Bug prevents flash plugin from loading during firefox sessions. Audit logs are provided. Known update to firefox profile may help; wondering if it is secure?
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Every time I open Firefox apparmor-notify displays a deny message of type "m" access to "/dev/zero". I added the line "/dev/zero m," to my /etc/apparmor.
After I updated my apparmor profile to allow flash videos, I no longer receive a deny message for it at every Firefox startup, but I now get a deny message of “rw” (read and write) to “/dev/nvidiactl”. Question #2: Is it okay to do that (i.e. add line "/dev/nvidiactl rw," to the Firefox profile configuration for apparmor), what are the security risks of doing so, and what purpose is such a permission good for?
What I want to add to a Wishlist for the apparmor package: enable apparmor sandboxing for Firefox for every Ubuntu user once flash gets fixed, after the quoted bugs below are patched.
Here is the log that I get before I add the permission in the apparmor firefox profile to get flash to work,
"
Mar 29 17:11:53 username kernel: [27877.596655] type=1400 audit(133306631
"
Here is the log that I get after I add the permission in the apparmor firefox profile even though by this time flash started working,
"
Mar 25 19:26:29 username kernel: [21002.394793] type=1400 audit(133272878
"
After enabling "/dev/nvidiactl rw," I got these bugs in the log one by one after granting permissions for each in order as follows.
Denied log before adding this line to the firefox profile, "/dev/nvidia0 rw,"
“
Mar 30 13:04:18 username kernel: [ 1766.955718] type=1400 audit(133313785
“ (i.e. I get it after I enable "/dev/nvidiactl rw,").
Denied log before adding this line to the firefox profile, "/proc/interrupts r,"
“
Mar 30 13:04:18 username kernel: [ 1766.955873] type=1400 audit(133313785
“ (i.e. I get it after I enable "/dev/nvidia0 rw,").
After enabling all of the permissions up to adding the line "/proc/interrupts r," I get the following two message examples
“
Mar 30 13:04:37 username kernel: [ 1786.222046] type=1400 audit(133313787
“
“
Mar 30 12:57:57 username kernel: [ 1386.424496] type=1400 audit(133313747
“
To receive no related logs of this bug I had to add the final line "sys_ptrace mixr," to the firefox apparmor profile.
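The reporter's workflow above (read a `type=1400` denial, hand-write the profile line that silences it, then ask whether that line is safe) can be scripted. The following is an added example, not code from the bug report or from the apparmor package: it parses kernel AppArmor audit records, emits the candidate rule for each denial, and attaches an assumed triage priority (the `high`/`medium`/`low` tiers are this example's own heuristic, not AppArmor policy). The sample log records are constructed in the kernel's format, since the page's own lines are truncated.

```python
import re

# Key=value pairs of a kernel AppArmor audit record (type=1400); values may be quoted.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of an apparmor="DENIED" record as a dict, or None for anything else."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _KV.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def suggest_rule(fields):
    """The profile line that would silence this denial (what the reporter added by hand)."""
    if fields.get("operation") == "capable":
        return f"capability {fields['capname']},"
    # File-access mask letters: r read, w write, a append, m mmap PROT_EXEC, k lock, l link
    mask = fields.get("denied_mask") or fields.get("requested_mask")
    return f"{fields['name']} {mask},"

def review_priority(rule):
    """Triage heuristic (assumed here, not AppArmor policy) for how closely to review a rule."""
    if rule.startswith("capability sys_ptrace"):
        return "high"    # confined process may inspect/trace other processes
    path, _, mask = rule[:-1].rpartition(" ")
    if path.startswith("/dev/") and "w" in mask:
        return "medium"  # write access to a device node talks to the driver directly
    if "m" in mask:
        return "low"     # executable mapping, e.g. the /dev/zero m the Flash plugin needed
    return "info"

def triage(log):
    """Map each denial in a syslog excerpt to (suggested rule, review priority)."""
    out = []
    for line in log.splitlines():
        fields = parse_denial(line)
        if fields:
            rule = suggest_rule(fields)
            out.append((rule, review_priority(rule)))
    return out

# Constructed sample records in the kernel's format; the page's own lines are truncated.
PROFILE = 'profile="/usr/lib/firefox/firefox{,*[^s][^h]}"'
SAMPLE_LOG = f"""\
Mar 30 13:04:18 host kernel: [ 1766.955718] type=1400 audit(1333137858.955:41): apparmor="DENIED" operation="open" parent=1 {PROFILE} name="/dev/nvidiactl" pid=2345 comm="plugin-containe" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Mar 30 13:04:18 host kernel: [ 1766.955873] type=1400 audit(1333137858.955:42): apparmor="DENIED" operation="open" parent=1 {PROFILE} name="/proc/interrupts" pid=2345 comm="plugin-containe" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Mar 30 13:04:37 host kernel: [ 1786.222046] type=1400 audit(1333137877.222:43): apparmor="DENIED" operation="capable" parent=1 {PROFILE} pid=2345 comm="plugin-containe" capability=19  capname="sys_ptrace"
Mar 30 13:04:37 host kernel: [ 1786.222100] type=1400 audit(1333137877.222:44): apparmor="STATUS" operation="profile_replace" name="/usr/lib/firefox/firefox{{,*[^s][^h]}}" pid=2400 comm="apparmor_parser"
"""

if __name__ == "__main__":
    for rule, prio in triage(SAMPLE_LOG):
        print(f"{prio:6}  {rule}")
```

Feed it `grep type=1400 /var/log/kern.log` output to get the same rule/priority table for a real session; `STATUS` records (profile loads) are skipped, only `DENIED` ones produce rules.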
This patch should work for Firefox 11.