apparmor denies access to /usr/lib/jvm/java-7-openjdk-amd64/bin/java when using icedtea-7-plugin

Bug #1003856 reported by Max Krasilnikov on 2012-05-24
26
This bug affects 5 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Low
Jamie Strandboge
Precise
Low
Unassigned
Quantal
Undecided
Unassigned

Bug Description

1.
Description: Ubuntu 12.04 LTS
Release: 12.04

2.
apparmor:
  Installed: 2.7.102-0ubuntu3
  Candidate: 2.7.102-0ubuntu3
  Version table:
 *** 2.7.102-0ubuntu3 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
        100 /var/lib/dpkg/status

3. Expected result: working icedtea-7-plugin with apparmor and firefox.
4. When using apparmor with firefox and icedtea-7-plugin access to /usr/lib/jvm/java-7-openjdk-amd64/bin/java is denied. Problem is in /etc/apparmor.d/abstractions/ubuntu-browsers.d/java:
...
  /usr/lib/jvm/java-6-openjdk*/jre/lib/*/IcedTeaPlugin.so mr,
  /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
  /usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
...
    /usr/lib/jvm/java-6-openjdk*/jre/bin/java ix,
    /usr/lib/jvm/java-6-openjdk*/jre/lib/i386/client/classes.jsa m,
...
There are hardcoded jvm versions. When changing them to java-7-openjdk* problem is fixed.

Logs:
May 24 12:27:21 ad2 kernel: [2321420.007034] type=1400 audit(1337851641.949:5055): apparmor="DENIED" operation="exec" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java" pid=29785 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3
ProcVersionSignature: Ubuntu 3.2.0-24.37-generic 3.2.14
Uname: Linux 3.2.0-24-generic x86_64
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Thu May 24 12:28:17 2012
ProcEnviron:
 TERM=xterm
 PATH=(custom, user)
 LANG=C
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.2.0-24-generic root=UUID=bd96e5bc-9915-40e7-b5bf-5e63590d3ea5 ro
SourcePackage: apparmor
UpgradeStatus: Upgraded to precise on 2012-04-26 (27 days ago)

Max Krasilnikov (pseudo) wrote :
Max Krasilnikov (pseudo) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Ubuntu):
importance: Undecided → Low
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

---------------
apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
      0003-add-aa-easyprof.patch
      0005-clean-common-from-vim.patch
      0006-use-linux-capability-h.patch
      0008-apparmor-lp963756.patch
      0009-apparmor-lp959560-part1.patch
      0010-apparmor-lp959560-part2.patch
      0011-apparmor-lp872446.patch
      0012-apparmor-lp978584.patch
      0013-apparmor-lp800826.patch
      0014-apparmor-lp979095.patch
      0015-apparmor-lp963756.patch
      0016-apparmor-lp968956.patch
      0017-apparmor-lp979135.patch
      0018-lp990931.patch
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based
    on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
    CAP_EPOLLWAKEUP
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling setup.py
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
      dist-packages
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 10:53:17 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Craig (craig-st) wrote :

Hi Jamie,

Thanks for your work for quantal. Do you think this is worth an SRU or not? It would be nice to see this fixed in LTS (precise).

Changed in apparmor (Ubuntu Precise):
assignee: nobody → Chris Coulson (chrisccoulson)
status: New → Triaged
assignee: Chris Coulson (chrisccoulson) → nobody
Changed in apparmor (Ubuntu Quantal):
status: New → Fix Released
Changed in apparmor (Ubuntu Precise):
importance: Undecided → Low
Dude4Linux (dude4linux) wrote :

Still waiting for apparmor (2.8.0-0ubuntu1) to be backported to Ubuntu Precise. It's important to get the latest Java 7 working for Precise. Packages are available oracle-java7-installer and openjdk-7-jre, but I couldn't get either one to function correctly. I finally found this bug report and was able to get openjdk-7-jre and the icedtea plugin working by modifying /etc/apparmor.d/abstractions/ubuntu-browsers.d/java as described above. I suspect that apparmor was also causing the problems with the Oracle Java7 install.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers