Change to Firefox profile causes seemingly unrelated problems

Bug #681955 reported by roome
This bug affects 1 person
Affects: AppArmor
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

When I change the line "/usr/bin/evince PUxr," in my Firefox AppArmor profile to either "/usr/bin/evince Pxr," or "/usr/bin/evince Uxr," or when I comment the line out or delete it entirely, whenever I browse to a website with Flash content, the browser hangs and an "unresponsive script" message pops up.
Changing the line to "/usr/bin/evinc{,e} PUxr," or moving it to another location in the same profile does not trigger this behavior.
I use Kubuntu 10.04 64-bit and don't even have Evince installed; there is no /usr/bin/evince on my system.
There are no error messages when I load the modified profile and nothing gets logged to /var/log/messages when Firefox hangs.
The problem occurs in different Firefox user profiles, both with and without addons, though the slowdown is worse with more addons.
The exact same AppArmor profile doesn't cause this behavior on my 32-bit Kubuntu 10.04 netbook.
I couldn't reproduce this behavior with the official 3.6.13 aa profile, so here's the difference between my version and 3.6.13:

6c6
< /usr/lib/firefox-*/firefox-*bin {
---
> /usr/lib/firefox-3.6.13/firefox-*bin {
50c50
< deny /usr/lib/firefox-*/** w,
---
> deny /usr/lib/firefox-3.6.13/** w,
54a55,56
> deny /boot/initrd.img* r,
> deny /boot/vmlinuz* r,
57c59
< /usr/lib/firefox-*/*firefox** ixr,
---
> /usr/lib/firefox-3.6.13/** ixr,
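Review bot: On the "<" side the exec rule "/usr/lib/firefox-*/*firefox** ixr," only matches entries under the install directory whose first path component contains "firefox", where the ">" side grants ixr to everything under that directory. Any library or helper there with a different name now has to be covered by some other rule, so list the directory and confirm that each file the browser reads, maps or executes still matches something in the profile.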
72a75,80
> # Needed for the crash reporter
> owner @{PROC}/[0-9]*/environ r,
> owner @{PROC}/[0-9]*/auxv r,
> /etc/lsb-release r,
> /usr/bin/expr ix,
>
85c93
< # owner @{HOME}/** w
---
> owner @{HOME}/** w,
92,94c100,102
< # owner /media/** w,
< # owner /mnt/** w,
< # owner /srv/** w,
---
> owner /media/** w,
> owner /mnt/** w,
> owner /srv/** w,
106,107c114
< owner @{HOME}/.mozilla/**/*.sqlite* k,
< owner @{HOME}/.mozilla/**/.parentlock k,
---
> owner @{HOME}/.mozilla/**/*.{db,parentlock,sqlite}* k,
117c124
< deny /usr/lib/firefox-*/update.test w,
---
> deny /usr/lib/firefox-3.6.13/update.test w,
133a141
> /usr/bin/gnome-codec-install Uxr,
136c144
< /usr/lib/nspluginwrapper/i386/linux/npviewer Pxr,
---
> /usr/lib/nspluginwrapper/i386/linux/npviewer Uxr,
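Review bot: The "<" side switches the npviewer rule from Uxr to Pxr, and Px only succeeds when a profile attached to /usr/lib/nspluginwrapper/i386/linux/npviewer is loaded; no such profile appears anywhere in this diff. Without one the exec is refused instead of running unconfined. Because the report concerns pages with plugin (Flash) content, confirm with aa-status that an npviewer profile is loaded, or use PUxr on this line until one has been written.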
140a149,151
> # Needed for container to work in xul builds
> /usr/lib/xulrunner-*/plugin-container ixr,
>
152,154c163,166
< # /opt/Adobe/Reader9/bin/acroread Uxr
< # /usr/bin/evince PUxr,
< /usr/bin/okular Pxr,
---
> /opt/Adobe/Reader9/bin/acroread Uxr,
> /opt/Adobe/Reader9/** r,
> /usr/bin/evince PUxr,
> /usr/bin/okular Uxr,
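Review bot: "/usr/bin/okular Pxr," on the "<" side has no fallback when no okular profile is loaded, unlike the PUxr mode the ">" side uses for evince. The commented-out acroread rule has also lost its trailing comma ("# /opt/Adobe/Reader9/bin/acroread Uxr"), which becomes a parse error if the line is re-enabled as it stands.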
161,166c173,178
< # /usr/bin/ooffice Uxr,
< # /usr/bin/oocalc Uxr,
< # /usr/bin/oodraw Uxr,
< # /usr/bin/ooimpress Uxr,
< # /usr/bin/oowriter Uxr,
< # /usr/lib/openoffice/program/soffice Uxr,
---
> /usr/bin/ooffice Uxr,
> /usr/bin/oocalc Uxr,
> /usr/bin/oodraw Uxr,
> /usr/bin/ooimpress Uxr,
> /usr/bin/oowriter Uxr,
> /usr/lib/openoffice/program/soffice Uxr,
194c206
< owner @{HOME}/.java/deployment/deployment.properties k,
---
> @{HOME}/.java/deployment/deployment.properties k,
198,200c210,212
< # /usr/lib/jvm/java-*-sun-1.*/jre/bin/java cx -> firefox_java
< # /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> firefox_java
< # /usr/lib/j2*-ibm/jre/bin/java cx -> firefox_java
---
> /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} cx -> firefox_java,
> /usr/lib/jvm/java-*-sun-1.*/jre/lib/*/libnp*.so cx -> firefox_java,
> /usr/lib/j2*-ibm/jre/bin/java cx -> firefox_java,
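Review bot: All three "cx -> firefox_java" transitions are commented out on the "<" side, yet hunk 320c283 shows "profile firefox_java {" still present in that file, so the child profile can no longer be entered through these rules. Either remove the child profile too or keep the transitions; unless a rule outside this diff covers them, the parent can no longer execute the Sun or IBM java binaries at all.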
221,269d232
< #############
<
< /etc/kde4rc r,
< /etc/kubuntu-default-settings/{,**} r,
<
< owner @{HOME}/.kde/share/config/** rwkl,
< owner @{HOME}/.kde/share/apps/RecentDocuments/** rwkl,
< owner @{HOME}/.config/qtcurve/* rwkl,
< owner @{HOME}/Downloads/** rwkl,
< owner @{HOME}/dwhelper/{,**} rw,
< owner @{HOME}/.kde/** rkl,
< owner @{HOME}/.esd_auth rwk,
<
<
< /usr/bin/perl ix,
< /bin/mv ix,
< /usr/bin/ffmpeg ix,
< /usr/bin/mencoder ix,
< # /usr/bin/kde4-config ix
< /usr/lib/mozilla/** ix,
<
< /usr/bin/kwrite ix,
<
< deny /usr/lib/mozilla/** w,
<
< # gnash
< owner @{HOME}/.gnash/{,**} rw,
< owner @{HOME}/.gstreamer-*/{,**} rw,
<
< # vlc-plugin
< owner @{HOME}/.cache/vlc/** rwkl,
<
< # plugincontainer
<
< /usr/lib/firefox-*/plugin-container cx -> firefox_plugincontainer,
<
< profile firefox_plugincontainer {
< #include <abstractions/audio>
< #include <abstractions/base>
< #include <abstractions/kde>
< #include <abstractions/nameservice>
<
< /usr/lib{,32,64}/** rm,
<
< owner @{HOME}/.adobe/** rklw,
< owner @{HOME}/.macromedia/** rklw,
< owner @{HOME}/.fontconfig/** rklw,
<
< }
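Review bot: The child profile firefox_plugincontainer added on the "<" side grants only "/usr/lib{,32,64}/** rm," plus three owner rules under @{HOME}, with no execute permission of any kind, so anything plugin-container tries to launch after the "cx -> firefox_plugincontainer" transition is refused unless one of the four included abstractions allows it. The npviewer rule touched in hunk 136c144 belongs to the parent profile and does not carry over to the child. Put this child profile in complain mode and read the kernel or audit log for the paths it requests before enforcing it.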
278c241
< profile firefox_openjdk {
---
> profile firefox_openjdk {
308a272
> /usr/lib/jvm/java-6-openjdk/jre/lib/i386/client/classes.jsa m,
313,315c277,278
< owner @{HOME}/.netx/** rkw,
< owner @{HOME}/.icedteaplugin/** rkw,
<
---
> owner @{HOME}/ r,
> owner @{HOME}/** rwk,
320c283
< profile firefox_java {
---
> profile firefox_java {
333a297
> @{PROC}/loadavg r,
334a299
> /etc/debian_version r,
350c315,316
< /usr/lib/jvm/java-*-sun-1.*/jre/bin/java ix,
---
> /usr/lib/jvm/java-*-sun-1.*/jre/bin/java{,_vm} ix,
> /usr/lib/jvm/java-*-sun-1.*/jre/lib/i386/client/classes.jsa m,
360a327
> owner @{HOME}/.fontconfig/*.cache* m,

Jamie Strandboge (jdstrand) wrote :

This isn't an AppArmor upstream problem, but a problem with the Ubuntu policy. Please file a new bug in Ubuntu if you are still having this issue.

Changed in apparmor:
status: New → Invalid