From v49.0, Firefox needs read access to @{PROC}/net/arp
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | | High | Unassigned |
Bug Description
Since the latest upgrade of Firefox to 49.0, it will need read access to @{PROC}/net/arp.
I don't know what the security implications are, so I don't know if we want to give read access or explicitly deny it. Both seem to work.
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apparmor-profiles 2.10.95-0ubuntu2.2
ProcVersionSign
Uname: Linux 4.4.0-38-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Sep 29 16:55:21 2016
InstallationDate: Installed on 2015-10-04 (361 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151002)
PackageArchitec
ProcKernelCmdline: BOOT_IMAGE=
SourcePackage: apparmor
Syslog:
Sep 29 10:37:52 franck-
Sep 29 16:50:57 franck-
UpgradeStatus: No upgrade log present (probably fresh install)
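As an added example (not part of the original report and not AppArmor project code), the Python below parses AppArmor `DENIED` audit lines and derives the two candidate profile rules the description mentions: read access or an explicit deny. The log lines, hostname, PIDs and profile name are constructed, and generalizing the per-process path with `@{PROC}/@{pid}` is an assumption about how the rule would be written.

```python
import re

# Constructed sample log lines (hostname, PIDs and profile name are made up).
SAMPLE_LOG = '''\
Jan 01 12:00:01 host kernel: audit: type=1400 audit(1451649601.100:40): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/proc/2345/net/arp" pid=2345 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 01 12:05:09 host kernel: audit: type=1400 audit(1451649909.200:52): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/proc/8812/net/arp" pid=8812 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 01 12:05:10 host kernel: audit: type=1400 audit(1451649910.300:53): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox" name="/etc/example.conf" pid=8812 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 01 12:05:11 host systemd[1]: Started Example Service.
'''

# key="quoted value" or key=bare_value pairs as they appear in audit records
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denials(log_text):
    """Return the key=value fields of every apparmor="DENIED" line."""
    denials = []
    for line in log_text.splitlines():
        fields = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        if fields.get("apparmor") == "DENIED":
            denials.append(fields)
    return denials

def generalize(path):
    """Replace the concrete /proc/<pid>/ prefix with profile variables (assumed form)."""
    return re.sub(r"^/proc/\d+/", "@{PROC}/@{pid}/", path)

def candidate_rules(log_text, suffix="/net/arp"):
    """Map (profile, generalized path) to the allow and explicit-deny rule text."""
    rules = {}
    for d in parse_denials(log_text):
        name = d.get("name", "")
        if name.startswith("/proc/") and name.endswith(suffix):
            path, mask = generalize(name), d.get("denied_mask", "r")
            rules[(d.get("profile"), path)] = {
                "allow": f"{path} {mask},",
                "deny": f"deny {path} {mask},",
            }
    return rules

if __name__ == "__main__":
    for (profile, _), rule in candidate_rules(SAMPLE_LOG).items():
        print(profile, "->", rule["allow"], "|", rule["deny"])
```

An explicit `deny` rule also silences further log messages for that access, so once it is in the profile the denial no longer appears in the syslog.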
Franck (alci) wrote : | #1 |
Vincas Dargis (talkless) wrote : | #2 |
Franck (alci) wrote : | #3 |
Ok, I just asked on firefox-dev mailing list...
Franck (alci) wrote : | #4 |
Motivation for this new requirement is:
## Why
Each particular network your computer and browser run in has its own set of
network conditions, routers, proxies and MITM situations.
Changing between networks also changes proxies. Intercepting or explicit,
willing or unwilling, HTTP or even HTTPS with custom installed trust-roots.
This makes the web content cache, the cookie store and others to save
contents from one network that is potentially different than what is received
over other networks. It can lead to content pollution and information leaks,
on purpose by malicious actors or just by mistake.
see the details here https:/
Launchpad Janitor (janitor) wrote : | #5 |
Status changed to 'Confirmed' because the bug affects multiple users.
Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Ubuntu):
importance: Undecided → Critical
information type: Public → Public Security
Changed in apparmor (Ubuntu):
importance: Critical → High
Thomas Mayer (thomas303) wrote : | #6 |
A patch which might fix this issue, too, is available at 1659988.
https:/
Everyone affected, please give it a try and report back.
Vincas Dargis (talkless) wrote : | #7 |
I've tried the patched version from 1659988, it works fine.
Maybe we should ask Firefox devs what they mean by that? net/arp contains rather sensitive info...