Ubuntu
apparmor package

Bug #965718
Activity log

Activity log for bug #965718

Date	Who	What changed	Old value	New value	Message
2012-03-26 21:13:46	Devin	bug			added bug
2012-03-26 21:14:33	Devin	description	Every time I open firefox apparmor-notify displays a deny of "m" message to "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash videos. Question #1: What security risks play a role when I allow "m" (?) access to this folder for Firefox? Now every time I start Firefox apparmor-notify displays a deny of “rw” (read and write) to “/dev/nvidiactl”. Despite this I get messages no matter what web page I'm on after exactly every minute that look something like this, from my “/var/log/kern.log” LogFile, “ type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 “ After every restart of Firefox the proc folder changes in the message logs. Question #2: Will these access denied messages go away if I again edit my /etc/apparmor.d/usr.bin.firefox profile, but this time to add the permissive line, “/dev/nvidiactl rw,”? Question #3: Either way, is it okay to do so (i.e. add /dev/nvidiactl rw, to the Firefox profile)? And what are the security risks for that? Question #3: Do I need to change this to a bug report as suggested in the aa-notify messages' link to https://wiki.ubuntu.com/DebuggingApparmor? Thank you.	Every time I open firefox apparmor-notify displays a deny of "m" message to "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash videos. Question #1: What security risks play a role when I allow "m" (?) access to this folder for Firefox? Now every time I start Firefox apparmor-notify displays a deny of “rw” (read and write) to “/dev/nvidiactl”. Despite this I get messages no matter what web page I'm on after exactly every minute that look something like this, from my “/var/log/kern.log” LogFile, “ type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 “ After every restart of Firefox the proc folder changes in the message logs. Question #2: Will these access denied messages go away if I again edit my /etc/apparmor.d/usr.bin.firefox profile, but this time to add the permissive line, “/dev/nvidiactl rw,”? Question #3: Either way, is it okay to do so (i.e. add /dev/nvidiactl rw, to the Firefox profile)? And what are the security risks for that? Thank you.
2012-03-26 21:14:33	Devin	tags		apparmor
2012-03-26 21:19:07	Devin	description	Every time I open firefox apparmor-notify displays a deny of "m" message to "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash videos. Question #1: What security risks play a role when I allow "m" (?) access to this folder for Firefox? Now every time I start Firefox apparmor-notify displays a deny of “rw” (read and write) to “/dev/nvidiactl”. Despite this I get messages no matter what web page I'm on after exactly every minute that look something like this, from my “/var/log/kern.log” LogFile, “ type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 “ After every restart of Firefox the proc folder changes in the message logs. Question #2: Will these access denied messages go away if I again edit my /etc/apparmor.d/usr.bin.firefox profile, but this time to add the permissive line, “/dev/nvidiactl rw,”? Question #3: Either way, is it okay to do so (i.e. add /dev/nvidiactl rw, to the Firefox profile)? And what are the security risks for that? Thank you.	Every time I open firefox apparmor-notify displays a deny of "m" message to "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash videos. Question #1: What security risks play a role when I allow "m" (?) access to this folder for Firefox? Now every time I start Firefox apparmor-notify displays a deny of “rw” (read and write) to “/dev/nvidiactl”. Despite this I get messages no matter what web page I'm on after exactly every minute that look something like this, from my “/var/log/kern.log” LogFile, “ type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 “ After every restart of Firefox the proc folder changes in the message logs. Question #2: Will these access denied messages go away if I again edit my /etc/apparmor.d/usr.bin.firefox profile, but this time to add the permissive line, “/dev/nvidiactl rw,”? Question #3: Either way, is it okay to do so (i.e. add /dev/nvidiactl rw, to the Firefox profile)? And what are the security risks for that? Here are my specs, " DISTRIB_ID=Ubuntu DISTRIB_RELEASE=11.10 DISTRIB_CODENAME=oneiric DISTRIB_DESCRIPTION="Ubuntu 11.10" Linux username 3.0.0-16-generic #29-Ubuntu SMP Tue Feb 14 12:49:42 UTC 2012 i686 athlon i386 GNU/Linux firefox: Installed: 11.0+build1-0ubuntu0.11.10.1 Candidate: 11.0+build1-0ubuntu0.11.10.1 Version table: *** 11.0+build1-0ubuntu0.11.10.1 0 500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main i386 Packages 500 http://security.ubuntu.com/ubuntu/ oneiric-security/main i386 Packages 100 /var/lib/dpkg/status 7.0.1+build1+nobinonly-0ubuntu2 0 500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages " Thank you.
2012-03-26 21:21:50	Devin	tags	apparmor	aa-notify adobe apparmor firefox flash play proc video videos
2012-03-26 22:41:58	Devin	summary	Denied to "/dev/zero/ m," and "/dev/nvidiactl rw,"	HTTPS-Everywhere add-on causes aa-notify bug of deny messages.
2012-03-26 22:41:58	Devin	description	Every time I open firefox apparmor-notify displays a deny of "m" message to "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash videos. Question #1: What security risks play a role when I allow "m" (?) access to this folder for Firefox? Now every time I start Firefox apparmor-notify displays a deny of “rw” (read and write) to “/dev/nvidiactl”. Despite this I get messages no matter what web page I'm on after exactly every minute that look something like this, from my “/var/log/kern.log” LogFile, “ type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 “ After every restart of Firefox the proc folder changes in the message logs. Question #2: Will these access denied messages go away if I again edit my /etc/apparmor.d/usr.bin.firefox profile, but this time to add the permissive line, “/dev/nvidiactl rw,”? Question #3: Either way, is it okay to do so (i.e. add /dev/nvidiactl rw, to the Firefox profile)? And what are the security risks for that? Here are my specs, " DISTRIB_ID=Ubuntu DISTRIB_RELEASE=11.10 DISTRIB_CODENAME=oneiric DISTRIB_DESCRIPTION="Ubuntu 11.10" Linux username 3.0.0-16-generic #29-Ubuntu SMP Tue Feb 14 12:49:42 UTC 2012 i686 athlon i386 GNU/Linux firefox: Installed: 11.0+build1-0ubuntu0.11.10.1 Candidate: 11.0+build1-0ubuntu0.11.10.1 Version table: *** 11.0+build1-0ubuntu0.11.10.1 0 500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main i386 Packages 500 http://security.ubuntu.com/ubuntu/ oneiric-security/main i386 Packages 100 /var/lib/dpkg/status 7.0.1+build1+nobinonly-0ubuntu2 0 500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages " Thank you.	I get messages no matter what web page I'm on after exactly every minute that look something like this, from my “/var/log/kern.log” LogFile, “ type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 “ After every restart of Firefox the proc folder changes in the message logs. These access denied aa-notify messages do not appear when I disable the HTTPS-Everywhere add-on from EFF.org . Here are my specs, " DISTRIB_ID=Ubuntu DISTRIB_RELEASE=11.10 DISTRIB_CODENAME=oneiric DISTRIB_DESCRIPTION="Ubuntu 11.10" Linux username 3.0.0-16-generic #29-Ubuntu SMP Tue Feb 14 12:49:42 UTC 2012 i686 athlon i386 GNU/Linux firefox: Installed: 11.0+build1-0ubuntu0.11.10.1 Candidate: 11.0+build1-0ubuntu0.11.10.1 Version table: *** 11.0+build1-0ubuntu0.11.10.1 0 500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main i386 Packages 500 http://security.ubuntu.com/ubuntu/ oneiric-security/main i386 Packages 100 /var/lib/dpkg/status 7.0.1+build1+nobinonly-0ubuntu2 0 500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages " Thank you.
2012-03-29 15:39:16	Florian Geyer	bug			added subscriber Florian Geyer
2012-03-29 23:59:32	Devin	tags	aa-notify adobe apparmor firefox flash play proc video videos	aa-notify apparmor eff firefox https-everywhere proc profile
2012-05-01 20:50:07	Jamie Strandboge	marked as duplicate		955066

Ubuntuapparmor package

Activity log for bug #965718

Ubuntu
apparmor package