Firefox profile denied messages with google hangouts

Bug #1403050 reported by James Westby on 2014-12-16
This bug affects 2 people
Affects: apparmor (Ubuntu)
Importance: Low
Assigned to: Unassigned

Bug Description

Hi,

I am using apparmor on trusty, with the firefox profile in enforce mode.

I have just tried hangouts for the first time under the profile, and there are two DENIED:

Dec 16 12:36:31 superstar kernel: [191033.672376] type=1400 audit(1418733391.061:436): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/video0" pid=19492 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Which means that it thinks I have no webcam. I don't know if this should be allowed or not. I'd prefer to enable my webcam in a hangout, but I can see an argument for denying this to firefox.

Dec 16 12:36:37 superstar kernel: [191039.824064] type=1400 audit(1418733397.217:440): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/shm/google-nacl-shm--19492.3" pid=19492 comm="GoogleTalkPlugi" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I assume this is something to do with NaCl. I haven't noticed anything that is broken by this.

Thanks,

James

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: apparmor 2.8.95~2430-0ubuntu5.1
ProcVersionSignature: Ubuntu 3.13.0-43.72-generic 3.13.11.11
Uname: Linux 3.13.0-43-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
CurrentDesktop: Unity
Date: Tue Dec 16 12:58:32 2014
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.13.0-43-generic root=/dev/mapper/hostname--vg-root ro quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:

UpgradeStatus: No upgrade log present (probably fresh install)

James Westby (james-w) wrote :
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
affects: apparmor (Ubuntu) → firefox (Ubuntu)
tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

In thinking about this, I don't think the firefox profile should be changed but instead we should add something to /etc/apparmor.d/abstractions/ubuntu-browsers.d/. In theory, we could add policy to 'multimedia', but perhaps it makes sense to add a new abstraction.

These appear to be the rules that are needed:
  /dev/video[0-9]* rw,
  /sys/devices/**/video4linux/** r,
  owner /run/shm/google-* rw,
  /opt/google/talkplugin/** r,
  owner @{HOME}/.config/google-googletalkplugin/ rw,
  owner @{HOME}/.config/google-googletalkplugin/** rwk,
  unix bind type=dgram addr=@google-nacl*,

affects: firefox (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
status: Confirmed → Triaged
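As an added illustration of how the two DENIED lines in the report turn into the candidate rules proposed above, here is a small Python helper (written for this page, not part of the bug report and not AppArmor's own aa-logprof) that parses audit lines of that shape and merges them into file rules. It assumes the usual mapping of the audit 'c' and 'd' masks onto the policy permission 'w', and adds the 'owner' qualifier only when ouid equals fsuid.

```python
import re

# The two apparmor="DENIED" lines from the bug description above.
SAMPLE_LOG = """\
Dec 16 12:36:31 superstar kernel: [191033.672376] type=1400 audit(1418733391.061:436): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/video0" pid=19492 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Dec 16 12:36:37 superstar kernel: [191039.824064] type=1400 audit(1418733397.217:440): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/shm/google-nacl-shm--19492.3" pid=19492 comm="GoogleTalkPlugi" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
"""

# key="quoted value"  or  key=bare_value
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Audit masks with no policy keyword of their own: file creation ('c') and
# deletion ('d') are both granted by 'w' in a profile rule.
_MASK_TO_PERM = {"c": "w", "d": "w"}
_PERM_ORDER = "rwaklm"

def parse_denial(line):
    """Return the key/value fields of one apparmor="DENIED" line, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: quoted or bare for key, quoted, bare in _FIELD.findall(line)}

def suggest_rules(log_text):
    """Map each confined profile to a sorted list of candidate file rules.

    Denials for the same path are merged. 'owner' is added only when the
    object's owner (ouid) is the requesting user (fsuid): root-owned
    /dev/video0 stays unqualified, the user's own /run/shm segment does not.
    """
    wanted = {}  # (profile, owner, path) -> set of permission letters
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if not fields or "name" not in fields or "denied_mask" not in fields:
            continue  # not a file denial (e.g. a network or signal denial)
        owner = fields.get("ouid") == fields.get("fsuid")
        perms = {_MASK_TO_PERM.get(c, c) for c in fields["denied_mask"]}
        key = (fields["profile"], owner, fields["name"])
        wanted.setdefault(key, set()).update(perms)

    rules = {}
    for (profile, owner, path), perms in wanted.items():
        mode = "".join(p for p in _PERM_ORDER if p in perms)
        rules.setdefault(profile, []).append(f"{'owner ' if owner else ''}{path} {mode},")
    return {profile: sorted(lines) for profile, lines in rules.items()}

if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print(f"# rules needed by profile {profile}")
        for rule in rules:
            print(f"  {rule}")
```

The shared-memory name embeds the plugin's pid, so the generated rule still has to be widened by hand into a glob such as the `owner /run/shm/google-* rw,` proposed in the comment above; the helper only shows which objects and modes were refused and by which profile.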
Christian Boltz (cboltz) wrote :

Seeing comm="GoogleTalkPlugi" I think it might be worth a child profile, so that the permissions of the main profile don't become too broad.

Changed in apparmor (Ubuntu):
importance: Undecided → Low