Bug prevents flash plugin to load during firefox sessions. Audit logs are provided. Known update to firefox profile may help; wondering if it is secure?

Bug #968752 reported by Devin on 2012-03-30
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)

Bug Description

Every time I open Firefox apparmor-notify displays a deny message of type "m" access to "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.d/usr.bin.firefox profile to be able to play Adobe Flash videos, which it can now do after doing that. Question #1: What security risks play a role when I allow "m" (?) access to this folder for Firefox and do the benefits outway the risk to the sandbox?

After I updated my apparmor profile to allow flash videos, I no longer receive a deny message for it at every Firefox startup, but I now get a deny message of “rw” (read and write) to “/dev/nvidiactl”. Question #2: Is it okay to do that (i.e. add line "/dev/nvidiactl rw," to the Firefox profile configuration for apparmor), what are the security risks of doing so, and what purpose is such a permission good for?

What I want to add to a Wishlist for the apparmor package: enable apparmor sandboxing for Firefox to every Ubuntu user once the flash gets fixed after the quoted bugs below are patched.

Here is the log that I get before I add the permission in the apparmor firefox profile to get flash to work,
Mar 29 17:11:53 username kernel: [27877.596655] type=1400 audit(1333066313.785:410): apparmor="DENIED" operation="file_mmap" parent=4670 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/zero" pid=4673 comm="firefox" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
Here is the log that I get after I add the permission in the apparmor firefox profile even though by this time flash started working,
Mar 25 19:26:29 username kernel: [21002.394793] type=1400 audit(1332728789.574:427): apparmor="DENIED" operation="open" parent=4894 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=4897 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0

After enabling "/dev/nvidiactl rw," I got these bugs in the log one by one after granting permissions for each in order as follows.

Denied log before adding this line to the firefox profile, "/dev/nvidia0 rw,"

Mar 30 13:04:18 username kernel: [ 1766.955718] type=1400 audit(1333137858.144:3974): apparmor="DENIED" operation="open" parent=2635 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/dev/nvidia0" pid=2638 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
“ (i.e. I get it after I enable "/dev/nvidiactl rw,").

Denied log before adding this line to the firefox profile, "/proc/interrupts r,"

Mar 30 13:04:18 username kernel: [ 1766.955873] type=1400 audit(1333137858.144:3975): apparmor="DENIED" operation="open" parent=2635 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" name="/proc/interrupts" pid=2638 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
“ (i.e. I get it after I enable "/dev/nvidia0 rw,").

After enabling all of the permissions up to adding the line "/proc/interrupts r," I get the following two message examples

Mar 30 13:04:37 username kernel: [ 1786.222046] type=1400 audit(1333137877.411:3977): apparmor="DENIED" operation="capable" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" pid=2686 comm="firefox" capability=19 capname="sys_ptrace"

Mar 30 12:57:57 username kernel: [ 1386.424496] type=1400 audit(1333137477.616:2029): apparmor="DENIED" operation="ptrace" parent=1 profile="/usr/lib/firefox-11.0/firefox{,*[^s][^h]}" pid=2479 comm="firefox" target=8002C0E98002C0E9EE

To receive no related logs of this bug I had to add the final line "sys_ptrace mixr," to the firefox apparmor profile.

Devin (8basepairs) wrote :

This patch should work for Firefox 11.

The attachment "/etc/apparmor.d/usr.bin.firefox" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Devin (8basepairs) on 2012-03-30
description: updated
Devin (8basepairs) on 2012-03-30
description: updated
Devin (8basepairs) on 2012-03-31
description: updated
Devin (8basepairs) on 2012-04-01
description: updated
Jamie Strandboge (jdstrand) wrote :

Newer releases have ptrace mediation and this should be addressed in those profiles.

Changed in apparmor (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers