Firefox profile denied messages with google hangouts

Bug #1403050 reported by James Westby
This bug affects 2 people
Affects: apparmor (Ubuntu)
Status: Triaged
Importance: Low
Assigned to: Unassigned

Bug Description

Hi,

I am using apparmor on trusty, with the firefox profile in enforce mode.

I have just tried hangouts for the first time under the profile, and there are two DENIED:

Dec 16 12:36:31 superstar kernel: [191033.672376] type=1400 audit(1418733391.061:436): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/video0" pid=19492 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Which means that it thinks I have no webcam. I don't know if this should be allowed or not. I'd prefer to enable my webcam in a hangout, but I can see an argument for denying this to firefox.

Dec 16 12:36:37 superstar kernel: [191039.824064] type=1400 audit(1418733397.217:440): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/shm/google-nacl-shm--19492.3" pid=19492 comm="GoogleTalkPlugi" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000

I assume this is something to do with NaCl. I haven't noticed anything that is broken by this.

Thanks,

James

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: apparmor 2.8.95~2430-0ubuntu5.1
ProcVersionSignature: Ubuntu 3.13.0-43.72-generic 3.13.11.11
Uname: Linux 3.13.0-43-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
CurrentDesktop: Unity
Date: Tue Dec 16 12:58:32 2014
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-3.13.0-43-generic root=/dev/mapper/hostname--vg-root ro quiet splash vt.handoff=7
SourcePackage: apparmor
Syslog:

UpgradeStatus: No upgrade log present (probably fresh install)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
affects: apparmor (Ubuntu) → firefox (Ubuntu)
tags: added: apparmor
Jamie Strandboge (jdstrand) wrote :

In thinking about this, I don't think the firefox profile should be changed but instead we should add something to /etc/apparmor.d/abstractions/ubuntu-browsers.d/. In theory, we could add policy to 'multimedia', but perhaps it makes sense to add a new abstraction.

These appear to be the rules that are needed:
  /dev/video[0-9]* rw,
  /sys/devices/**/video4linux/** r,
  owner /run/shm/google-* rw,
  /opt/google/talkplugin/** r,
  owner @{HOME}/.config/google-googletalkplugin/ rw,
  owner @{HOME}/.config/google-googletalkplugin/** rwk,
  unix bind type=dgram addr=@google-nacl*,

affects: firefox (Ubuntu) → apparmor (Ubuntu)
Changed in apparmor (Ubuntu):
status: Confirmed → Triaged
Christian Boltz (cboltz) wrote :

Seeing comm="GoogleTalkPlugi" I think it might be worth a child profile, so that the permissions of the main profile don't become too broad.

Mathew Hodson (mhodson)
Changed in apparmor (Ubuntu):
importance: Undecided → Low
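
Added example, not part of the bug report or of AppArmor's own tooling: a small Python check that parses the two DENIED records from the description and reports which of the file rules proposed in the thread would cover each one. The glob matcher and the log-mask-to-policy mapping are simplified assumptions, and the @{HOME} and unix rules are left out.

```python
import re

# The two denial records quoted in the bug description.
LOG = [
    'Dec 16 12:36:31 superstar kernel: [191033.672376] type=1400 audit(1418733391.061:436): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/dev/video0" pid=19492 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'Dec 16 12:36:37 superstar kernel: [191039.824064] type=1400 audit(1418733397.217:440): apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/run/shm/google-nacl-shm--19492.3" pid=19492 comm="GoogleTalkPlugi" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
]
# File rules proposed in the thread: (owner-only?, path glob, permissions).
RULES = [
    (False, "/dev/video[0-9]*", "rw"),
    (False, "/sys/devices/**/video4linux/**", "r"),
    (True, "/run/shm/google-*", "rw"),
    (False, "/opt/google/talkplugin/**", "r"),
]
# Assumption: logged masks c/d/a (create, delete, append) are granted by "w".
LOG_TO_POLICY = {"c": "w", "d": "w", "a": "w"}

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def glob_to_regex(glob):
    """Simplified AppArmor globbing: ** crosses '/', * does not, [..] is a class."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "[":
            j = glob.index("]", i)
            out, i = out + glob[i:j + 1], j + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def covering_rule(event):
    """Return the glob of the first rule that permits the denied access, else None."""
    need = {LOG_TO_POLICY.get(m, m) for m in event["denied_mask"]}
    for owner_only, glob, perms in RULES:
        if owner_only and event["fsuid"] != event["ouid"]:
            continue  # an 'owner' rule applies only when the task owns the file
        if glob_to_regex(glob).match(event["name"]) and need <= set(perms):
            return glob
    return None

def review(lines):
    events = [e for e in map(parse_denial, lines) if e]
    return [(e["comm"], e["operation"], e["name"], covering_rule(e)) for e in events]
```

The /dev/video0 record has fsuid=1000 and ouid=0, so only a rule without the owner qualifier can cover it, which matches how the proposed rules are written.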