apparmor denies access to /usr/lib/jvm/java-7-openjdk-amd64/bin/java when using icedtea-7-plugin

Bug #1003856 reported by Max Krasilnikov
This bug affects 5 people
Affects: apparmor (Ubuntu)
Assigned to: Jamie Strandboge

Bug Description

Description: Ubuntu 12.04 LTS
Release: 12.04

  Installed: 2.7.102-0ubuntu3
  Candidate: 2.7.102-0ubuntu3
  Version table:
 *** 2.7.102-0ubuntu3 0
        500 precise/main amd64 Packages
        100 /var/lib/dpkg/status

3. Expected result: working icedtea-7-plugin with apparmor and firefox.
4. When using apparmor with firefox and icedtea-7-plugin, access to /usr/lib/jvm/java-7-openjdk-amd64/bin/java is denied. The problem is in /etc/apparmor.d/abstractions/ubuntu-browsers.d/java:
  /usr/lib/jvm/java-6-openjdk*/jre/lib/*/ mr,
  /usr/lib/jvm/java-6-openjdk/jre/bin/java cx -> browser_openjdk,
  /usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java cx -> browser_openjdk,
    /usr/lib/jvm/java-6-openjdk*/jre/bin/java ix,
    /usr/lib/jvm/java-6-openjdk*/jre/lib/i386/client/classes.jsa m,
There are hardcoded jvm versions. When changing them to java-7-openjdk*, the problem is fixed.

May 24 12:27:21 ad2 kernel: [2321420.007034] type=1400 audit(1337851641.949:5055): apparmor="DENIED" operation="exec" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java" pid=29785 comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: apparmor 2.7.102-0ubuntu3
ProcVersionSignature: Ubuntu 3.2.0-24.37-generic 3.2.14
Uname: Linux 3.2.0-24-generic x86_64
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Thu May 24 12:28:17 2012
 PATH=(custom, user)
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-3.2.0-24-generic root=UUID=bd96e5bc-9915-40e7-b5bf-5e63590d3ea5 ro
SourcePackage: apparmor
UpgradeStatus: Upgraded to precise on 2012-04-26 (27 days ago)
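
The mismatch described in the report can be checked mechanically. The following is an added example, not part of the original report or of AppArmor itself: it parses the denial record quoted above and tests the denied path against the quoted rule patterns. The glob translation is a simplified subset of AppArmor's syntax (`*`, `**`, `?`, `{a,b}`), and the function names are hypothetical.

```python
import re

# Denial record quoted in the bug description above (syslog prefix dropped).
LOG = ('type=1400 audit(1337851641.949:5055): apparmor="DENIED" operation="exec" '
       'parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" '
       'name="/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java" pid=29785 '
       'comm="firefox" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0')

# Path patterns of the rules quoted from abstractions/ubuntu-browsers.d/java.
# Permissions (mr, cx, ix, m) and profile nesting are ignored in this check.
RULES = [
    "/usr/lib/jvm/java-6-openjdk*/jre/lib/*/",
    "/usr/lib/jvm/java-6-openjdk/jre/bin/java",
    "/usr/lib/jvm/java-6-openjdk-{amd64,armel,armhf,i386,powerpc}/jre/bin/java",
    "/usr/lib/jvm/java-6-openjdk*/jre/bin/java",
    "/usr/lib/jvm/java-6-openjdk*/jre/lib/i386/client/classes.jsa",
]
# The reporter's workaround: the same rules with java-6 changed to java-7.
WORKAROUND = [r.replace("java-6-openjdk", "java-7-openjdk") for r in RULES]

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    fields = {key: quoted or bare for key, quoted, bare in pairs}
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Translate a subset of AppArmor globbing into a compiled regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** may cross directory separators
            out.append(".*"); i += 2; continue
        if c == "*": out.append("[^/]*")  # * stays within one path component
        elif c == "?": out.append("[^/]")
        elif c == "{": out.append("(?:"); depth += 1
        elif c == "}" and depth: out.append(")"); depth -= 1
        elif c == "," and depth: out.append("|")
        else: out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def matching_rules(path, rules):
    """List the rule patterns that match the whole path."""
    return [r for r in rules if glob_to_regex(r).fullmatch(path)]

if __name__ == "__main__":
    denied = parse_denial(LOG)
    print("denied:", denied["operation"], denied["name"])
    print("shipped rules matching:", matching_rules(denied["name"], RULES))
    print("workaround rules matching:", matching_rules(denied["name"], WORKAROUND))
```
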

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Ubuntu):
importance: Undecided → Low
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu1

apparmor (2.8.0-0ubuntu1) quantal; urgency=low

  * New upstream release
    - Drop the following patches, now included upstream:
  * Rename 0007-ubuntu-manpage-updates.patch to 0003
  * debian/patches/0005-lp1019274.patch: add python3 support. Patch based
    on work from Dmitrijs Ledkovs. (LP: #1019274)
  * debian/patches/0006-cap-epollwakeup.patch: adjust severity.db for
  * debian/patches/0007-setuptools-python3.patch: adjust setuptools-python3 to
    adjust scripts to use PYTHON if it is defined
  * debian/patches/0008-libapparmor-layout-deb.patch: use --install-layout=deb
    when calling
  * enable python3 in the build:
    - debian/rules:
      + use python3 as default PYTHON
      + build libapparmor with both python2 and python3
    - debian/control:
      + Build-Depends on python3-all-dev and python3
      + adjust apparmor to Depends on ${python3:Depends}
      + adjust apparmor-utils to Depends on ${python3:Depends}
      + add python3-libapparmor package
    - add debian/python3-libapparmor.install
    - debian/python-libapparmor.install: adjust to use python2 and
  * debian/patches/0009-lp1003856.patch: update ubuntu-browsers.d/java for
    IcedTea 7 (LP: #1003856)
  * debian/patches/0010-lp972367.patch: allow software center to work again
    from browsers (LP: #972367)
  * debian/patches/0011-lp1013887.patch: let sanitized helper work with
    /usr/local. Patch based on work by Reuben Thomas. (LP: #1013887)
  * debian/patches/0012-lp964510.patch: allow Google Chrome and
    chromium-browser to work under sanitized helper (LP: #964510)
  * debian/patches/0013-lp987578.patch: ubuntu-integration does not work
    properly with exo-open. Fix thanks to Mark Ramsell (LP: #987578)
  * debian/patches/0014-lp933440.patch: update skype example profile to work
    with latest skype. Based on work by Ivan Frederiks (LP: #933440)
 -- Jamie Strandboge <email address hidden> Thu, 05 Jul 2012 10:53:17 -0500

Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Craig (craig-st) wrote :

Hi Jamie,

Thanks for your work for quantal. Do you think this is worth an SRU or not? It would be nice to see this fixed in LTS (precise).

Changed in apparmor (Ubuntu Precise):
assignee: nobody → Chris Coulson (chrisccoulson)
status: New → Triaged
assignee: Chris Coulson (chrisccoulson) → nobody
Changed in apparmor (Ubuntu Quantal):
status: New → Fix Released
Changed in apparmor (Ubuntu Precise):
importance: Undecided → Low
Dude4Linux (dude4linux) wrote :

Still waiting for apparmor (2.8.0-0ubuntu1) to be backported to Ubuntu Precise. It's important to get the latest Java 7 working for Precise. The packages oracle-java7-installer and openjdk-7-jre are available, but I couldn't get either one to function correctly. I finally found this bug report and was able to get openjdk-7-jre and the icedtea plugin working by modifying /etc/apparmor.d/abstractions/ubuntu-browsers.d/java as described above. I suspect that apparmor was also causing the problems with the Oracle Java7 install.

Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in apparmor (Ubuntu Precise):
status: Triaged → Won't Fix