From v49.0, Firefox needs read access to @{PROC}/net/arp

Bug #1628956 reported by Franck on 2016-09-29
This bug affects 6 people
Affects: apparmor (Ubuntu)

Bug Description

Since the latest upgrade of Firefox to 49.0, it will need read access to @{PROC}/net/arp

I don't know what the security implications are, so I don't know if we want to give read access or to explicitly deny it. Both seem to work.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: apparmor-profiles 2.10.95-0ubuntu2.2
ProcVersionSignature: Ubuntu 4.4.0-38.57-generic 4.4.19
Uname: Linux 4.4.0-38-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Sep 29 16:55:21 2016
InstallationDate: Installed on 2015-10-04 (361 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151002)
PackageArchitecture: all
ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.4.0-38-generic.efi.signed root=/dev/mapper/ubuntu--vg-root ro noprompt persistent kaslr threadirqs quiet splash vt.handoff=7
SourcePackage: apparmor
 Sep 29 10:37:52 franck-ThinkPad-T430s dbus[2546]: [system] AppArmor D-Bus mediation is enabled
 Sep 29 16:50:57 franck-ThinkPad-T430s dbus[2410]: [system] AppArmor D-Bus mediation is enabled
UpgradeStatus: No upgrade log present (probably fresh install)
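As an added example (not part of this bug report or of the apparmor package): a small POSIX shell helper that turns an AppArmor DENIED audit line into the rule you would put in the profile or its local override, in either of the two forms the description mentions (plain read access, or an explicit deny). The audit line is constructed for the example, and the override path /etc/apparmor.d/local/usr.bin.firefox is an assumption about the local layout.

```shell
#!/bin/sh
# Constructed sample in the standard AppArmor audit format; no real system
# produced it. Real lines come from dmesg or /var/log/audit/audit.log.
SAMPLE_LINE='audit: type=1400 audit(1475160000.000:42): apparmor="DENIED" operation="open" profile="firefox" name="/proc/net/arp" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0'

# field KEY LINE: print the value of KEY="value" from an audit line.
field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\"\([^\"]*\)\".*/\1/p"
}

# suggest_rule LINE MODE: MODE is "allow" or "deny". Prints the profile rule
# for the denied path and mask, rewriting /proc/... to the @{PROC} variable
# used in the bug title. Returns 1 for lines that are not denials.
suggest_rule() {
    line=$1
    mode=$2
    [ "$(field apparmor "$line")" = "DENIED" ] || return 1
    name=$(field name "$line")
    mask=$(field denied_mask "$line")
    case $name in
        /proc/*) name="@{PROC}${name#/proc}" ;;
    esac
    if [ "$mode" = deny ]; then
        printf 'deny %s %s,\n' "$name" "$mask"
    else
        printf '%s %s,\n' "$name" "$mask"
    fi
}

# Either line can be appended to the local override (assumed path:
# /etc/apparmor.d/local/usr.bin.firefox), followed by `apparmor_parser -r`
# on the main profile to reload it.
suggest_rule "$SAMPLE_LINE" allow   # @{PROC}/net/arp r,
suggest_rule "$SAMPLE_LINE" deny    # deny @{PROC}/net/arp r,
```

An explicit deny rule also stops AppArmor from logging the access, so it keeps the audit log quiet where allowing the read is not wanted.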

Franck (alci) wrote :
Vincas Dargis (talkless) wrote :

Maybe we should ask Firefox devs what they mean by that? net/arp contains rather sensitive info...

Franck (alci) wrote :

Ok, I just asked on the firefox-dev mailing list...

Franck (alci) wrote :

Motivation for this new requirement is:

## Why

 Each particular network your computer and browser run in has its own set of
 network conditions, routers, proxies and MITM situations.

 Changing between networks also changes proxies. Intercepting or explicit,
 willing or unwilling, HTTP or even HTTPS with custom installed trust-roots.
 This makes the web content cache, the cookie store and others save
 contents from one network that is potentially different than what is received
 over other networks. It can lead to content pollution and information leaks,
 on purpose by malicious actors or just by mistake.

see the details here

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Changed in apparmor (Ubuntu):
importance: Undecided → Critical
information type: Public → Public Security
Changed in apparmor (Ubuntu):
importance: Critical → High
Thomas Mayer (thomas303) wrote :

A patch which might fix this issue, too, is available at 1659988.

Everyone affected, please give it a try and report back.

Vincas Dargis (talkless) wrote :

I've tried patched version from 1659988, it works fine.
