Google video chat plugin needs an apparmor abstraction

Bug #626451 reported by Guillaume on 2010-08-29
This bug affects 3 people
Affects: apparmor (Ubuntu)
Assigned to: Jamie Strandboge

Bug Description

Binary package hint: apparmor

If I want to use the Google chat video plugin for firefox and apparmor, I have to add these lines to "/etc/apparmor.d/usr.bin.firefox":

  /opt/google/talkplugin/** rm,
  /opt/google/talkplugin/lib/** rm,

There is probably a smarter way to do this.

Best regards.

Guillaume (guillaume-zin) wrote :

This works better:

  /opt/google/talkplugin/** Uxrm,
  /opt/google/talkplugin/lib/** rm,
  owner @{HOME}/.config/google-googletalkplugin/** rw,

Best regards.


Jamie Strandboge (jdstrand) wrote :

For someone fixing this bug in Ubuntu 10.10, these should go in /etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia.

Changed in apparmor (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Does using this work instead:
  /opt/google/talkplugin/*.so mr,
  /opt/google/talkplugin/lib/*.so mr,
  /opt/google/talkplugin/GoogleTalkPlugin ixr,

(be sure to run 'sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.firefox' and reload firefox when testing).

Changed in apparmor (Ubuntu):
status: Triaged → Incomplete
assignee: nobody → Jamie Strandboge (jdstrand)
Simon Déziel (sdeziel) wrote :

It works well with Jamie's suggestion in comment #3.

@Guillaume, the owner @{HOME}/.config/google-googletalkplugin/** rw, is not required because the default Firefox profile includes this:

owner @{HOME}/** w,

Changed in apparmor (Ubuntu):
status: Incomplete → Confirmed
Changed in apparmor (Ubuntu):
status: Confirmed → Fix Committed
Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Simon Déziel (sdeziel) wrote :

I just noticed several lines like those below in /var/log/kern.log:

Sep 27 15:13:33 simon-laptop kernel: [25083.645117] type=1400 audit(1285614813.028:89): apparmor="DENIED" operation="exec" parent=16043 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/usr/bin/lsb_release" pid=16044 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 27 15:13:33 simon-laptop kernel: [25083.646496] type=1400 audit(1285614813.028:90): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/proc/16009/net/route" pid=16009 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

This only occurs when actually dialing, so I was wrong to say that it worked in comment #4. Please note that even with those warnings it is possible to use the Google Talk plugin.

Here is the profile configuration I came up with that works well and generates no AA log:

  /opt/google/talkplugin/*.so mr,
  /opt/google/talkplugin/lib/*.so mr,
  /opt/google/talkplugin/GoogleTalkPlugin ixr,
  /usr/bin/lsb_release Ux,
  @{PROC}/[0-9]*/net/route r,

I have also tried "ix" flags for lsb_release, but it generated these errors:

Sep 27 16:17:34 simon-laptop kernel: [28925.071870] type=1400 audit(1285618654.458:123): apparmor="DENIED" operation="open" parent=18417 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/etc/python2.6/" pid=18418 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 16:17:34 simon-laptop kernel: [28925.086222] type=1400 audit(1285618654.468:124): apparmor="DENIED" operation="open" parent=18417 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/etc/lsb-release" pid=18418 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 16:17:34 simon-laptop kernel: [28925.086782] type=1400 audit(1285618654.468:125): apparmor="DENIED" operation="open" parent=18417 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/etc/debian_version" pid=18418 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 16:17:34 simon-laptop kernel: [28925.088605] type=1400 audit(1285618654.468:126): apparmor="DENIED" operation="exec" parent=18419 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/usr/bin/apt-cache" pid=18420 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

IMO, it's better to run lsb_release unconfined.

Changed in apparmor (Ubuntu):
status: Fix Released → Confirmed
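The kernel log lines above are the raw material for the rules in both Jamie's suggestion (comment #3) and Simon's final profile. As an added example that is not part of this bug thread or of the apparmor package, the script below parses AppArmor "DENIED" audit records (the sample input is constructed from the lines quoted in this report), turns each one into a candidate profile rule, and rewrites a literal /proc/<pid>/ path into the @{PROC}/[0-9]*/ form used in the final profile. For exec denials it defaults to the confined "ix" mode and lets the caller opt into "Ux" (the mode Simon settled on after "ix" produced further denials), because an unconfined child inherits none of the browser profile's restrictions. This is a deliberately small stand-in for what aa-logprof does, not its algorithm; the mask aliases and the helper names are this example's own assumptions.

```python
import re

# Constructed sample: two audit records copied from the report's
# /var/log/kern.log excerpts, plus one unrelated kernel line that must be skipped.
SAMPLE_LOG = """\
Sep 27 15:13:33 simon-laptop kernel: [25083.645117] type=1400 audit(1285614813.028:89): apparmor="DENIED" operation="exec" parent=16043 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/usr/bin/lsb_release" pid=16044 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 27 15:13:33 simon-laptop kernel: [25083.646496] type=1400 audit(1285614813.028:90): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/proc/16009/net/route" pid=16009 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 15:13:34 simon-laptop kernel: [25083.700000] usb 1-1: new high-speed USB device
"""

# Audit records are key=value pairs; values are either "quoted" or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# A literal PID directory under /proc is only valid for one process lifetime.
PID_DIR_RE = re.compile(r"^/proc/\d+/")

# Assumed simplification: letters the kernel logs that a profile expresses as 'w'
# (create, append, delete).  Anything else (r, w, m, x, ...) is passed through.
MASK_ALIASES = {"c": "w", "a": "w", "d": "w"}


def parse_denial(line):
    """Return the fields of one apparmor="DENIED" audit line as a dict, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        # A bare match is never empty, so use it when present, else the quoted text.
        fields[key] = bare if bare else quoted
    return fields


def generalize_path(path):
    """Rewrite /proc/<pid>/... into the @{PROC}/[0-9]*/... form used in profiles."""
    return PID_DIR_RE.sub("@{PROC}/[0-9]*/", path)


def mask_to_perms(mask):
    """Map a logged denied_mask onto rule permission letters, without duplicates."""
    perms = []
    for ch in mask:
        ch = MASK_ALIASES.get(ch, ch)
        if ch not in perms:
            perms.append(ch)
    return "".join(perms)


def suggest_rule(denial, exec_mode="ix"):
    """Turn one parsed denial into a candidate rule line.

    File-access denials map the denied mask straight onto a rule.  An exec
    denial needs an execute mode: 'ix' keeps the child under the same profile
    (least privilege); 'Ux' runs it unconfined, which is what the final profile
    in this bug chose for lsb_release.
    """
    path = generalize_path(denial["name"])
    if denial.get("operation") == "exec":
        return f"{path} {exec_mode},"
    return f"{path} {mask_to_perms(denial['denied_mask'])},"


def suggest_rules(log_text, exec_mode="ix"):
    """Parse a whole log excerpt and return the unique candidate rules in order."""
    rules = []
    for line in log_text.splitlines():
        denial = parse_denial(line)
        if denial is None or "name" not in denial or "denied_mask" not in denial:
            continue
        rule = suggest_rule(denial, exec_mode)
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    # Print what a reviewer would paste into the profile, one rule per line.
    for rule in suggest_rules(SAMPLE_LOG):
        print("  " + rule)
```

Each emitted rule still has to be reviewed before it goes into /etc/apparmor.d/usr.bin.firefox (an overly broad path or an "Ux" for a program that does not need it widens the browser's reach), and the profile reloaded with the apparmor_parser command from comment #3.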
Jamie Strandboge (jdstrand) wrote :

Guillaume, marking this back to Fix Released as the functionality still works. Please file a different bug on needing more rules to keep apparmor from being noisy.

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Lucid affected, but Ubuntu-only change (adjusting abstractions/ubuntu-browsers.d/multimedia) fixed in Maverick, not in SRU for 2.5.1-0ubuntu0.10.04.1.

Changed in apparmor (Ubuntu Lucid):
status: New → Won't Fix
tags: added: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
    with newer kernels (LP: #660077)
    NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
    to be adjusted when 2 separately confined applications that both use the
    user-tmp abstraction depend on being able to cooperatively share files
    with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
    - 0002-add-chromium-browser.patch
    - 0003-local-includes.patch
    - 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
    - don't ship aa-update-browser and its man page (requires
    - don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
    - don't use dh_apparmor (not in Ubuntu 10.04 LTS)
    - don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
    (requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
  * debian/control:
    - revert Build-Depends on debhelper (>= 5)
    - revert Standards-Version to 3.8.4
    - revert Vcs-Bzr
    - use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
    back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
    abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
    be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/ apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/ use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put ...

Changed in apparmor (Ubuntu Lucid):
status: Won't Fix → Fix Released