apparmor complains about webapps and /run/shm/

Bug #1056418 reported by James Troup on 2012-09-25
This bug affects 1 person
Affects: apparmor (Ubuntu) | Importance: Medium | Assigned to: Steve Beattie
Affects: Quantal | Importance: Medium | Assigned to: Steve Beattie

Bug Description

Sep 25 20:45:33 ornery kernel: [ 66.044761] type=1400 audit(1348602333.026:81): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/james/.local/share/unity-webapps/availableapps.db" pid=3460 comm="firefox" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
Sep 25 20:45:34 ornery kernel: [ 67.419678] type=1400 audit(1348602334.407:82): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/shm/sem.iQETGb" pid=3460 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

This is on current quantal with the firefox apparmor profile as shipped.

Micah Gersten (micahg) on 2012-09-25
tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

Moving to apparmor because this will be handled in a new abstraction: /etc/apparmor.d/abstractions/ubuntu-browsers.d/webapps.

I can reproduce the first denial, but not the second. What website did you visit that triggered this?

affects: firefox (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
milestone: none → ubuntu-12.10
status: New → Incomplete

Jamie Strandboge <email address hidden> writes:

> I can reproduce the first denial, but not the second. What website did
> you visit that triggered this?

I got it before visiting a website. After bisecting through my plugins,
it appears to be lastpass which is trying to create the /run/shm/
semaphore.

(It still works fine even though the mknod call is blocked, FWIW.)

--
James

Changed in apparmor (Ubuntu):
status: Incomplete → New
Changed in apparmor (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Steve Beattie (sbeattie)
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu5

---------------
apparmor (2.8.0-0ubuntu5) quantal; urgency=low

  [ Micah Gersten ]
  * Allow /etc/vdpau_wrapper.cfg r and /var/lib/xine/gxine.desktop r
    in the multimedia browser abstraction (LP: #1057642)
    - update profiles/apparmor.d/abstractions/ubuntu-browsers.d/multimedia

  [ Steve Beattie ]
  * debian/control: make libnotify-bin a Recommends rather than a
    Depends for use in server environments (LP: #1061879)
  * debian/patches/0020-coredump_tests.patch: fix coredump regression
    tests (LP: #1050430)
  * debian/patches/0021-webapps_abstraction.patch: add a few items
    triggered by using and installing webapps in firefox (LP: #1056418)
  * debian/patches/0022-aa-decode-stdin.patch: fix aa-decode to process
    stdin correctly and decode encoded profiles names
 -- Steve Beattie <email address hidden> Tue, 09 Oct 2012 12:44:56 -0700

Changed in apparmor (Ubuntu Quantal):
status: Triaged → Fix Released
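
Turning the two denials from the bug description into candidate profile rules for review, as an added example that is not part of the original report or of the apparmor package. The function names, the `@{HOME}` and `sem.*` generalisations and the resulting rule text are this example's assumptions, not the contents of 0021-webapps_abstraction.patch.

```python
import re

# The two denials from the bug description, copied verbatim.
LOG = """\
Sep 25 20:45:33 ornery kernel: [ 66.044761] type=1400 audit(1348602333.026:81): apparmor="DENIED" operation="file_lock" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/james/.local/share/unity-webapps/availableapps.db" pid=3460 comm="firefox" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
Sep 25 20:45:34 ornery kernel: [ 67.419678] type=1400 audit(1348602334.407:82): apparmor="DENIED" operation="mknod" parent=1 profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/shm/sem.iQETGb" pid=3460 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The audit subsystem logs these as bare hex when they contain characters
# that need escaping (the case aa-decode exists for).
HEX_FIELDS = {"name", "profile", "comm"}
# Mask letters that appear only in logs; in rule syntax "w" covers both.
MASK_TO_RULE = {"c": "w", "d": "w"}


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for m in FIELD.finditer(line):
        key, quoted, bare = m.groups()
        if quoted is not None:
            fields[key] = quoted
        elif key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            fields[key] = bytes.fromhex(bare).decode("utf-8", "replace")
        else:
            fields[key] = bare
    return fields if fields.get("apparmor") == "DENIED" else None


def candidate_rule(d):
    """Build one rule line for a human to review (heuristics are assumptions)."""
    path = re.sub(r"^/home/[^/]+/", "@{HOME}/", d["name"])
    # Assumption: a six-character suffix after "sem." is a random temp name.
    path = re.sub(r"/sem\.[A-Za-z0-9]{6}$", "/sem.*", path)
    perms = "".join(sorted({MASK_TO_RULE.get(c, c) for c in d["denied_mask"]}))
    # Only add "owner" when the process uid matched the object's owner.
    owner = "owner " if d.get("fsuid") == d.get("ouid") else ""
    return f"{owner}{path} {perms},"


def rules_for(log):
    """Deduplicated candidate rules for every denial in a log excerpt."""
    denials = filter(None, map(parse_denial, log.splitlines()))
    return sorted({candidate_rule(d) for d in denials})


if __name__ == "__main__":
    print("\n".join(rules_for(LOG)))
```

The output is a starting point for review against the existing abstractions, not a rule set to paste in unread; the lastpass semaphore denial in particular was reported as harmless to functionality.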