Bug prevents Flash plugin from loading during Firefox sessions. Audit logs are provided. Known update to Firefox profile may help; wondering if it is secure?

Bug #968752 reported by Devin
This bug affects 1 person
Affects: apparmor (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Every time I open Firefox apparmor-notify displays a deny message of type "m" access to "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash videos, which it can now do after doing that. Question #1: What security risks play a role when I allow "m" (?) access to this folder for Firefox and do the benefits outweigh the risk to the sandbox?

After I updated my apparmor profile to allow flash videos, I no longer receive a deny message for it at every Firefox startup, but I now get a deny message of "rw" (read and write) to "/dev/nvidiactl". Question #2: Is it okay to do that (i.e. add line "/dev/nvidiactl rw," to the Firefox profile configuration for apparmor), what are the security risks of doing so, and what purpose is such a permission good for?

What I want to add to a Wishlist for the apparmor package: enable apparmor sandboxing for Firefox to every Ubuntu user once the flash gets fixed after the quoted bugs below are patched.

Here is the log that I get before I add the permission in the apparmor firefox profile to get flash to work:

Mar 29 17:11:53 username kernel: [27877.596655] type=1400 audit(1333066313.785:410): apparmor="DENIED" operation="file_mmap" parent=4670 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/zero" pid=4673 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0

Here is the log that I get after I add the permission in the apparmor firefox profile, even though by this time flash started working:

Mar 25 19:26:29 username kernel: [21002.394793] type=1400 audit(1332728789.574:427): apparmor="DENIED" operation="open" parent=4894 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=4897 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0

After enabling "/dev/nvidiactl rw," I got these bugs in the log one by one after granting permissions for each in order as follows.

Denied log before adding this line to the firefox profile, "/dev/nvidia0 rw,":

Mar 30 13:04:18 username kernel: [ 1766.955718] type=1400 audit(1333137858.144:3974): apparmor="DENIED" operation="open" parent=2635 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/nvidia0" pid=2638 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0

(i.e. I get it after I enable "/dev/nvidiactl rw,".)

Denied log before adding this line to the firefox profile, "/proc/interrupts r,":

Mar 30 13:04:18 username kernel: [ 1766.955873] type=1400 audit(1333137858.144:3975): apparmor="DENIED" operation="open" parent=2635 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/interrupts" pid=2638 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

(i.e. I get it after I enable "/dev/nvidia0 rw,".)

After enabling all of the permissions up to adding the line "/proc/interrupts r," I get the following two message examples:

Mar 30 13:04:37 username kernel: [ 1786.222046] type=1400 audit(1333137877.411:3977): apparmor="DENIED" operation="capable" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" pid=2686 comm="firefox" capability=19 capname="sys_ptrace"
Mar 30 12:57:57 username kernel: [ 1386.424496] type=1400 audit(1333137477.616:2029): apparmor="DENIED" operation="ptrace" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" pid=2479 comm="firefox" target=8002C0E98002C0E9EE

To receive no related logs of this bug I had to add the final line "sys_ptrace mixr," to the firefox apparmor profile.

Tags: patch
Revision history for this message
Devin (8basepairs) wrote :

This patch should work for Firefox 11.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "/etc/apparmor.d/usr.bin.firefox" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Devin (8basepairs)
description: updated
Devin (8basepairs)
description: updated
Devin (8basepairs)
description: updated
Devin (8basepairs)
description: updated
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Newer releases have ptrace mediation and this should be addressed in those profiles.

Changed in apparmor (Ubuntu):
status: New → Fix Released