Google video chat plugin needs an apparmor abstraction

Bug #626451 reported by Guillaume
This bug affects 3 people
Affects             Status        Importance  Assigned to        Milestone
apparmor (Ubuntu)   Fix Released  Wishlist    Jamie Strandboge
Lucid               Fix Released  Undecided   Unassigned

Bug Description

Binary package hint: apparmor

Hello,

If I want to use the Google chat video plugin for firefox and apparmor, I have to add these lines to "/etc/apparmor.d/usr.bin.firefox":

  /opt/google/talkplugin/** rm,
  /opt/google/talkplugin/lib/** rm,

There is probably a smarter way to do this.

Best regards.

Guillaume

Guillaume (guillaume-zin) wrote :

This works better:

  /opt/google/talkplugin/** Uxrm,
  /opt/google/talkplugin/lib/** rm,
  owner @{HOME}/.config/google-googletalkplugin/** rw,

Best regards.

Guillaume

Jamie Strandboge (jdstrand) wrote :

For someone fixing this bug in Ubuntu 10.10, these should go in /etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia.

Changed in apparmor (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

Does using this work instead:
  /opt/google/talkplugin/*.so mr,
  /opt/google/talkplugin/lib/*.so mr,
  /opt/google/talkplugin/GoogleTalkPlugin ixr,

(be sure to run 'sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.firefox' and reload firefox when testing).

Changed in apparmor (Ubuntu):
status: Triaged → Incomplete
assignee: nobody → Jamie Strandboge (jdstrand)
Simon Déziel (sdeziel) wrote :

It works well with Jamie's suggestion in comment #3.

@Guillaume, the owner @{HOME}/.config/google-googletalkplugin/** rw, is not required because the default Firefox profile includes this:

owner @{HOME}/** w,

Changed in apparmor (Ubuntu):
status: Incomplete → Confirmed
Changed in apparmor (Ubuntu):
status: Confirmed → Fix Committed
Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Simon Déziel (sdeziel) wrote :

@Jamie

I just noticed several lines like those below in /var/log/kern.log:

Sep 27 15:13:33 simon-laptop kernel: [25083.645117] type=1400 audit(1285614813.028:89): apparmor="DENIED" operation="exec" parent=16043 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/usr/bin/lsb_release" pid=16044 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 27 15:13:33 simon-laptop kernel: [25083.646496] type=1400 audit(1285614813.028:90): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/proc/16009/net/route" pid=16009 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

This only occurs when actually dialing, so I was wrong to say that it worked in comment #4. Please note that even with those warnings it is possible to use the Google Talk plugin.

Here is the profile configuration I came up with that works well and generates no AA log:

  /opt/google/talkplugin/*.so mr,
  /opt/google/talkplugin/lib/*.so mr,
  /opt/google/talkplugin/GoogleTalkPlugin ixr,
  /usr/bin/lsb_release Ux,
  @{PROC}/[0-9]*/net/route r,

I have also tried "ix" flags for lsb_release but it generated those errors:

Sep 27 16:17:34 simon-laptop kernel: [28925.071870] type=1400 audit(1285618654.458:123): apparmor="DENIED" operation="open" parent=18417 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/etc/python2.6/sitecustomize.py" pid=18418 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 16:17:34 simon-laptop kernel: [28925.086222] type=1400 audit(1285618654.468:124): apparmor="DENIED" operation="open" parent=18417 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/etc/lsb-release" pid=18418 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 16:17:34 simon-laptop kernel: [28925.086782] type=1400 audit(1285618654.468:125): apparmor="DENIED" operation="open" parent=18417 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/etc/debian_version" pid=18418 comm="lsb_release" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Sep 27 16:17:34 simon-laptop kernel: [28925.088605] type=1400 audit(1285618654.468:126): apparmor="DENIED" operation="exec" parent=18419 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/usr/bin/apt-cache" pid=18420 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

IMO, it's better to run lsb_release unconfined.

Changed in apparmor (Ubuntu):
status: Fix Released → Confirmed
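The two kern.log lines above carry everything needed to derive a profile rule (profile, operation, name, denied_mask, fsuid/ouid). As an added example that is not part of this bug thread, the script below parses exactly those two lines and turns each denial into the narrowest rule that would satisfy it, generalising the per-pid /proc path to the @{PROC}/[0-9]*/ form Simon used; the exec-mode default of ix is a chosen assumption, since the thread shows ix versus Ux is a deliberate trade-off between confinement and extra rules.

```python
import re
from typing import Dict, List, Optional

# The two AppArmor audit lines (type=1400) quoted in this bug thread.
SAMPLE_LOG = """\
Sep 27 15:13:33 simon-laptop kernel: [25083.645117] type=1400 audit(1285614813.028:89): apparmor="DENIED" operation="exec" parent=16043 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/usr/bin/lsb_release" pid=16044 comm="sh" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
Sep 27 15:13:33 simon-laptop kernel: [25083.646496] type=1400 audit(1285614813.028:90): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-3.6.10/firefox-*bin" name="/proc/16009/net/route" pid=16009 comm="GoogleTalkPlugi" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Matches key="quoted value" or key=bare_value tokens in the audit record.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# A per-process /proc/<pid>/ prefix, which must not be hard-coded in a rule.
_PROC_PID = re.compile(r'^/proc/\d+/')


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of one AppArmor DENIED line, or None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def suggest_rule(fields: Dict[str, str], exec_mode: str = "ix") -> str:
    """Derive the smallest rule satisfying one denial.

    exec_mode is an assumption for this example: 'ix' keeps the child under
    the Firefox profile (and, as the thread shows, needs further rules for
    what lsb_release reads), while 'Ux' runs it unconfined.
    """
    path = _PROC_PID.sub("@{PROC}/[0-9]*/", fields["name"])
    if fields["operation"] == "exec":
        return f"{path} {exec_mode},"
    # The 'owner' qualifier only matches when the file owner equals the
    # task's fsuid; neither sample line qualifies (fsuid=1000, ouid=0).
    owner = "owner " if fields.get("fsuid") == fields.get("ouid") else ""
    return f"{owner}{path} {fields['denied_mask']},"


def rules_from_log(text: str, exec_mode: str = "ix") -> List[str]:
    """Deduplicated, sorted rules for every DENIED line in a log excerpt."""
    rules = {suggest_rule(f, exec_mode) for f in map(parse_denial, text.splitlines()) if f}
    return sorted(rules)


if __name__ == "__main__":
    print("\n".join(rules_from_log(SAMPLE_LOG)))
```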
Jamie Strandboge (jdstrand) wrote :

Guillaume, marking this back to Fix Released as the functionality still works. Please file a different bug on needing more rules to keep apparmor from being noisy.

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

Lucid affected, but Ubuntu-only change (adjusting abstractions/ubuntu-browsers.d/multimedia) fixed in Maverick, not in SRU for 2.5.1-0ubuntu0.10.04.1.

Changed in apparmor (Ubuntu Lucid):
status: New → Won't Fix
tags: added: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.1

---------------
apparmor (2.5.1-0ubuntu0.10.04.1) lucid-proposed; urgency=low

  * Backport 2.5.1-0ubuntu0.10.10.1 from maverick for userspace tools to work
    with newer kernels (LP: #660077)
    NOTE: user-tmp now uses 'owner' match, so non-default profiles will have
    to be adjusted when 2 separately confined applications that both use the
    user-tmp abstraction depend on being able to cooperatively share files
    with each other in /tmp or /var/tmp.
  * remove the following patches (features not appropriate for SRU):
    - 0002-add-chromium-browser.patch
    - 0003-local-includes.patch
    - 0004-ubuntu-abstractions-updates.patch
  * debian/rules (this makes it the same as what was shipped in 10.04 LTS
    release):
    - don't ship aa-update-browser and its man page (requires
      0004-ubuntu-abstractions-updates.patch)
    - don't ship apparmor.d/local/ (requires 0003-local-includes.patch)
    - don't use dh_apparmor (not in Ubuntu 10.04 LTS)
    - don't ship chromium profile
  * remove debian/profiles/chromium-browser
  * remove debian/aa-update-browser*
  * debian/apparmor-profiles.postinst: revert to that in lucid release
    (requires dh_apparmor and 0002-add-chromium-browser.patch)
  * remove debian/apparmor-profiles.postrm: doesn't make sense without
    0002-add-chromium-browser.patch
  * debian/control:
    - revert Build-Depends on debhelper (>= 5)
    - revert Standards-Version to 3.8.4
    - revert Vcs-Bzr
    - use Conflicts/Replaces version that was in Ubuntu 10.04 LTS
  * debian/patches/0011-lucid-compat-dbus.patch: move /var/lib/dbus/machine-id
    back into dbus, since profiles on 10.04 LTS expect it there
  * debian/patches/0012-lucid-compat-kde.patch: add kde4-config to kde
    abstraction, since the firefox profile on Ubuntu 10.04 LTS expects it to
    be there

apparmor (2.5.1-0ubuntu0.10.10.2) maverick-proposed; urgency=low

  * New upstream release (LP: #660077)
    - The following patches were refreshed:
      + 0001-fix-release.patch
      + 0003-local-includes.patch
      + 0004-ubuntu-abstractions-updates.patch
      + 0008-lp648900.patch: renamed as 0005-lp648900.patch
    - The following patches were dropped (included upstream):
      + 0005-lp601583.patch
      + 0006-network-interface-enumeration.patch
      + 0007-gnome-updates.patch
  * debian/patches/0006-testsuite-fixes.patch: testsuite fixes from head
    of 2.5 branch. These are needed for QRT and SRU testing (LP: #652211)
  * debian/patches/0007-honor-cflags.patch: have the parser makefile honor
    CFLAGS environment variable. Brings back missing symbols for the retracer
  * debian/patches/0008-lp652674.patch: fix warnings for messages without
    denied or requested masks (LP: #652674)
  * debian/apparmor.init: fix path to aa-status (LP: #654841)
  * debian/apport/source_apparmor.py: apport hook should use
    root_command_hook() for running apparmor_status (LP: #655529)
  * debian/apport/source_apparmor.py: use ProcKernelCmdline and don't clobber
    cmdline details (LP: #657091)
  * debian/{rules,control}: move apache2 abstractions into the base package
    so we can put ...

Changed in apparmor (Ubuntu Lucid):
status: Won't Fix → Fix Released