Ubuntu
apparmor package

  1. Bug #965718
  2. Comment #0

Comment 0 for bug 965718

Revision history for this message
Devin (8basepairs) wrote : Denied to "/dev/zero/ m," and "/dev/nvidiactl rw,"

Every time I open firefox apparmor-notify displays a deny of "m" message to "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash videos. Question #1: What security risks play a role when I allow "m" (?) access to this folder for Firefox?

Now every time I start Firefox apparmor-notify displays a deny of “rw” (read and write) to “/dev/nvidiactl”. Despite this I get messages no matter what web page I'm on after exactly every minute that look something like this, from my “/var/log/kern.log” LogFile,

type=AVC msg=audit(1332717987.622:214): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718047.625:215): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718107.625:216): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1332718167.624:217): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/2011/net/dev" pid=2030 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

After every restart of Firefox the proc folder changes in the message logs. Question #2: Will these access denied messages go away if I again edit my /etc/apparmor.d/usr.bin.firefox profile, but this time to add the permissive line, “/dev/nvidiactl rw,”? Question #3: Either way, is it okay to do so (i.e. add /dev/nvidiactl rw, to the Firefox profile)? And what are the security risks for that?

Question #3: Do I need to change this to a bug report as suggested in the aa-notify messages' link to https://wiki.ubuntu.com/DebuggingApparmor?

Thank you.