2012-03-26 21:13:46 |
Devin |
bug |
|
|
added bug |
2012-03-26 21:14:33 |
Devin |
description |
Every time I open firefox apparmor-notify displays a deny of "m" message to "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash videos. Question #1: What security risks play a role when I allow "m" (?) access to this folder for Firefox?
Now every time I start Firefox apparmor-notify displays a deny of “rw” (read and write) to “/dev/nvidiactl”. Despite this I get messages no matter what web page I'm on after exactly every minute that look something like this, from my “/var/log/kern.log” LogFile,
“
type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
“
After every restart of Firefox the proc folder changes in the message logs. Question #2: Will these access denied messages go away if I again edit my /etc/apparmor.d/usr.bin.firefox profile, but this time to add the permissive line, “/dev/nvidiactl rw,”? Question #3: Either way, is it okay to do so (i.e. add /dev/nvidiactl rw, to the Firefox profile)? And what are the security risks for that?
Question #3: Do I need to change this to a bug report as suggested in the aa-notify messages' link to https://wiki.ubuntu.com/DebuggingApparmor?
Thank you. |
Every time I open firefox apparmor-notify displays a deny of "m" message to "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash videos. Question #1: What security risks play a role when I allow "m" (?) access to this folder for Firefox?
Now every time I start Firefox apparmor-notify displays a deny of “rw” (read and write) to “/dev/nvidiactl”. Despite this I get messages no matter what web page I'm on after exactly every minute that look something like this, from my “/var/log/kern.log” LogFile,
“
type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
“
After every restart of Firefox the proc folder changes in the message logs. Question #2: Will these access denied messages go away if I again edit my /etc/apparmor.d/usr.bin.firefox profile, but this time to add the permissive line, “/dev/nvidiactl rw,”? Question #3: Either way, is it okay to do so (i.e. add /dev/nvidiactl rw, to the Firefox profile)? And what are the security risks for that?
Thank you. |
|
2012-03-26 21:14:33 |
Devin |
tags |
|
apparmor |
|
2012-03-26 21:19:07 |
Devin |
description |
Every time I open firefox apparmor-notify displays a deny of "m" message to "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash videos. Question #1: What security risks play a role when I allow "m" (?) access to this folder for Firefox?
Now every time I start Firefox apparmor-notify displays a deny of “rw” (read and write) to “/dev/nvidiactl”. Despite this I get messages no matter what web page I'm on after exactly every minute that look something like this, from my “/var/log/kern.log” LogFile,
“
type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
“
After every restart of Firefox the proc folder changes in the message logs. Question #2: Will these access denied messages go away if I again edit my /etc/apparmor.d/usr.bin.firefox profile, but this time to add the permissive line, “/dev/nvidiactl rw,”? Question #3: Either way, is it okay to do so (i.e. add /dev/nvidiactl rw, to the Firefox profile)? And what are the security risks for that?
Here are my specs,
"
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=11.10
DISTRIB_CODENAME=oneiric
DISTRIB_DESCRIPTION="Ubuntu 11.10"
Linux username 3.0.0-16-generic #29-Ubuntu SMP Tue Feb 14 12:49:42 UTC 2012 i686 athlon i386 GNU/Linux
firefox:
Installed: 11.0+build1-0ubuntu0.11.10.1
Candidate: 11.0+build1-0ubuntu0.11.10.1
Version table:
*** 11.0+build1-0ubuntu0.11.10.1 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu/ oneiric-security/main i386 Packages
100 /var/lib/dpkg/status
7.0.1+build1+nobinonly-0ubuntu2 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
"
Thank you. |
|
2012-03-26 21:21:50 |
Devin |
tags |
apparmor |
aa-notify adobe apparmor firefox flash play proc video videos |
|
2012-03-26 22:41:58 |
Devin |
summary |
Denied to "/dev/zero/ m," and "/dev/nvidiactl rw," |
HTTPS-Everywhere add-on causes aa-notify bug of deny messages. |
|
2012-03-26 22:41:58 |
Devin |
description |
I get messages no matter what web page I'm on after exactly every minute that look something like this, from my “/var/log/kern.log” LogFile,
“
type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
“
After every restart of Firefox the proc folder changes in the message logs. These access denied aa-notify messages do not appear when I disable the HTTPS-Everywhere add-on from EFF.org.
Here are my specs,
"
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=11.10
DISTRIB_CODENAME=oneiric
DISTRIB_DESCRIPTION="Ubuntu 11.10"
Linux username 3.0.0-16-generic #29-Ubuntu SMP Tue Feb 14 12:49:42 UTC 2012 i686 athlon i386 GNU/Linux
firefox:
Installed: 11.0+build1-0ubuntu0.11.10.1
Candidate: 11.0+build1-0ubuntu0.11.10.1
Version table:
*** 11.0+build1-0ubuntu0.11.10.1 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric-updates/main i386 Packages
500 http://security.ubuntu.com/ubuntu/ oneiric-security/main i386 Packages
100 /var/lib/dpkg/status
7.0.1+build1+nobinonly-0ubuntu2 0
500 http://us.archive.ubuntu.com/ubuntu/ oneiric/main i386 Packages
"
Thank you. |
|
2012-03-29 15:39:16 |
Florian Geyer |
bug |
|
|
added subscriber Florian Geyer |
2012-03-29 23:59:32 |
Devin |
tags |
aa-notify adobe apparmor firefox flash play proc video videos |
aa-notify apparmor eff firefox https-everywhere proc profile |
|
2012-05-01 20:50:07 |
Jamie Strandboge |
marked as duplicate |
|
955066 |
|