AppArmor set to enforce mode breaks plugin installation

Bug #1241513 reported by Adam Porter
This bug affects 3 people
Affects    Status   Importance  Assigned to  Milestone
Pipelight  Triaged  Wishlist    Unassigned

Bug Description

I'm using Raring. AppArmor is breaking installation. How does it work for anyone in Ubuntu?

[525586.920163] type=1400 audit(1382094229.267:57): apparmor="DENIED" operation="exec" parent=9596 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/share/pipelight/hw-accel-default" pid=9633 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[525586.927659] type=1400 audit(1382094229.271:58): apparmor="DENIED" operation="exec" parent=9596 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/share/pipelight/install-dependency" pid=9634 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[525656.004959] type=1400 audit(1382094298.352:59): apparmor="DENIED" operation="exec" parent=9713 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/share/pipelight/hw-accel-default" pid=9717 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[525656.008875] type=1400 audit(1382094298.356:60): apparmor="DENIED" operation="exec" parent=9713 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/share/pipelight/install-dependency" pid=9718 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[525656.017773] type=1400 audit(1382094298.364:61): apparmor="DENIED" operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[525719.962174] type=1400 audit(1382094362.309:62): apparmor="DENIED" operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[525847.269813] type=1400 audit(1382094489.615:63): apparmor="DENIED" operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[526597.501260] type=1400 audit(1382095239.850:64): apparmor="DENIED" operation="open" parent=11475 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/kde4/kdeglobals" pid=10559 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[526598.624700] type=1400 audit(1382095240.970:65): apparmor="DENIED" operation="exec" parent=10559 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/share/pipelight/hw-accel-default" pid=10580 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[526598.631912] type=1400 audit(1382095240.974:66): apparmor="DENIED" operation="exec" parent=10559 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/share/pipelight/install-dependency" pid=10581 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[526774.061561] type=1400 audit(1382095416.408:67): apparmor="DENIED" operation="open" parent=26945 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/kde4/kdeglobals" pid=10840 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[526986.976129] type=1400 audit(1382095629.323:68): apparmor="DENIED" operation="open" parent=26945 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/kde4/kdeglobals" pid=11291 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[526987.585758] type=1400 audit(1382095629.931:69): apparmor="DENIED" operation="exec" parent=11291 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/share/pipelight/hw-accel-default" pid=11312 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[526987.594351] type=1400 audit(1382095629.939:70): apparmor="DENIED" operation="exec" parent=11291 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/share/pipelight/install-dependency" pid=11313 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Sebastian Lackner (slackner) wrote : Re: [Bug 1241513] [NEW] AppArmor breaks plugin installation

Hi,

unfortunately it's not possible to use Pipelight when AppArmor is enabled
and configured too strictly. Based on the way Pipelight works it needs to
execute external programs (e.g. the installer script, the Windows
Silverlight plugin, ...) which is obviously blocked by your AppArmor
profile. Similar problems also occur when running SELinux.

The output shows that your AppArmor assumes Pipelight is just a regular
browser plugin, and thus isn't allowed to execute the required commands. Have
you configured anything special, or is this the default configuration
for your Ubuntu distribution?

So far no one else has experienced this issue, probably because most other
people have configured AppArmor less strictly or completely disabled it. I'll
take a closer look at this problem later and will try to find out which
exceptions exactly are necessary.

Sebastian

2013/10/18 Adam Porter <email address hidden>

> Public bug reported:
>
> I'm using Raring. AppArmor is breaking installation. How does it work
> for anyone in Ubuntu?
>
> [525586.920163] type=1400 audit(1382094229.267:57): apparmor="DENIED"
> operation="exec" parent=9596 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/hw-accel-default" pid=9633 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [525586.927659] type=1400 audit(1382094229.271:58): apparmor="DENIED"
> operation="exec" parent=9596 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/install-dependency" pid=9634 comm="firefox"
> requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [525656.004959] type=1400 audit(1382094298.352:59): apparmor="DENIED"
> operation="exec" parent=9713 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/hw-accel-default" pid=9717
> comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [525656.008875] type=1400 audit(1382094298.356:60): apparmor="DENIED"
> operation="exec" parent=9713 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/usr/share/pipelight/install-dependency" pid=9718
> comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
> [525656.017773] type=1400 audit(1382094298.364:61): apparmor="DENIED"
> operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
> [525719.962174] type=1400 audit(1382094362.309:62): apparmor="DENIED"
> operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
> [525847.269813] type=1400 audit(1382094489.615:63): apparmor="DENIED"
> operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
> name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r"
> denied_mask="r" fsuid=1000 ouid=0
> [526597.501260] type=1400 audit(1382095239.850:64): apparmor="DENIED"
> operation="open" parent=11475
> profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/kde4/kdeglobals"
> pid=10559 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0
...


Michael Müller (mqchael) wrote : Re: AppArmor breaks plugin installation

Hi,

you can use Pipelight with Firefox, although the AppArmor profile for Firefox is set to enforce, by adding the following lines:

/usr/share/pipelight/hw-accel-default Ux,
/usr/share/pipelight/install-dependency Ux,
/opt/wine-compholio/bin/wine Ux,

to /etc/apparmor.d/local/usr.bin.firefox or creating it if it does not exist. This file defines local exceptions which are not part of a default Firefox installation.

This solution is not perfect since the three listed files are not secured by AppArmor, but I don't have an AppArmor profile for them yet and it might also be very complicated to define rules for Wine. Moreover, we are also working on a Sandbox for the Windows plugins which should be even a bit more secure than AppArmor rules. This should make it needless to additionally secure them via AppArmor or SELinux and should provide the same security independently from the installed security mechanisms. Although the above workaround may be a bit less secure I would still think that it's acceptable in the meantime.

Michael
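
Added example (not part of the original thread and not Pipelight code): the Python below parses the AppArmor DENIED records from the report and checks which of them the three `Ux` lines above would cover. It handles only literal-path rules, and the function names are chosen for this example.

```python
import re
from collections import Counter

# Five of the denials from the report above, copied unchanged.
SAMPLE_LOG = """\
[525586.920163] type=1400 audit(1382094229.267:57): apparmor="DENIED" operation="exec" parent=9596 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/share/pipelight/hw-accel-default" pid=9633 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[525586.927659] type=1400 audit(1382094229.271:58): apparmor="DENIED" operation="exec" parent=9596 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/share/pipelight/install-dependency" pid=9634 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[525656.004959] type=1400 audit(1382094298.352:59): apparmor="DENIED" operation="exec" parent=9713 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/share/pipelight/hw-accel-default" pid=9717 comm="plugin-containe" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[525656.017773] type=1400 audit(1382094298.364:61): apparmor="DENIED" operation="open" parent=9600 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/issue" pid=9713 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[526597.501260] type=1400 audit(1382095239.850:64): apparmor="DENIED" operation="open" parent=11475 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/kde4/kdeglobals" pid=10559 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# The three lines proposed for /etc/apparmor.d/local/usr.bin.firefox.
LOCAL_RULES = """\
/usr/share/pipelight/hw-accel-default Ux,
/usr/share/pipelight/install-dependency Ux,
/opt/wine-compholio/bin/wine Ux,
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_denials(log):
    """Yield the key=value fields of every AppArmor DENIED record."""
    for line in log.splitlines():
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields.get("apparmor") == "DENIED":
            yield fields

def parse_rules(text):
    """Map path -> permissions for literal 'path perms,' rules (no globs)."""
    rules = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(",").split()
        if len(parts) == 2:
            rules[parts[0]] = parts[1]
    return rules

def triage(log, rules_text):
    """Return (covered, remaining, unconfined) for the denials in log."""
    rules = parse_rules(rules_text)
    counts = Counter((d["name"], d["denied_mask"]) for d in parse_denials(log))
    covered, remaining = {}, {}
    for (path, mask), n in counts.items():
        granted = rules.get(path, "").lower()  # any exec mode (ix, Px, Ux) grants x
        ok = all(m in granted for m in mask)
        (covered if ok else remaining)[(path, mask)] = n
    # ux/Ux run the target with no profile at all, so list those for review.
    unconfined = sorted(p for p, perms in rules.items() if perms.lower() == "ux")
    return covered, remaining, unconfined
```

On this data the two exec denials are covered, the reads of /etc/issue and /etc/kde4/kdeglobals stay denied, and all three added paths are reported as running unconfined.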

Adam Porter (alphapapa) wrote :

Thanks for your help. I don't recall ever changing my AppArmor settings from the defaults, but I have upgraded this system all the way from 8.04 Hardy, so maybe I forgot, or maybe something was left over from an old upgrade. I disabled the Firefox AppArmor profile and it worked perfectly. Thanks for your work in finally getting Netflix working in Linux! Amazing. I will try your suggestions too.

Michael Müller (mqchael) wrote :

Hi,

I switched the importance of the bug to Wishlist since I don't know of any Ubuntu version which sets the browser's AppArmor profile to enforce and I couldn't reproduce it with either 12.04 or 13.10 without manually changing the AppArmor settings. Nevertheless it would be nice to provide a file with exceptions during the installation. The only problem is that we would need to do this for every browser since AppArmor associates the Pipelight libraries with the browser's executable and doesn't use a separate profile for them.

Michael

Changed in pipelight:
status: New → Triaged
importance: Undecided → Wishlist
summary: - AppArmor breaks plugin installation
+ AppArmor set to enforce mode breaks plugin installation

Shahar Roth (rothshahar) wrote :

Ubuntu 14.04 has AppArmor in enforcing mode and it prevents the plugin from loading successfully - https://answers.launchpad.net/pipelight/+question/251075

prawns (prawns) wrote :

Hi,

I've installed Pipelight from this tutorial http://zecheru.com/how-to-install-silverlight-on-ubuntu-14-04/
Restarted Firefox - no success (still can't stream and see a message that I need to install Silverlight)
Rebooted system - the same thing.
Opened content in Chromium - success.

My Ubuntu: 14.04.2 LTS

Please let me know what shall I do to be able to open it in my browser of choice (Firefox).

Thanks.
