google/talkplugin/libnpgtpo3dautoplugin.so"
Sep 5 14:45:54 simon-laptop kernel: [106066.805294] type=1503 audit(1283712354.787:49): operation="open" pid=16649 parent=16645 profile="/usr/lib/firefox-3.6.8/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/opt/google/talkplugin/libnpgtpo3dautoplugin.so"
Sep 5 14:48:25 simon-laptop kernel: [106217.723661] type=1503 audit(1283712505.710:53): operation="open" pid=16811 parent=16807 profile="/usr/lib/firefox-3.6.8/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/opt/google/talkplugin/libnpgoogletalk64.so"
Sep 5 14:48:25 simon-laptop kernel: [106217.723704] type=1503 audit(1283712505.710:54): operation="open" pid=16811 parent=16807 profile="/usr/lib/firefox-3.6.8/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/opt/google/talkplugin/libnpgoogletalk64.so"
Sep 5 14:48:25 simon-laptop kernel: [106217.724316] type=1503 audit(1283712505.710:55): operation="open" pid=16811 parent=16807 profile="/usr/lib/firefox-3.6.8/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/opt/google/talkplugin/lib/libCgGL.so"
Sep 5 14:48:53 simon-laptop kernel: [106245.157627] type=1503 audit(1283712533.137:59): operation="open" pid=16848 parent=16844 profile="/usr/lib/firefox-3.6.8/firefox-*bin" requested_mask="::r" denied_mask="::r" fsuid=1000 ouid=0 name="/opt/google/talkplugin/lib/libCgGL.so"
Sep 5 14:49:57 simon-laptop kernel: [106309.288246] type=1503 audit(1283712597.267:66): operation="exec" pid=17002 parent=17001 profile="/usr/lib/firefox-3.6.8/firefox-*bin" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/opt/google/talkplugin/GoogleTalkPlugin"
Sep 5 14:51:24 simon-laptop kernel: [106396.050887] type=1503 audit(1283712684.030:70): operation="exec" pid=17110 parent=17109 profile="/usr/lib/firefox-3.6.8/firefox-*bin" requested_mask="::x" denied_mask="::x" fsuid=1000 ouid=0 name="/opt/google/talkplugin/GoogleTalkPlugin"

$ lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04

$ apt-cache policy apparmor-profiles firefox google-talkplugin
apparmor-profiles:
  Installed: 2.5-0ubuntu3
  Candidate: 2.5-0ubuntu3
  Version table:
 *** 2.5-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/universe Packages
        100 /var/lib/dpkg/status
firefox:
  Installed: 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
  Candidate: 3.6.8+build1+nobinonly-0ubuntu0.10.04.1
  Version table:
 *** 3.6.8+build1+nobinonly-0ubuntu0.10.04.1 0
        500 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
        500 http://archive.ubuntu.com/ubuntu/ lucid-security/main Packages
        100 /var/lib/dpkg/status
     3.6.3+nobinonly-0ubuntu4 0
        500 http://archive.ubuntu.com/ubuntu/ lucid/main Packages
google-talkplugin:
  Installed: 1.5.1.0-1
  Candidate: 1.5.1.0-1
  Version table:
 *** 1.5.1.0-1 0
        500 http://dl.google.com/linux/talkplugin/deb/ stable/main Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: apparmor-profiles 2.5-0ubuntu3
ProcVersionSignature: Ubuntu 2.6.32-25.43-generic 2.6.32.21+drm33.7
Uname: Linux 2.6.32-25-generic x86_64
ApparmorStatusOutput:
 Error: command /usr/sbin/apparmor_status failed with exit code 4: You do not have enough privilege to read the profile set.
 apparmor module is loaded.
Architecture: amd64
Date: Tue Sep 7 23:18:28 2010
Dependencies:

EcryptfsInUse: Yes
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release amd64 (20100429)
ProcEnviron:
 LANGUAGE=en
 LANG=en_CA.utf8
 SHELL=/bin/bash
SourcePackage: apparmor

Revision history for this message
Simon Déziel (sdeziel) wrote :
Revision history for this message
Simon Déziel (sdeziel) wrote :

The file /etc/apparmor.d/usr.bin.firefox is provided by the firefox package and not apparmor-profiles

affects: apparmor (Ubuntu) → firefox (Ubuntu)
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. This particular bug has already been reported and is a duplicate of bug 626451, so it is being marked as such. Please look at the other bug report to see if there is any missing information that you can provide, or to see if there is a workaround for the bug. Additionally, any further discussion regarding the bug should occur in the other report. Feel free to continue to report any other bugs you may find.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.